Re: About http method trace track options in IIS4

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 10/08/04


Date: Fri, 8 Oct 2004 22:08:10 +0800

AFAIK, you can't.

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
<io.com> wrote in message news:#7tGdrRrEHA.592@TK2MSFTNGP11.phx.gbl...
> Ok thanks but I would try first without URLScan.
> How do I disable this method with Metabase Editor? Which parameters must I
> modify to do it?
>
>
> thanks
>
> "Steve S." <SteveS> wrote in message
> news:eoFBZsKrEHA.516@TK2MSFTNGP09.phx.gbl...
> > I doubt URLScan will have any noticeable effect on the performance of your
> > machine.  If I were you I'd first try installing URLScan to see if there's
> > any slowdown at all before I'd try hacking the metabase!  I've used
> > MetaEdit 2.2 a lot.  I've even exported metabase subtrees, hacked the
> > resultant text files, and imported them elsewhere, and I certainly don't
> > know how to do what you're asking.
> >
> > BTW, my company just installed URLScan to disable TRACK and TRACE.  Below
> > is a minimal urlscan.ini file to do the trick (you also might comment out
> > the "translate:" header because it sometimes causes lots of urlscan logging
> > you don't want):
> >
> > =====================
> > [options]
> >
> > UseAllowVerbs=0                ; If 1, use [AllowVerbs] section, else use
> >                                ; the [DenyVerbs] section.
> >
> > UseAllowExtensions=0           ; If 1, use [AllowExtensions] section, else use
> >                                ; the [DenyExtensions] section.
> >
> > NormalizeUrlBeforeScan=1       ; If 1, canonicalize URL before processing.
> >
> > VerifyNormalization=1          ; If 1, canonicalize URL twice and reject request
> >                                ; if a change occurs.
> >
> > AllowHighBitCharacters=0       ; If 1, allow high bit (ie. UTF8 or MBCS)
> >                                ; characters in URL.
> >
> > AllowDotInPath=1               ; If 1, allow dots that are not file extensions.
> >
> > RemoveServerHeader=0           ; If 1, remove the 'Server' header from response.
> >
> > EnableLogging=1                ; If 1, log UrlScan activity.
> >
> > PerProcessLogging=0            ; If 1, the UrlScan.log filename will contain a PID
> >                                ; (ie. UrlScan.123.log).
> >
> > AllowLateScanning=0            ; If 1, then UrlScan will load as a low priority
> >                                ; filter.
> >
> > PerDayLogging=1                ; If 1, UrlScan will produce a new log each day with
> >                                ; activity in the form 'UrlScan.010101.log'.
> >
> > UseFastPathReject=0            ; If 1, then UrlScan will not use the
> >                                ; RejectResponseUrl or allow IIS to log the request.
> >
> > LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
> >                                ; If 0, then only 1k is allowed.
> >
> > ;
> > ; If UseFastPathReject is 0, then UrlScan will send
> > ; rejected requests to the URL specified by RejectResponseUrl.
> > ; If not specified, '/<Rejected-by-UrlScan>' will be used.
> > ;
> >
> > RejectResponseUrl=
> >
> > ;
> > ; LoggingDirectory can be used to specify the directory where the
> > ; log file will be created.  This value should be the absolute path
> > ; (ie. c:\some\path).  If not specified, then UrlScan will create
> > ; the log in the same directory where the UrlScan.dll file is located.
> > ;
> >
> > LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs
> >
> > ;
> > ; If RemoveServerHeader is 0, then AlternateServerName can be
> > ; used to specify a replacement for IIS's built in 'Server' header
> > ;
> >
> > AlternateServerName=
> >
> > [RequestLimits]
> >
> > ;
> > ; The entries in this section impose limits on the length
> > ; of allowed parts of requests reaching the server.
> > ;
> > ; It is possible to impose a limit on the length of the
> > ; value of a specific request header by prepending "Max-" to the
> > ; name of the header.  For example, the following entry would
> > ; impose a limit of 100 bytes to the value of the
> > ; 'Content-Type' header:
> > ;
> > ;   Max-Content-Type=100
> > ;
> > ; To list a header and not specify a maximum value, use 0
> > ; (ie. 'Max-User-Agent=0').  Also, any headers not listed
> > ; in this section will not be checked for length limits.
> > ;
> > ; There are 3 special case limits:
> > ;
> > ;   - MaxAllowedContentLength specifies the maximum allowed
> > ;     numeric value of the Content-Length request header.  For
> > ;     example, setting this to 1000 would cause any request
> > ;     with a content length that exceeds 1000 to be rejected.
> > ;     The default is 30000000.
> > ;
> > ;   - MaxUrl specifies the maximum length of the request URL,
> > ;     not including the query string. The default is 260 (which
> > ;     is equivalent to MAX_PATH).
> > ;
> > ;   - MaxQueryString specifies the maximum length of the query
> > ;     string.  The default is 2048.
> > ;
> >
> > MaxAllowedContentLength=30000000
> > MaxUrl=260
> > MaxQueryString=2048
> >
> > [AllowVerbs]
> >
> > ;
> > ; The verbs (aka HTTP methods) listed here are those commonly
> > ; processed by a typical IIS server.
> > ;
> > ; Note that these entries are effective if "UseAllowVerbs=1"
> > ; is set in the [Options] section above.
> > ;
> >
> > GET
> > HEAD
> > POST
> >
> > [DenyVerbs]
> >
> > ;
> > ; The verbs (aka HTTP methods) listed here are used for publishing
> > ; content to an IIS server via WebDAV.
> > ;
> > ; Note that these entries are effective if "UseAllowVerbs=0"
> > ; is set in the [Options] section above.
> > ;
> >
> > ;PROPFIND
> > ;PROPPATCH
> > ;MKCOL
> > ;DELETE
> > ;PUT
> > ;COPY
> > ;MOVE
> > ;LOCK
> > ;UNLOCK
> > ;OPTIONS
> > ;SEARCH
> > TRACE
> > TRACK
> >
> > [DenyHeaders]
> >
> > ;
> > ; The following request headers alter processing of a
> > ; request by causing the server to process the request
> > ; as if it were intended to be a WebDAV request, instead
> > ; of a request to retrieve a resource.
> > ;
> >
> > Translate:
> > If:
> > Lock-Token:
> > Transfer-Encoding:
> >
> > [AllowExtensions]
> >
> > ;
> > ; Extensions listed here are commonly used on a typical IIS server.
> > ;
> > ; Note that these entries are effective if "UseAllowExtensions=1"
> > ; is set in the [Options] section above.
> > ;
> >
> > .htm
> > .html
> > .txt
> > .jpg
> > .jpeg
> > .gif
> >
> > [DenyExtensions]
> >
> > ;
> > ; Extensions listed here either run code directly on the server,
> > ; are processed as scripts, or are static files that are
> > ; generally not intended to be served out.
> > ;
> > ; Note that these entries are effective if "UseAllowExtensions=0"
> > ; is set in the [Options] section above.
> > ;
> > ; Also note that ASP scripts are denied with the below
> > ; settings.  If you wish to enable ASP, remove the
> > ; following extensions from this list:
> > ;    .asp
> > ;    .cer
> > ;    .cdx
> > ;    .asa
> > ;
> >
> > ; Deny ASP requests
> > ; .asp
> > ; .cer
> > ; .cdx
> > ; .asa
> >
> > ; Deny executables that could run on the server
> > ; .exe
> > ; .bat
> > ; .cmd
> > ; .com
> >
> > ; Deny infrequently used scripts
> > ; .htw     ; Maps to webhits.dll, part of Index Server
> > ; .ida     ; Maps to idq.dll, part of Index Server
> > ; .idq     ; Maps to idq.dll, part of Index Server
> > ; .htr     ; Maps to ism.dll, a legacy administrative tool
> > ; .idc     ; Maps to httpodbc.dll, a legacy database access tool
> > ; .shtm    ; Maps to ssinc.dll, for Server Side Includes
> > ; .shtml   ; Maps to ssinc.dll, for Server Side Includes
> > ; .stm     ; Maps to ssinc.dll, for Server Side Includes
> > ; .printer ; Maps to msw3prt.dll, for Internet Printing Services
> >
> > ; Deny various static files
> > ; .ini     ; Configuration files
> > ; .log     ; Log files
> > ; .pol     ; Policy files
> > ; .dat     ; Configuration files
> >
> > [DenyUrlSequences]
> > ; ..  ; Don't allow directory traversals
> > ; ./  ; Don't allow trailing dot on a directory name
> > ; \   ; Don't allow backslashes in URL
> > ; :   ; Don't allow alternate stream access
> > ; %   ; Don't allow escaping after normalization
> > ; &   ; Don't allow multiple CGI processes to run on a single request
> >
> >
>
>
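Added example for the urlscan.ini quoted above; it is not code from the thread's posters or from UrlScan itself. It does two things a practitioner wants after dropping that file in: it evaluates which verbs the file's [Options]/[AllowVerbs]/[DenyVerbs] settings would accept or reject, using a minimal reading of the rules stated in the file's own comments (assumptions: ';' starts a comment, verbs are compared case-insensitively, and this is not UrlScan's real parser), and it builds a TRACE/TRACK probe and classifies the server's reply so you can confirm the filter is actually rejecting those methods. The ini fragment (SAMPLE_INI), the marker header, and the two sample replies are constructed for this example.

```python
"""Added example for the thread above; not code from the original posts or
from UrlScan. Shows (1) which verbs the quoted urlscan.ini would accept or
reject, using a minimal reading of the [Options]/[AllowVerbs]/[DenyVerbs]
rules from the file's own comments (assumption: ';' starts a comment, verbs
compare case-insensitively; this is not UrlScan's parser), and (2) a
TRACE/TRACK probe plus a classifier for the reply, to confirm the filter
works after installation. SAMPLE_INI and the *_REPLY strings are constructed."""
import socket

# Constructed sample: the verb-related parts of the ini posted in the thread.
SAMPLE_INI = """\
[options]
UseAllowVerbs=0                ; If 1, use [AllowVerbs] section, else use
                               ; the [DenyVerbs] section.

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
;PROPFIND
;OPTIONS
TRACE
TRACK
"""

MARKER = b"X-Probe: urlscan-check"   # header we expect echoed back by TRACE


def parse_urlscan_ini(text):
    """Return {section_lower: [entries]}, dropping ';' comments and blanks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def option(sections, name, default="0"):
    """Look up a key=value entry in [Options] (case-insensitive key)."""
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        if key.strip().lower() == name.lower():
            return value.strip()
    return default


def verb_allowed(sections, verb):
    """UseAllowVerbs=1: only [AllowVerbs] pass. Otherwise: anything not
    listed in [DenyVerbs] passes (so a ';'-commented verb is allowed)."""
    verb = verb.upper()
    if option(sections, "UseAllowVerbs") == "1":
        return verb in {v.upper() for v in sections.get("allowverbs", [])}
    return verb not in {v.upper() for v in sections.get("denyverbs", [])}


def build_probe(verb, host):
    """Raw HTTP/1.0 request carrying MARKER, for TRACE or TRACK."""
    return b"%s / HTTP/1.0\r\nHost: %s\r\n%s\r\n\r\n" % (
        verb.encode(), host.encode(), MARKER)


def classify_response(raw):
    """'reflected': MARKER came back in the body, so the method is live and
    the server echoes requests. 'rejected': 4xx/5xx without reflection
    (UrlScan's RejectResponseUrl 404, or a 405). 'other': inspect by hand."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    if MARKER in body:
        return "reflected"
    if 400 <= code < 600:
        return "rejected"
    return "other"


def probe(host, port, verb, timeout=5):
    """Send the probe to a live server and classify the reply (network I/O;
    the offline sample below does not call this)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(verb, host))
        chunks = []
        data = s.recv(4096)
        while data:
            chunks.append(data)
            data = s.recv(4096)
    return classify_response(b"".join(chunks))


# Constructed replies, not captured from any real server.
REFLECTED_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                   b"TRACE / HTTP/1.0\r\nHost: www\r\n" + MARKER + b"\r\n\r\n")
REJECTED_REPLY = (b"HTTP/1.1 404 Object Not Found\r\nContent-Type: text/html"
                  b"\r\n\r\n<html>Not found</html>")

if __name__ == "__main__":
    cfg = parse_urlscan_ini(SAMPLE_INI)
    for v in ("GET", "OPTIONS", "TRACE", "TRACK"):
        print(v, "allowed" if verb_allowed(cfg, v) else "denied")
    print(classify_response(REFLECTED_REPLY), classify_response(REJECTED_REPLY))
```

Run it as-is for the offline check, or call probe(host, 80, "TRACE") and probe(host, 80, "TRACK") against the server once the filter is installed: with UseFastPathReject=0 the quoted file sends rejected requests to RejectResponseUrl, so a working install shows up as "rejected" (a 404 with no echoed marker) rather than "reflected". The commented-out ;OPTIONS line in the sample is deliberate: with UseAllowVerbs=0 only the uncommented [DenyVerbs] entries count, which is why the sample reports OPTIONS as allowed and TRACE/TRACK as denied.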

