Re: Disable trace and track verbs

From: Wade A. Hilmo [MS] (wadeh_at_microsoft.com)
Date: 02/12/04


Date: Thu, 12 Feb 2004 08:25:16 -0800

Hello,

Can you please post the UrlScan log file where you say that it's not
blocking OPTIONS and TRACE? Be sure to "net stop w3svc" and "net start
w3svc" right before making the OPTIONS and TRACE requests, so that the
UrlScan configuration dump is in the log.

Also, TRACE and TRACK are not the same thing. They are very similar, and
appear the same to the client. The difference is that TRACE will produce an
entry in the w3svc logs, and TRACK will not.

Thank you,
-Wade A. Hilmo,
-Microsoft

<anonymous@discussions.microsoft.com> wrote in message
news:f4b901c3f154$301671b0$a501280a@phx.gbl...
> I understand what you are saying, but URLscan will not
> intercept that command yet as IIS will still respond to
> an OPTIONS and TRACE command even with it disabled.
>
> I have tried all ways, but even though it is truly
> disabled and I know there is no compromise, if I go and
> give an OPTIONS command or a TRACE command, IIS will
> respond.
>
> Trace and track are the same command?
>
> This only presents a problem when presenting security test
> results to a management board and they ask why we are
> getting a false failure when using an outside security org
> to check the firewall and webserver.
> >-----Original Message-----
> >I don't see track in my IIS6. I see -
> >
> >Public: OPTIONS, TRACE, GET, HEAD, POST\r\n
> >
> >By default option is not allowed in the urlscan [allowverbs] section,
> >so the above is not displayed when you use HEAD/GET/POST
> >
> >--
> >Regards,
> >Bernard Cheah
> >http://support.microsoft.com/
> >Please respond to newsgroups only ...
> >
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:ebd401c3f100$5d710d90$a001280a@phx.gbl...
> >> If you do a
> >>
> >> OPTIONS / HTTP/1.1
> >>
> >> you will still see TRACK as an option. This is what is
> >> causing security checkers to fail. Is there a way to get
> >> this response removed?
> >>
> >> >-----Original Message-----
> >> >Are the responses 200 or 404?
> >> >Are you using a RejectResponseUrl that points to content?
> >> >
> >> >--
> >> >//David
> >> >IIS
> >> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >> >//
> >> >"Rob" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:e61f01c3f030$dfc98bd0$a601280a@phx.gbl...
> >> >I have installed URLScan and I am still getting a response on
> >> >my web site to trace and track commands. I thought
> >> >URLScan 2.5 would take care of it. I have the AllowVerbs
> >> >set to 1 and then the verbs TRACE and track are not in
> >> >that section.
> >> >
> >> >Any ideas?
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
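
An added example, not part of any post in this thread and not Microsoft's code: a small Python audit of the verb rules discussed above, reporting whether a UrlScan.ini as written would pass OPTIONS, TRACE and TRACK. The sample file is constructed and the function names are hypothetical; `[Options]`, `UseAllowVerbs`, `[AllowVerbs]` and `[DenyVerbs]` are UrlScan's own names.

```python
# Added example (not from the thread): audit the verb rules in a UrlScan.ini.
# SAMPLE_INI is constructed; function names are hypothetical.
SAMPLE_INI = """\
[Options]
UseAllowVerbs=1   ; 1 = pass only [AllowVerbs]; 0 = block only [DenyVerbs]

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
"""

def parse_urlscan(text):
    """Return {section_name_lowercased: [entries]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def verb_verdicts(text, verbs=("GET", "OPTIONS", "TRACE", "TRACK")):
    """Map each verb to 'allowed' or 'rejected' under the parsed rules."""
    sections = parse_urlscan(text)
    options = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        options[key.strip().lower()] = value.strip()
    # Assumption: a missing UseAllowVerbs is treated as 1 (allow-list mode).
    allow_mode = options.get("useallowverbs", "1") == "1"
    allow = set(sections.get("allowverbs", []))                 # case-sensitive
    deny = {v.upper() for v in sections.get("denyverbs", [])}   # case-insensitive
    verdicts = {}
    for verb in verbs:
        passes = verb in allow if allow_mode else verb.upper() not in deny
        verdicts[verb] = "allowed" if passes else "rejected"
    return verdicts

if __name__ == "__main__":
    for verb, verdict in verb_verdicts(SAMPLE_INI).items():
        print(f"{verb:8} {verdict}")
```

This reads the file only; the configuration dump UrlScan writes to its log after a w3svc restart shows what the filter actually loaded.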


