IIS 7.0/IIS6.0 - URLSCAN 3.1 and Outlook Web Access

I was working with one of the customer on Urlscan and their requirement was to install Urlscan on Windows Server 2003 64-bit to hide Server's identity. Basically in Urlscan.ini, we can configure "RemoveServerHeader=1" to server's identity from HTTP Header.

As Urlscan 2.5 has urlscan.dll in 32-bit, we weren't able to get it work on Windows 2003 64-bit and the only option was to switch IIS worker process to run in 32-bit mode (Enable32bitAppOnWin64). But they wanted to run it in 64-bit. So we downloaded latest Urlscan 3.1 64-bit and installed it on Windows Server 2003 64-bit.

Download URLSCAN 3.1 from following locations:
Download the x86 version from Microsoft Download Center here.
Download the x64 version from Microsoft Download Center here.

Once you download desired URLSCAN, you can double click .msi to to install Urlscan and here is how it looks:

image

image

image

By Default Urlscan keeps all the files in "%systemroot%\system32\inetsrv\urlscan" folder on Windows 2003/2008/Vista. We successfully installed Urlscan 3.1 64-bit on Windows Server 2003 64-bit and found that urlscan.dll ISAPI filter is loaded (shows up green arrow) in Default Web Site>ISAPI Filters Tab in IIS 6 Manager.

Note: If you install Urlscan 2.5 which is 32-bit on 64-bit machine, it copies all the file to "%systemroot%\SysWOW64\inetsrv\urlscan" folder.

Customer had Exchange 2007 installed with OWA configured. When OWA users tried to access the OWA site, they got a Blank page, little strange. So we looked at Urlscan logs, we found that the OWA URL was rejected by urlscan. The reason for rejection "AllowDotInPath" was not permitted [set to 0 (Zero)]. After changing "AllowDotInPath=1" in Urlscan.ini, all OWA users were able to successfully browse/login to OWA site.

Here is a MS KB 823175 which talks about sample Urlscan.ini template file for OWA. Anytime you configure Urlscan and if it does not work, simply look at urlscan log file and check reason for URL rejection.


Later I installed Urlscan 3.1 on my 64-bit Vista machine running IIS 7.0. You can see Urlscan 3.1 ISAPI filter gets installed in ISAPI filters lists.

 image

Without any re-configuration in Urlscan.ini file, I simply tried browsing a HTML page and here is what I got:

image 

By Default, anything which is NOT in allow section, will get rejected and normally show "404 Error" on the page.

You can check URLSCAN logs to see what is the cause of rejection. The log resides in "%system%\system32\inetsrv\urlscan\logs" folder.
Look for recent file e.g. - urlscan.121708.log.

Here is a example of rejected URL by URLSCAN 3.1.

#Software: Microsoft UrlScan 3.1
#Version: 1.0
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
2008-12-17 05:05:38 ::1 2 GET /default.aspx/SampleNamespaceOne/Welcome.html Rejected URL+contains+dot+in+path URL - -


Related Content
Common UrlScan Scenarios
Using UrlScan
UrlScan Setup
UrlScan FAQ


Check out blogs on UrlScan v3.1 by Wade
SQL Injection attack

No Comments