Re: IIS5.0 and IIS lockdown/hardening tool/security

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 07/12/03


Date: Sat, 12 Jul 2003 08:37:30 -0700


Dave,
You should just download URLscan, unpack it, and read the ini file.
There is a fair amount of customization, room to over tighten or to
leave things too loose.
IIRC if by DevStudio you mean Visual Studio, then you need FPSE
or fileshare access

"Dave" <kdlevine@wi.rr.com> wrote in message
news:%23xKMQvGSDHA.2116@TK2MSFTNGP12.phx.gbl...
> Thanks for the response. I scanned some other messages about URLScan and I
> had a few other questions that I hope you can help me with.
>
> Is it possible to customize URLScan by web service, folder, or some other
> application specific settings? Does it simply look for references to file
> extensions without regard to how the file will be accessed? From what I've
> seen in other posts here it seems that URLScan has limited configurable
> settings.
>
> re: FPSE...If these are not installed will this effect DevStudio? I've
been
> advised that if FPSE is not installed on development machines then
> developers will be unable to develop web services. Do you have any
> information that would corroborate or refute this?
>
> Thanks again.
>
> Dave
>
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:OpX1fjCSDHA.2480@tk2msftngp13.phx.gbl...
> > > We have a DOTNET web service built with the 1.1 framework and we are
> > > targeting
> > > server machines running IIS 5.0+. We have been advised to run the IIS
> > > hardening/lockdown tool for additional security. Is anyone aware of
any
> > > problems or issues that will result from this? What problems will we
> have
> > if
> > > FrontPage Server extensions are not installed?
> >
> > As you may note if you watch the IIS newsgroups for a few
> > hours, the IIS Lockdown Wizard and the URLScan it installs
> > can affect access to web pages (mostly based on forbidding URLs
> > that reference certain extensions like DLL, EXE, ASP, etc.
> >
> > You will need to tune your URLScan.ini
> >
> > This shouldn't be affected by FPSE, but those who do run FPSE
> > note these same (class of) problems.
> >
> >
> >
>
>



Relevant Pages

  • Re: IIS5.0 and IIS lockdown/hardening tool/security
    ... I scanned some other messages about URLScan and I ... >> FrontPage Server extensions are not installed? ... the IIS Lockdown Wizard and the URLScan it installs ... > This shouldn't be affected by FPSE, but those who do run FPSE ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS5.0 and IIS lockdown/hardening tool/security
    ... >extensions without regard to how the file will be accessed? ... But URLScan can be configured to allow FPSE, ... >advised that if FPSE is not installed on development machines then ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS 5.0 doesnt seem to be working
    ... i think that this is related to URLScan. ... Kristofer Gafvert - IIS MVP ... "Dave" wrote in message ... > Yes, I have installed UrlScan, but I set the deny extensions on, so it ...
    (microsoft.public.inetserver.iis)
  • Re: Disable HTTP-Methods
    ... why not use urlscan? ... it's very useful and allow customization. ... If you don't really want to use it, write your own isapi filter, ... and control from there. ...
    (microsoft.public.inetserver.iis.security)