Article ID: 944836 - Last Review: November 21, 2007 - Revision: 1.2

Information about the UrlScan 2.5 features that are included in IIS 7.0

View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

On This Page

Expand all | Collapse all

INTRODUCTION

UrlScan 2.5 is an Internet Server API (ISAPI) filter that was developed to help administrators secure Web sites that are hosted on Internet Information Services (IIS) 5.0. Because improving security was a top priority, the features in UrlScan 2.5 were built into IIS 6.0. Improved security was also a priority in IIS 7.0. Therefore, the features of UrlScan 2.5 are also included in IIS 7.0.

This article contains descriptions of the UrlScan 2.5 features that are implemented in IIS 7.0. This article also contains a table that maps the features in UrlScan 2.5 to the settings in the Http.sys driver and to the settings in the Request Filtering feature in IIS 7.0.
Back to the top

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Back to the top

UrlScan 2.5 features that are implemented in IIS 7.0

The following table contains the names and descriptions of the UrlScan 2.5 features that are implemented in IIS 7.0.
Collapse this tableExpand this table
UrlScan 2.5 featureDescription
DenyExtensionsThis feature was implemented in UrlScan to limit the attack surface of the server by preventing specific requests from running ISAPI or Common Gateway Interface (CGI) code on the server. UrlScan prevents such requests from running based on file name extensions.
DenyVerbsWebDAV code can be invoked on a Web server by using particular HTTP verbs. This feature was implemented in UrlScan to limit the attack surface of the server by preventing requests that would invoke WebDAV.
DenyHeadersWebDAV code can be invoked on a Web server based on the presence of particular HTTP headers. This feature was implemented in UrlScan to limit the attack surface of the server by preventing requests that would invoke WebDAV.
NormalizeUrlBeforeScanThis feature lets administrators specify whether IIS will process the raw URL that is sent by the client or whether IIS will process the canonicalized URL that is processed on the server.
VerifyNormalizationThis feature lets UrlScan detect double escape sequences.
DenyUrlSequencesThis feature was implemented in UrlScan to detect sequences that are used in URL-based attacks on a Web server.
AllowDotInPathSetting AllowDotInPath to 0 will cause UrlScan to reject any request in which the extension is ambiguous because of a dot-in-path condition.
RemoveServerHeaderThis feature lets UrlScan remove the identity of the server from or alter the identity of the server in the "Server" response header in the response to the client.
EnableLogging, PerProcessLogging, and PerDayLoggingThese settings control aspects of how UrlScan produces and names its log files.
AllowLateScanningThis feature lets administrators specify whether UrlScan examines URLs before or after other filters. There are several filters that modify URLs, and it may be desirable for UrlScan to examine the URL after it has been modified. The FrontPage Server Extensions filter is an example of such a filter.
RejectResponseUrlThis feature works with UseFastPathReject. If UseFastPathReject is set to 0, any rejected requests will be remapped to the URL that is specified by RejectResponseUrl. If the specified URL does not exist, the client will receive a typical 404 response as if the client had requested a nonexistent page. If the specified URL does exist, the server can customize the response that is sent to the client.
UseFastPathRejectThe UrlScan lockdown mechanism depends on a filter notification that occurs very early in the processing of a request. Therefore, if UrlScan rejects the request directly from this notification, the typical 404 response cannot be generated. Instead, the client receives a terse 404 response instead of the rich custom error that typically occurs. If UseFastPathReject is set to 0, UrlScan remaps the request to the URL that is specified by RejectResponseUrl.
AllowHighBitCharactersThis feature lets UrlScan detect non-ASCII characters in URLs.
MaxAllowedContentLengthThis feature lets UrlScan put limits on the size of requests that are posted to the server.
MaxUrl, MaxQueryString, and MaxHeaderThese settings let UrlScan limit the size of URLs, of query strings, and of specific headers that are sent to the server.
Back to the top

Implementation of UrlScan 2.5 features in IIS 7.0

The following table maps the features in UrlScan 2.5 to the settings in the Http.sys driver and to the settings in the Request Filtering feature in IIS 7.0.

