DOC: URLScan AllowDotInPath Documentation Contains an Error

View products that this article applies to.

This article was previously published under Q311116

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)

For more information about IIS 7.0, visit the following Microsoft Web site:

http://www.iis.net/default.aspx?tabid=1 (http://www.iis.net/default.aspx?tabid=1)

Expand all | Collapse all

SUMMARY

The "URLScan" section of the IIS Lockdown Tool 2.0 documentation contains an explanation of the AllowDotInPath setting that is incorrect.

The AllowDotInPath documentation contains the following text, which is incorrect:

AllowDotInPath: Allowed values are 0 or 1. Default is 0. If set to 1, UrlScan rejects any requests containing multiple instances of the dot (.) character. If set to 0, UrlScan does not perform this test.

The documentation should read:

AllowDotInPath: Allowed values are 0 or 1. Default is 0. If set to 0, UrlScan rejects any requests containing multiple instances of the dot (.) character. If set to 1, UrlScan does not perform this test.

MORE INFORMATION

Version 1.0 of the URLScan ISAPI filter contains a problem that causes FrontPage Server Extension requests to be rejected. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

307976 (http://support.microsoft.com/kb/307976/EN-US/ ) FP: Error When Using FrontPage With URLScan

Note that the resolution contained in this Knowledge Base article only applies to version 1.0 of the URLScan ISAPI filter and is not required in the latest version.