Windows Web Solutions UPDATE, August 26, 2003

Windows Web Solutions UPDATE--August 26, 2003

This Issue Sponsored By

Windows Scripting Solutions


1. Commentary: IIS 6.0 Makes URLScan Almost Obsolete

2. Keeping Up with IIS

- Web Admin

- Results from Last Issue's Instant Poll: Number of Cluster Nodes

- This Issue's Instant Poll: IIS 6.0 Productivity

3. Announcements

- Get the eBook That Will Help You Get Certified!

- Devconnections: 4 Conferences for the Price of 1

4. Resource

- Featured Thread: Secure FTP Site

5. Event

- New--Mobile & Wireless Road Show!

6. New and Improved

- Optimize Your Online Marketing

- Submit Top Product Ideas

7. Contact Us

- See this section for a list of ways to contact us.

==== Sponsor: Windows Scripting Solutions ====

Windows Scripting Solutions for the Systems Administrator

You might not be a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions, the monthly print publication that helps you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. Try a sample issue today at:


==== 1. Commentary: IIS 6.0 Makes URLScan Almost Obsolete ====

by Brett Hill, [email protected]

Security minded IIS administrators are aware of URLScan ( ) as a staple of IIS 5.0 and IIS 4.0 security. This Internet Server API (ISAPI) filter lets you configure your server to quickly reject client requests that don't meet criteria you define in the urlscan.ini file. IIS 6.0 has many significant security improvements, which is one reason I frequently hear the question "Do I need to run URLScan with IIS 6.0?"

The general answer to this question is "probably not." Of course, that's not a very satisfying answer, so let's see if I can help clarify things for your particular circumstances by mapping URLScan features to IIS 6 features.

IIS 5.0 and IIS 4.0 have HTTP parsing systems that aren't quite as strong as they should be. URLScan features such as NormalizeURLBeforeScan, VerifyNormalization, and AllowDotInPath help bolster the IIS 5.0 and IIS 4.0 parsing engines to prevent specific exploits from succeeding. IIS 6.0's http.sys parsing engine is completely rewritten and much tighter about enforcing standards. Consequently, you don't need to use URLScan to secure IIS 6.0 server from double-decode, directory traversal, and other attacks that leverage weaknesses in the IIS 5.0 and IIS 4.0 HTTP parsing engines.

AllowHighBitCharacters is a URLScan setting that prevents or allows URLs that contain UTF8-encoded non-ASCII characters. UTF8 lets you represent characters of many languages in an encoded form such as %2e for a period and %20 for a space. A period and a space are ASCII characters, but UTF8 also can represent non-ASCII characters. Hackers can use this capability to submit content in a URL that can execute in the CPU by means of a buffer overflow. The IIS 6.0 registry subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\EnableNonUTF8 permits or denies UTF8. Thus, you don't need URLScan to control this capability in IIS 6.0. See the Microsoft article "INF: Http.sys Registry Settings for IIS" ( ) for the complete set of registry entries that Microsoft has released for http.sys.

The Allow/Deny Extensions sections of the urlscan.ini file let you specify file extensions to permit or reject. IIS 6.0, using Web Service Extensions, goes one better by denying all executables that aren't specifically allowed by path and filename. For example, using URLScan, even if you want to permit only one .dll file to run, you have to allow all files ending in .dll to run. In IIS 6.0, you can specify that only d:\webcontent\shoppingcart\cart.dll should be able to run. Permitting only specified executables to run is a very strong defense because it means that even if a hacker can get an executable onto the server, it can't be launched from a URL.

The DenyUrlSequences setting in URLScan has no matching component in IIS 6.0. The DenyUrlSequences option lets you reject a URL that contains a sequence of characters that you specify. For example, you can reject any URL that contains "_vti" to prevent attacks on FrontPage directories or "scripts" to prevent attacks on the commonly targeted Scripts folder (which isn't present on IIS 6.0). After you review IIS 6.0's security features, if you find you need to reject specific character sequences, you'll need to use URLScan.

URLScan also provides the only supported method for removing the server banner from IIS servers. Some security-minded folks are passionate about removing the server banner, but fingerprinting an IIS server is easy for anyone who really wants to know its identity. Thus, I wouldn't implement URLScan simply for this capability because the security benefit is minimal.

Deny/Allow Verbs is another feature that's available only in URLScan. This feature permits you to list HTTP verbs that the IIS server should deny or allow. The most common use of this feature is to reject WebDAV requests in IIS 5.0 and IIS 4.0. IIS 6.0 with Web Service Extensions prevents WebDAV by default. Consequently, if all you want to do is disable WebDAV on IIS 6.0, URLScan isn't required. However, I sometimes use URLScan with IIS 6.0 to reject all HTTP verbs that I don't specifically allow. This practice protects the server from standard WebDAV and HTTP verbs such as PUT, from any problems that might arise from changes to HTTP specifications, and from custom applications attempting to use (or abuse) nonstandard verbs.