Notes
  • If a feature is marked "Not applicable," IIS 7.0 implements the feature automatically, and no configuration is required.
  • IIS 7.0 configuration files must follow XML standards. Therefore, be careful when you use special characters in an XML file.
Collapse this tableExpand this table
UrlScan 2.5 featureHttp.sys configurationIIS 7.0 Request Filtering configuration section
DenyExtensionsNot applicable<system.webServer/security/requestFiltering/fileExtensions>
DenyVerbsNot applicable<system.webServer/security/requestFiltering/verbs>
DenyHeadersNot applicable<system.webServer/security/requestFiltering/requestLimits/headerLimits>
NormalizeUrlBeforeScanNot applicableThe Request Filtering feature in IIS 7.0 will always examine a normalized URL.
VerifyNormalizationNot applicableSet the allowDoulbeEscaping attribute of <system.webServer/security/requestFiltering >
DenyUrlSequencesNot applicable<system.webServer/security/requestFiltering/denyUrlSequences>
AllowDotInPathNot applicableThis feature is necessary in UrlScan because the filter API does not provide access to the fully parsed extension at the time that the filter needs it. The pipeline API in IIS 7.0 is more capable than the filter API, and the request filter takes advantage of the fact that the fully parsed extension is available. Therefore, the request filter always knows the exact extension and never has to guess. Therefore, this setting is unnecessary.
RemoveServerHeaderNot applicableThis is not included in the IIS 7.0 Request Filtering feature because it does not add any real security benefit.
EnableLogging, PerProcessLogging, and PerDayLoggingNot applicableThe 404 custom error set has been greatly expanded in IIS 7.0, and the full set of Request Filtering sub errors is included. The request filter uses these sub errors to integrate its logging with the w3svc logs.
AllowLateScanningNot applicableThis is not included with IIS 7.0 because it was originally included in UrlScan 2.5 to provide compatibility with specific ISAPI Filters. The Request Filtering module of IIS 7.0 does not plug in as an ISAPI filter. Therefore, this feature does not apply.
RejectResponseUrlNot applicableYou can implement similar functionality in IIS 7.0 by using custom errors.
UseFastPathRejectNot applicableThis feature is not included in IIS 7.0 because it was rarely used in UrlScan. Also, because IIS 7.0 has different performance characteristics than IIS 6.0, it is unclear whether it would ever be needed.
AllowHighBitCharacters*Set the AllowHighBitCharacters attribute of <system.webServer/security/requestFiltering >
MaxAllowedContentLengthNot applicable<system.webServer/security/requestFiltering/requestLimits>
MaxUrl, MaxQueryString, and MaxHeader**<system.webServer/security/requestFiltering/requestLimits>
<system.webServer/security/requestFiltering/requestLimits/headerLimits>
* This value can be changed by modifying the following registry subkey:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\EnableNonUTF8
** The values can be changed by modifying AllowRestrictedChars, MaxFieldLength, UrlSegmentMaxLength, and UrlSegmentMaxCount in the registry under the following registry subkeys:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\AllowRestrictedChars
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\MaxFieldLength
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\UrlSegmentMaxLength
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\UrlSegmentMaxCount
Back to the top

REFERENCES

For more information about how to configure the requestFiltering element in IIS 7.0, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/ms689460.aspx (http://msdn2.microsoft.com/en-us/library/ms689460.aspx)
For more information about the Request Filtering feature in IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net (http://www.iis.net)
For more information about special characters in XML files, click the following article number to view the article in the Microsoft Knowledge Base:
316063  (http://support.microsoft.com/kb/316063/ ) How to locate and replace special characters in an XML file with Visual C# .NET
Back to the top
APPLIES TO
  • Microsoft Internet Information Services 7.0
Back to the top
Keywords: 
kbsecurity kbtshoot kbinfo KB944836
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations