Re: Disable trace and track verbs
From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 02/13/04
- Next message: Bernard: "Re: IIS 5 - Timeout Setting questions and problem"
- Previous message: Bernard: "Re: SSL Certificate"
- In reply to: Wade A. Hilmo [MS]: "Re: Disable trace and track verbs"
- Next in thread: David Wang [Msft]: "Re: Disable trace and track verbs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 13 Feb 2004 18:48:53 +0800
His latest post shows it was another urlscan that hosted in ISA...
for IIS 6.0, both TRACE and TRACK are logged by IIS.
-- Regards, Bernard Cheah http://support.microsoft.com/ Please respond to newsgroups only ... "Wade A. Hilmo [MS]" <wadeh@microsoft.com> wrote in message news:u0qj9SY8DHA.2832@tk2msftngp13.phx.gbl... > Hello, > > Can you please post the UrlScan log file where you say that it's not > blocking OPTIONS and TRACE? Be sure the "net stop w3svc" and "net start > w3svc" right before making the OPTIONS and TRACE requests, so that the > UrlScan configuration dump is in the log. > > Also, TRACE and TRACK are not the same thing. They are very similar, and > appear the same to the client. The difference is that TRACE will produce an > entry in the w3svc logs, and TRACK will not. > > Thank you, > -Wade A. Hilmo, > -Microsoft > > <anonymous@discussions.microsoft.com> wrote in message > news:f4b901c3f154$301671b0$a501280a@phx.gbl... > > I understand what u are saying, but URLscan will not > > intercept that command yet as IIS will still respond to > > an OPTIONS and TRACE command even with it disabled. > > > > I have tried all ways, but even though it is truley > > diasabled and I know there is not compromise, if I go and > > give an OPTIONS command or a TRACE command, IIS will > > respond. > > > > Trace and track are the same command? > > > > this only presents a problem when present security test > > results to a management board and they ask why we are > > getting a false failure when using a outside security org > > to check the firewall and webserver. > > >-----Original Message----- > > >I don't see track in my IIS6. I see - > > > > > >Public: OPTIONS, TRACE, GET, HEAD, POST\r\n > > > > > >by default option is not allow in urlscan [allowverbs] > > section. > > >so the above is not display when you use HEAD/GET/PoST > > > > > >-- > > >Regards, > > >Bernard Cheah > > >http://support.microsoft.com/ > > >Please respond to newsgroups only ... > > > > > > > > ><anonymous@discussions.microsoft.com> wrote in message > > >news:ebd401c3f100$5d710d90$a001280a@phx.gbl... > > >> IF you do a > > >> > > >> OPTIONS / HTTP/1.1 > > >> > > >> you will still see TRACK as an option. THis is what is > > >> causing security checkers to fail. Is there a way to > > get > > >> this response removed? > > >> > > >> >-----Original Message----- > > >> >Are the responses 200 or 404? > > >> >Are you using a RejectResponseUrl that points to > > content? > > >> > > > >> >-- > > >> >//David > > >> >IIS > > >> >This posting is provided "AS IS" with no warranties, > > and > > >> confers no rights. > > >> >// > > >> >"Rob" <anonymous@discussions.microsoft.com> wrote in > > >> message > > >> >news:e61f01c3f030$dfc98bd0$a601280a@phx.gbl... > > >> >I have installed URLScan and i am still get a respond > > on > > >> >my web site to trace and track commands. I thought > > >> >URLScan 2.5 woul take care of it. I have the > > AllowVerbs > > >> >set to 1 and then the very TRACE and track are not in > > >> >that section. > > >> > > > >> >Any ideas? > > >> > > > >> > > > >> >. > > >> > > > > > > > > > >. > > > > >
- Next message: Bernard: "Re: IIS 5 - Timeout Setting questions and problem"
- Previous message: Bernard: "Re: SSL Certificate"
- In reply to: Wade A. Hilmo [MS]: "Re: Disable trace and track verbs"
- Next in thread: David Wang [Msft]: "Re: Disable trace and track verbs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
