Re: Disable trace and track verbs

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 02/12/04

• Next message: David Wang [Msft]: "Re: Disable trace and track verbs"
• Previous message: Bernard: "Re: Disable trace and track verbs"
• In reply to: anonymous_at_discussions.microsoft.com: "Re: Disable trace and track verbs"
• Next in thread: anonymous_at_discussions.microsoft.com: "Re: Disable trace and track verbs"
• Reply: anonymous_at_discussions.microsoft.com: "Re: Disable trace and track verbs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 12 Feb 2004 15:17:14 +0800

I don't see track in my IIS6. I see -

Public: OPTIONS, TRACE, GET, HEAD, POST\r\n

by default option is not allow in urlscan [allowverbs] section.
so the above is not display when you use HEAD/GET/PoST

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
<anonymous@discussions.microsoft.com> wrote in message
news:ebd401c3f100$5d710d90$a001280a@phx.gbl...
> IF you do a
>
> OPTIONS / HTTP/1.1
>
> you will still see TRACK as an option.  THis is what is
> causing security checkers to fail.  Is there a way to get
> this response removed?
>
> >-----Original Message-----
> >Are the responses 200 or 404?
> >Are you using a RejectResponseUrl that points to content?
> >
> >-- 
> >//David
> >IIS
> >This posting is provided "AS IS" with no warranties, and
> confers no rights.
> >//
> >"Rob" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:e61f01c3f030$dfc98bd0$a601280a@phx.gbl...
> >I have installed URLScan and i am still get a respond on
> >my web site to trace and track commands.  I thought
> >URLScan 2.5 woul take care of it.  I have the AllowVerbs
> >set to 1 and then the very TRACE and track are not in
> >that section.
> >
> >Any ideas?
> >
> >
> >.
> >

---

• Next message: David Wang [Msft]: "Re: Disable trace and track verbs"
• Previous message: Bernard: "Re: Disable trace and track verbs"
• In reply to: anonymous_at_discussions.microsoft.com: "Re: Disable trace and track verbs"
• Next in thread: anonymous_at_discussions.microsoft.com: "Re: Disable trace and track verbs"
• Reply: anonymous_at_discussions.microsoft.com: "Re: Disable trace and track verbs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Disable TRACE IIS 6 ... I have installed urlscan and allowed only GET, HEAD, POST verbs ... URLScan will reject PUT with 404 if it is running so it looks like ... TRACE has special code in IIS that skips over URLScan's attempt to ... Consider the security setting of Known Extensions -- IIS returns 404 ... (microsoft.public.inetserver.iis.security) Re: Disable trace and track verbs ... I understand what u are saying, but URLscan will not ... intercept that command yet as IIS will still respond to ... an OPTIONS and TRACE command even with it disabled. ... (microsoft.public.inetserver.iis.security) Re: Disabling HTTP Trace Without using URL Scan ... you can install UrlScan 2.5 without the lockdown tool. ... If you have a hard core goal of disabling TRACE without any additional ... (microsoft.public.inetserver.iis.security) Re: Disable trace and track verbs ... His latest post shows it was another urlscan that hosted in ISA... ... for IIS 6.0, both TRACE and TRACK are logged by IIS. ... >> an OPTIONS and TRACE command even with it disabled. ... (microsoft.public.inetserver.iis.security) Re: URLscan and mapping ... OPTIONS and put it in [AllowVerbs] ... I guess I need to read up on urlscan ... >> to restart iis services. ... >> Rgds. ... (microsoft.public.inetserver.iis.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)