The "Max" URLScan settings--MaxHeader, MaxURL, MaxAllowedContentLength, and so on--are among the most powerful of the URLScan settings because they restrict the number of characters that can be sent to the Web server in a portion of the client request. Thus, the settings greatly constrain hackers' ability to craft buffer overflow attacks. IIS 6.0's http.sys registry settings let you specify MaxRequestsBytes (the maximum value for all client request headers plus the URL) and MaxFieldLength (the maximum size of any individual client request).

As you can see, URLScan capabilities are for the most part incorporated into IIS 6.0. Thus, you probably don't need URLScan with IIS 6.0 (unless you want to filter out certain URL character sequences or verbs, remove the server banner, or specify different maximum lengths for each element of the HTTP client request header).


==== 2. Keeping Up with IIS ====

Web Admin

As the number of Internet users continues to grow, so does the number of Web-based provisioning tools that let those users perform administrative tasks within a Windows and IIS environment. The Microsoft Web Admin tool is one such application. Web Admin is a sample Web-based provisioning tool that demonstrates the use of Active Server Pages (ASP) and Microsoft Internet Explorer (IE) 4.0 or later to create, modify, and delete users, groups, and organizational units (OUs) from Windows 2000 Active Directory (AD). To find out more about the Web Admin tool, click on the following URL:

Results from Last Issue's Instant Poll: Number of Cluster Nodes

The voting has closed in the Windows & .NET Magazine Windows Web Solutions channel's nonscientific Instant Poll for the question, "How many nodes do you use in your clusters?" Here are the results from the 34 responses:

- 21% 4 or more nodes

- 0% 3 nodes

- 47% 2 nodes

- 32% We don't use clusters.

(Deviations from 100 percent are due to rounding error.)

This Issue's Instant Poll: IIS 6.0 Productivity

The next Instant Poll question is, "Have you noticed a difference in productivity when you switched to IIS 6.0?" Go to the Windows & .NET Magazine Windows Web Solutions home page and submit your vote for a) Yes, I noticed IIS 6.0 is much faster than 5.0, b) No, I believe IIS 5.0 is faster than IIS 6.0, or c) I haven't noticed a difference.

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Get the eBook That Will Help You Get Certified!

The "Insider's Guide to IT Certification," from the Windows & .NET Magazine Network, has one goal: to help you save time and money on your quest for certification. Find out how to choose the best study guides, save hundreds of dollars, and be successful as an IT professional. The amount of time you spend reading this book will be more than made up by the time you save preparing for your certification exams. Order your copy today!

Devconnections: 4 Conferences for the Price of 1 DevConnections = Microsoft ASP.NET Connections + Visual Studio Connections + SQL Server Magazine Connections + Microsoft Office System Connections. Learn from the Microsoft architects who built these technologies plus world-renowned third-party gurus. Register by August 29 and save $200. Attendees will also have a chance to win a Harley-Davidson motorcycle, so sign up today!

==== 4. Resource ====

Featured Thread: Secure FTP Site

Forum member Kofa wants to know whether Secure Sockets Layer (SSL) in the only way to ensure a secure FTP site. To lend this forum member a helping hand, click the following URL:

==== 5. Event ====

(brought to you by Windows & .NET Magazine)

New--Mobile & Wireless Road Show!

Learn more about the wireless and mobility solutions that are available today! Register now for this free event!

==== 6. New and Improved ====

by Sue Cooper, [email protected]

Optimize Your Online Marketing

WebSideStory released HitBox Enterprise 9.0, a service that provides relevant data collection and analysis and reporting of visitor activity on large, complex Web sites. New features include the ability to overlay key visitor and customer statistics and reports on your Web site; a plug-in to query your HitBox-hosted data directly from Excel; the ability to view key reports and information in the context of a specific job function, such as marketing or e-commerce; and customizable executive dashboards. Contact WebSideStory at 888-844-8269, 858-546-0040, or [email protected]

Submit Top Product Ideas

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]

==== Sponsored Links ====


FREE live trial-Backup & Disaster Recovery software w/ encryption;5945485;8214395;x?


Free Download - NEW NetOp 7.6 - faster, more secure, remote support;5930423;8214395;j?


==== 7. Contact Us ====

About the commentary -- [email protected]

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring UPDATE -- [email protected]


Manage Your Account

You are subscribed as #EmailAddr#.

To unsubscribe from this email newsletter, send an email message to mailto:#mailing:unsubemail#.

To make other changes to your email account such as change your email address, update your profile, and subscribe or unsubscribe to any of our email newsletters, simply log on to our Email Preference Center.

Copyright 2003, Penton Media, Inc.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.