Re: Disable trace and track verbs

anonymous_at_discussions.microsoft.com
Date: 02/12/04


Date: Thu, 12 Feb 2004 02:36:58 -0800

I understand what you are saying, but URLscan will not
intercept that command yet as IIS will still respond to
an OPTIONS and TRACE command even with it disabled.

I have tried all ways, but even though it is truly
disabled and I know there is no compromise, if I go and
give an OPTIONS command or a TRACE command, IIS will
respond.

Trace and track are the same command?

This only presents a problem when presenting security test
results to a management board and they ask why we are
getting a false failure when using an outside security org
to check the firewall and webserver.
>-----Original Message-----
>Well, then use URLScan to disable OPTIONS.
>
>URLScan isn't changing IIS code; it's intercepting requests prior to IIS
>processing them and then rejecting them, so even though URLScan denies
>TRACK and TRACE, IIS itself still thinks it is able to handle them and hence
>responding that way in OPTIONS.
>
>--
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and confers no rights.
>//
><anonymous@discussions.microsoft.com> wrote in message
>news:ebd401c3f100$5d710d90$a001280a@phx.gbl...
>If you do a
>
>OPTIONS / HTTP/1.1
>
>you will still see TRACK as an option. This is what is
>causing security checkers to fail. Is there a way to get
>this response removed?
>
>>-----Original Message-----
>>Are the responses 200 or 404?
>>Are you using a RejectResponseUrl that points to content?
>>
>>--
>>//David
>>IIS
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>//
>>"Rob" <anonymous@discussions.microsoft.com> wrote in message
>>news:e61f01c3f030$dfc98bd0$a601280a@phx.gbl...
>>I have installed URLScan and I am still getting a response on
>>my web site to trace and track commands. I thought
>>URLScan 2.5 would take care of it. I have the AllowVerbs
>>set to 1 and then the verbs TRACE and track are not in
>>that section.
>>
>>Any ideas?
>>
>>
>>.
>>
>
>
>.
>
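
An added example, not part of the original posts: a small Python check that separates a verb that is only advertised in the OPTIONS response from one the server actually services, which is the distinction discussed in this thread. The sample responses are constructed, and treating a 200 reply with Content-Type message/http as the sign that TRACE (and, by assumption, TRACK) was really handled is this example's own heuristic.

```python
# Constructed sample responses (not captured from a real server).
OPTIONS_RESP = ("HTTP/1.1 200 OK\r\n"
                "Allow: OPTIONS, TRACE, TRACK, GET, HEAD, POST\r\n"
                "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
                "Content-Length: 0\r\n\r\n")
TRACE_404 = ("HTTP/1.1 404 Object Not Found\r\n"
             "Content-Type: text/html\r\n\r\n<html>Not found</html>")
# Rejection served as ordinary content with a 200 (e.g. a RejectResponseUrl page).
TRACE_REJECT_PAGE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html\r\n\r\n<html>Rejected</html>")
# Verb really handled: the request is echoed back as message/http.
TRACE_ECHO = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def advertised_verbs(options_raw):
    """Verbs listed in the Allow and Public headers of an OPTIONS response."""
    _, headers = parse_response(options_raw)
    verbs = set()
    for name in ("allow", "public"):
        verbs |= {v.strip().upper() for v in headers.get(name, "").split(",") if v.strip()}
    return verbs


def classify(verb, options_raw, verb_raw):
    """Return 'enabled', 'advertised-only' or 'disabled' for one verb."""
    status, headers = parse_response(verb_raw)
    # Heuristic (assumption): a serviced TRACE/TRACK echoes the request as message/http.
    if status == 200 and headers.get("content-type", "").lower().startswith("message/http"):
        return "enabled"
    return "advertised-only" if verb.upper() in advertised_verbs(options_raw) else "disabled"


if __name__ == "__main__":
    for label, resp in (("404", TRACE_404), ("reject page", TRACE_REJECT_PAGE), ("echo", TRACE_ECHO)):
        print(label, "->", classify("TRACE", OPTIONS_RESP, resp))
```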


