RE: URL Scan on OWA
From: Lisa Cozzens [MSFT] (lcozzens_at_online.microsoft.com)
Date: 08/01/03
Date: Thu, 31 Jul 2003 22:02:04 GMT
Sure thing. Here's what you need to do:
1. Open C:\WINNT\system32\inetsrv\urlscan\urlscan.ini in Notepad
2. Locate the section called [DenyUrlSequences]. In the default
urlscan.ini, this is at the very bottom of the file.
3. Locate the line containing .. and place a semicolon (;) in front of it.
This comments it out.
4. Repeat step #3 for the line containing &, along with any other symbols
you want to allow in OWA subject lines (% would be another candidate...)
5. Save the urlscan.ini file and restart IIS.
For more information on fine-tuning URLScan:
326444 HOW TO: Configure the URLScan Tool
http://support.microsoft.com/?id=326444
This article explains all the options in the urlscan.ini file in detail.
Hope this helps,
Lisa
--------------------
> Hello,
>
> I've set up an OWA (front end) on our DMZ. The recommended template for OWA
> is used on URLScan.
>
> The problem is that it blocks URLs containing "&" and ".." signs. This is
> very disturbing for our users because many emails contain .. and "&" and
> ".." signs in subject line.
> Is there any workaround or tools to solve this problem without compromising
> security?
>
> According to last months logs there are no attempted attacks using "&" and
> ".." in URLs, just our users trying to access email containing the blocked
> sequences.
>
>
>
> Thanks in advance!
>
>
> /B.
>
>
>
-----
This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.
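
After an edit like the one in steps 1-5, it is worth confirming which deny sequences the file still enforces. The script below is an added example, not part of the original post or of URLScan; the sample file contents, the watch list, and the OWA-style URL are constructed, and it assumes a `;` later on a line starts a trailing comment.

```python
# Added example: audit the [DenyUrlSequences] section of a urlscan.ini.
# SAMPLE_INI is constructed for illustration, not copied from a shipped template.
SAMPLE_INI = """\
[Options]
UseAllowVerbs=1

[DenyUrlSequences]
;..  ; commented out (step 3)
./
\\
:
%
;&   ; commented out (step 4)
"""

def audit(ini_text, watch=("..", "&", "%")):
    """Return ({sequence: state} for watched sequences, sorted enforced list)."""
    enforced, commented = set(), set()
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[denyurlsequences]"
            continue
        if not in_section or not line:
            continue
        is_commented = line.startswith(";")
        # Assumption: text after a later ';' on the line is a trailing comment.
        seq = line.lstrip(";").split(";", 1)[0].strip()
        if seq:
            (commented if is_commented else enforced).add(seq)
    state = {}
    for s in watch:
        state[s] = ("enforced" if s in enforced
                    else "commented out" if s in commented else "absent")
    return state, sorted(enforced)

def denied_by(url, enforced):
    """Plain substring check; URLScan's own URL normalization is not modelled."""
    return [s for s in enforced if s in url]

if __name__ == "__main__":
    state, enforced = audit(SAMPLE_INI)
    print(state, enforced)
    # Constructed OWA-style URL with '&' and '..' in the subject.
    print(denied_by("/exchange/user/Inbox/R&D..notes.EML", enforced))
```

Running it against the real file before and after the change gives a record of exactly which sequences were relaxed, which is useful when the same urlscan.ini is reviewed later.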