URLScan 2.5 offers additional configuration options that help you further lock down your servers. You can download URLScan 2.5 at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp. URLScan 2.5's new features include the ability to change the log-file directory, to log long URLs, and to restrict the size of requests. Note that you should install URLScan 2.0 before you install URLScan 2.5.
When you install URLScan 2.5, the tool adds settings to urlscan.ini that correspond to the new features. If you've configured an earlier version of URLScan for your site, URLScan 2.5 doesn't overwrite your current settings when it adds new entries. However, you will want to configure the new default options just as you configured the default options for URLScan 2.0.
When you download URLScan 2.5, you must choose between the baseline variant or the Security Rollup Package (SRP) variant. The difference lies in the values that URLScan 2.5 sets for the new urlscan.ini settings. According to the Microsoft documentation, the main difference between the URLScan-SRP configuration and the Baseline URLScan configuration lies in how each handles chunked-encoding data transfers. By default, URLScan-SRP blocks chunked-encoding transfers. The baseline variant doesn't block these transfers by default. In addition, the URLScan-SRP configuration restricts uploads to the server to 30MB. All other features of the SRP variant are the same as those of the baseline variant.
The SRP variant rejects "chunked" transfers of data because of vulnerabilities in IIS's chunked-encoding mechanism. (You use chunk transfers when you must transfer dynamic content without knowing the content's length in advance.) You won't find a simple way to determine whether your Web site uses chunked encoding short of enabling the feature to reject chunked encoding and fully exercising your Web site.
Note that if you installed the cumulative IIS patch that Microsoft announced in Microsoft Security Bulletin MS02-018 (Cumulative Patch for Internet Information Services) at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp, you're already protected against known exploits related to chunked encoding. However, because I always recommend the strictest possible security configuration as protection against yet-to-be discovered vulnerabilities, I recommend installing the SRP variant on a test copy of your Web site and fully exercising your Web site's functionality to make sure you haven't broken any pages or operations. After you perform tests and otherwise verify that your Web site doesn't use chunked encoding, deploy the SRP variant in production. If your Web site uses chunked encoding or if your clients need to upload files larger than 30MB, you must use the baseline variant.
Be aware that for protection against buffer overflows, both the baseline and SRP variants impose a few new restrictions on various sections of incoming requests. I'll review these and all the other settings in an upcoming article's discussion of urlscan.ini.
