Help and Support

How to configure URLScan to protect ASP.NET Web applications

View products that this article applies to.
Article ID:815155
Last Review:May 5, 2006
Revision:5.1
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)

Back to the top

IN THIS TASK

SUMMARY
Configure URLScan
REFERENCES
On This Page

SUMMARY

This step-by-step article describes how to configure the URLScan security tool to protect ASP.NET Web applications.

URLScan is an Internet Server API (ISAPI) filter that screens and monitors HTTP requests for Internet Information Server 4.0, Internet Information Services 5.0, and Internet Information Services 5.1 (IIS). URLScan is used to reduce the exposure of IIS to potential Internet attacks.

By default, URLScan does not make special accommodations for file name extensions that ASP.NET Web applications use. You can change the URLScan configuration to add an extra layer of security for these applications. You must disable or enable different file name extensions for application level tracing, XML Web services, and remoting.

back to the top

Back to the top

Configure URLScan

To configure URLScan to enable standard ASP.NET file name extensions that users may requested, follow these steps:
1.Install the URLScan tool. For information and instructions, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/tools/urlscan.mspx (http://www.microsoft.com/technet/security/tools/urlscan.mspx)
2.Open the Urlscan.ini file in a text editor (such as Notepad). This file is located in the \System Root\System32\Inetsrv\Urlscan\ folder.
3.In the [AllowExtensions] section, add the following file name extensions:
.ashx
.aspx
4.In the [DenyExtensions] section, add the following file name extensions:
.asax
.ascx
.config
.cs
.csproj
.dll
.licx
.pdb
.resx
.resources
.vb
.vbproj
.vsdisco
.webinfo
.xsd
.xsx
5.To turn on application level tracing, add the .axd file name extension to the [AllowExtensions] section. If you do not want to turn on application level tracing, add .axd to the [DenyExtensions] section.
6.To allow Web services, add the .asmx file name extension to the [AllowExtensions] section. If you do not want to allow Web services, add .asmx to the [DenyExtensions] section.
7.To turn on remoting, add the .rem file name extension and the .soap file name extension to the [AllowExtensions] section. If you do not want to turn on remoting, add .rem and .soap to the [DenyExtensions] section.
8.Save and then close the Urlscan.ini file. You must restart IIS for the changes to take effect.
Note These steps are designed to offer optimal protection, regardless of whether the UseAllowVerbs setting is turned on in URLScan.

back to the top

Back to the top

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315736 (http://support.microsoft.com/kb/315736/) How to secure an ASP.NET application by using Windows Security
315588 (http://support.microsoft.com/kb/315588/) How to secure an ASP.NET application using client-side certificates
818014 (http://support.microsoft.com/kb/818014/) How to secure applications that are built on the .NET Framework
back to the top

Back to the top

APPLIES TO
Microsoft ASP.NET 1.0
Microsoft Internet Information Services 5.1
Microsoft Internet Information Services 5.0
Microsoft Internet Information Server 4.0
Microsoft ASP.NET 1.1

Back to the top

Keywords: 
kbhowtomaster kbscan kbweb kbsecurity kbconfig KB815155

Back to the top

Article Translations

 

Other Support Options

  • Contact Microsoft
    Phone Numbers, Support Options and Pricing, Online Help, and more.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.