Re: IIS5.0 and IIS lockdown/hardening tool/security
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: Sat, 12 Jul 2003 08:37:30 -0700
You should just download URLscan, unpack it, and read the ini file.
There is a fair amount of customization, room to over tighten or to
leave things too loose.
IIRC if by DevStudio you mean Visual Studio, then you need FPSE
or fileshare access
"Dave" <firstname.lastname@example.org> wrote in message
> Thanks for the response. I scanned some other messages about URLScan and I
> had a few other questions that I hope you can help me with.
> Is it possible to customize URLScan by web service, folder, or some other
> application specific settings? Does it simply look for references to file
> extensions without regard to how the file will be accessed? From what I've
> seen in other posts here it seems that URLScan has limited configurable
> re: FPSE...If these are not installed will this effect DevStudio? I've
> advised that if FPSE is not installed on development machines then
> developers will be unable to develop web services. Do you have any
> information that would corroborate or refute this?
> Thanks again.
> "Herb Martin" <news@LearnQuick.com> wrote in message
> > > We have a DOTNET web service built with the 1.1 framework and we are
> > > targeting
> > > server machines running IIS 5.0+. We have been advised to run the IIS
> > > hardening/lockdown tool for additional security. Is anyone aware of
> > > problems or issues that will result from this? What problems will we
> > if
> > > FrontPage Server extensions are not installed?
> > As you may note if you watch the IIS newsgroups for a few
> > hours, the IIS Lockdown Wizard and the URLScan it installs
> > can affect access to web pages (mostly based on forbidding URLs
> > that reference certain extensions like DLL, EXE, ASP, etc.
> > You will need to tune your URLScan.ini
> > This shouldn't be affected by FPSE, but those who do run FPSE
> > note these same (class of) problems.