Re: How to disable HTTP trace in IIS 5



Yes, you can do that.

I don't believe that IIS 5.0 has any inbuilt ability to "disable" any HTTP verbs (except for ISAPI extensions, where you can choose which verbs are permitted). URLScan is a high-priority ISAPI filter, so it can load before anything else, and you can block the TRACE verb there.

You can, if you want, remove all other entries, and that will only block trace. Please read the instructions in the KB article posted first though!

Cheers
Ken


"yklee" <yklee@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:814DDBEF-7438-4F4C-B8F2-331BBEFE838D@xxxxxxxxxxxxxxxx
currently i do not use urlscan on my web server. can i just use the urlscan
to deny the trace verb without denying what's running in my web server? can i
do that by removing the entries that i don't need in the urlscan.ini?

"Ken Schaefer" wrote:

You can use URLScan to block HTTP Trace verb

http://support.microsoft.com/?id=326444
How to configure the URLScan Tool

If you just want to deny the trace verb, then in the [DenyVerbs] section add
"Trace". Alternatively if you want to use [AllowVerbs] then you need to add
every verb you want to allow (e.g. GET, POST, HEAD) and you don't need to do
anything else (since everything else is denied by default)

Cheers
Ken

"yklee" <yklee@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:62E598D1-44E3-4CF1-B33A-D789D3A9C47C@xxxxxxxxxxxxxxxx
> i'm not familiar with iis or http and its jargon. my iis5 server (windows
> 2000 sp4) is currently hosting our website & owa. it is a requirement to
> ensure that the http trace is disabled on the server. i have tried but still
> could not understand what or how to configure the urlscan.ini to just disable
> the http trace, without affecting any other things. i know in iis6 (windows
> 2003), i can do that through the registry. is there any reference document or
> anyone that can enlighten or guide me on how to go about it in iis5 (windows
> 2000 sp4).
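
Added example, not part of the thread and not URLScan's own code: a small Python model of the two verb-list approaches discussed above, evaluating a urlscan.ini against a given HTTP verb. The sample INI text is constructed; the function names, the default of UseAllowVerbs=1 when the option is absent, and the case handling (allow list case-sensitive, deny list case-insensitive) are assumptions about URLScan's behaviour.

```python
def parse_urlscan_ini(text):
    """Return {lowercased section name: [entries]} for urlscan.ini-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def verb_blocked(ini_text, verb):
    """True if the verb lists in ini_text would reject this HTTP verb."""
    sections = parse_urlscan_ini(ini_text)
    options = {k.strip().lower(): v.strip() for k, v in
               (e.split("=", 1) for e in sections.get("options", []) if "=" in e)}
    # Assumption: UseAllowVerbs defaults to 1 when the option is absent.
    if options.get("useallowverbs", "1") == "1":
        # Allow-list mode: anything not listed is denied (assumed case-sensitive).
        return verb not in sections.get("allowverbs", [])
    # Deny-list mode: only listed verbs are denied (assumed case-insensitive).
    denied = {v.upper() for v in sections.get("denyverbs", [])}
    return verb.upper() in denied

# Constructed sample: the minimal change, deny TRACE only.
DENY_TRACE_ONLY = """
[options]
UseAllowVerbs=0   ; 0 = use [DenyVerbs]
[DenyVerbs]
TRACE
"""

# Constructed sample: the allow-list alternative from the thread.
ALLOW_LIST = """
[options]
UseAllowVerbs=1   ; 1 = use [AllowVerbs]
[AllowVerbs]
GET
POST
HEAD
"""

if __name__ == "__main__":
    for name, ini in (("deny-list", DENY_TRACE_ONLY), ("allow-list", ALLOW_LIST)):
        for verb in ("GET", "TRACE", "PROPFIND"):
            print(name, verb, "blocked" if verb_blocked(ini, verb) else "passed")
```

In this model the allow-list sample also rejects PROPFIND, a WebDAV verb, while the deny-only sample rejects nothing except TRACE.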


