Re: NormalizeUrlBeforeScan = 0 - Impact in SSL environment
From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 12/05/04
- Previous message: TC: "Re: IIS, ASP.Net Development and Norton Internet Security 2005"
- In reply to: Richard: "Re: NormalizeUrlBeforeScan = 0 - Impact in SSL environment"
- Next in thread: Richard: "Re: NormalizeUrlBeforeScan = 0 - Impact in SSL environment"
- Reply: Richard: "Re: NormalizeUrlBeforeScan = 0 - Impact in SSL environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 5 Dec 2004 08:50:43 +0100
Microsoft is quite specific when it comes to the + sign:
**************************************
; NOTE: Customers with Exchange 2003 running on Windows Server 2003 with
; URLScan installed may need to modify the "VerifyNormalization=1"
; option in this template to be "VerifyNormalization=0" if they encounter a
; "404" error when attempting to open messages or items that contain
; the "+" symbol in the subject or name.
**************************************
Mike
"Richard" <Richard@discussions.microsoft.com> wrote in message
news:8AEA87B4-AF44-4544-9861-D21808B7015A@microsoft.com...
> Thanks Mike.
>
> I have looked at all forums and MS articles before I posted this
> msg about 'if it's safe to turn off normalization in SSL environments'.
>
> There is no way I can turn off "+" in 'denyurlsequences' without turning off
> NormalizeUrlBeforeScan. That's because urlscan looks at 'denyurlsequences' AFTER
> it normalizes. So I want some input to see if I can turn off normalization,
> particularly in SSL environments where it's comparatively safer and no
> attacker logs in without SSL authentication.
>
> The article you mentioned has only the 'allowverbs' section of urlscan.ini for
> exchange owa.
>
> I tried all the templates that have 'denyurlsequences'; it looks like:
> [DenyUrlSequences]
> .. ; Do not permit directory traversals.
> ./ ; Do not permit trailing dot on a directory name.
> \ ; Do not permit backslashes in URL.
> % ; Do not permit escaping after normalization.
> & ; Do not permit multiple Common Gateway Interface processes to run on a
> single request.
>
> BUT I believe this does NOT help me ALLOW "+" characters so long as
> normalization is turned off.
>
> It seems there is no solution to unblock + character. :-(
>
> "Miha Pihler" wrote:
>
>> Hi Richard,
>>
>> Microsoft has a few articles on applying URLScan to Exchange server that
>> should help you out.
>>
>> Fine-tuning and known issues when you use the Urlscan utility in an Exchange
>> 2003 environment
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;823175 (this article
>> includes a sample URLScan.ini file that works with OWA)
>>
>> The URLScan tool may cause problems in Outlook Web Access
>> http://support.microsoft.com/kb/325965
>>
>> I hope this helps,
>>
>> Mike
>>
>> "Richard" <Richard@discussions.microsoft.com> wrote in message
>> news:606EA1D8-69D7-4414-B2BF-145F38F6FF8B@microsoft.com...
>> > Our OWA front end servers that are in the DMZ have Verisign certificates and
>> > users log in using only SSL authentication.
>> >
>> > In this situation can we safely have normalizeUrlBeforeScan=0 since no other
>> > attacker could log in to the OWA server to view the URL of our
>> > domain/directories.
>> > Of course one within the organization can be an attacker, but with the IP
>> > address we can catch him.
>> >
>> > I'm new to this URLscan concept and all I need is to unblock + so users can
>> > read emails with + in the subject field.
>> >
>> > I've been trying to resolve this for a couple of days and so far I have yet to
>> > receive some help.
>> >
>> > Thanks for your input in advance.
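As an added illustration (not from the thread, and not Microsoft's URLScan code), a simplified Python model of the check order Richard describes: the URL is normalized first and [DenyUrlSequences] is matched afterwards, with VerifyNormalization modelled as a second normalization pass that must leave the URL unchanged. The deny list is the one quoted in the thread; the OWA-style paths are constructed.

```python
from urllib.parse import unquote

# Constructed model of URLScan's request checks (not the real implementation).
# Deny list copied from the [DenyUrlSequences] section quoted in the thread.
DENY_URL_SEQUENCES = ["..", "./", "\\", "%", "&"]


def normalize(url: str) -> str:
    """One normalization pass: percent-decode the URL (the '+' itself is untouched)."""
    return unquote(url)


def urlscan_check(url: str, normalize_before_scan: bool = True,
                  verify_normalization: bool = True,
                  deny=DENY_URL_SEQUENCES):
    """Return (allowed, reason) for a request path.

    Order matches the thread: normalize (if NormalizeUrlBeforeScan=1), then
    optionally verify that a second pass changes nothing (VerifyNormalization=1),
    then match the deny sequences against whatever string survived.
    """
    candidate = url
    if normalize_before_scan:
        candidate = normalize(url)
        if verify_normalization and normalize(candidate) != candidate:
            return False, "VerifyNormalization: URL changes on a second pass"
    for seq in deny:
        if seq in candidate:
            return False, f"DenyUrlSequences: contains {seq!r}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed OWA-style item paths with a '+' in the subject.
    plain = "/exchange/richard/Inbox/Budget+2004.EML"
    encoded = "/exchange/richard/Inbox/Budget%2B2004.EML"
    print(urlscan_check(plain))                                    # allowed
    print(urlscan_check(encoded))                                  # '%2B' decodes to '+', allowed
    # With normalization off, the '%' deny rule now sees the raw escape and
    # blocks the same request, which is the trade-off Richard is weighing.
    print(urlscan_check(encoded, normalize_before_scan=False))
    # A double-encoded traversal is still caught either by the second pass or,
    # with VerifyNormalization=0, by the '%' rule.
    print(urlscan_check("/exchange/%252e%252e/x"))
    print(urlscan_check("/exchange/%252e%252e/x", verify_normalization=False))
```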