Skip navigation
Menu
Security

IIS Informant: Enabling ASP After IIS Lockdown

Downloads
25225.zip

I recently applied the URLScan filter. Now my Active Server Pages (ASP) scripts no longer function, even though I allowed the .asp extension in the urlscan.ini file. What else do I need to do to make ASP work?

The IIS Lockdown tool includes two programs: the IIS Lockdown program and the URLScan Internet Server API (ISAPI) filter, both of which can restrict the use of ASP scripts. As an ISAPI filter, URLScan can intercept requests from clients that want to run an ASP script and stop the requests from reaching the server. URLScan filters out requests for ASP scripts if you select the Static Web server template when you run the IIS Lockdown tool, as Figure 1 shows, or if you disable ASP when viewing the template settings.

As you mentioned, you can configure the urlscan.ini file in systemdrive:\winnt\system32\inetsrv\ulrscan to correct the URLScan portion of the problem. In the \[DenyExtensions\] section of the file (which will look like the code that Listing 1, page 6, shows if you chose the Static Web server template), remove the .asp, .cer, .cdx, and .asa extensions. Then, save the modified file and restart IIS. URLScan will no longer intercept requests for ASP scripts.

When you choose the Static Web server template, the IIS Lockdown tool maps the .asp extension to 404.dll, which returns a File not found error. To correct the IIS Lockdown portion of the problem and reenable ASP functionality, you must remove the mapping to 404.dll and replace it with a map to systemdrive:\winnt\system32\inetsrv\asp.dll.

As an alternative to editing urlscan.ini and application mapping, you can rerun the IIS Lockdown tool to return your IIS configuration to its prelockdown state. Then, you can run the Lockdown tool again and select the Dynamic Web server (ASP enabled) template to properly enable ASP. However, you'll lose any changes you've made to the IIS configuration in Internet Services Manager (ISM) 5.0 or Internet Service Manager (ISM) 4.0 since you ran the Lockdown tool the first time. For more information about URLScan, see Randy Franklin Smith, "Protect Your IIS Server with URLScan," page 6.

TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024
cleaning products
6 Essential Steps for Spring Cleaning Your Website
Mar 21, 2024