How To Configure URLScan to Allow Requests with a Null Extension in IIS
This article was previously published under Q312376
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
This step-by-step article describes how to configure URLScan to allow null extension requests with Internet Information Services (IIS).
back to the top
IntroductionURLScan is an Internet Server Application Programming Interface (ISAPI) filter that screens and monitors HTTP requests for IIS. URLScan is used to reduce the exposure of IIS 4.0, IIS 5.0, and IIS 5.1 to potential Internet attacks.
URLScan protects a Web server from attacks by filtering and rejecting HTTP requests for selected IIS service applications. The default Urlscan.ini file is configured to accept only static HTML files, including graphic files, and to reject the following types of requests:
- Common Gateway Interface (CGI) .exe pages
- World Wide Web Distributed Authoring and Versioning (WebDAV)
- FrontPage Server Extensions
- Index Server
- Internet printing
- Server-side includes
back to the top
Modify the Default URLScan Configuration FileTo configure URLScan when it is installed on the IIS Web server, follow these steps:
- Download the IIS Lockdown tool from the following Microsoft Web site and then save it to a local directory:
- Unzip the IISlock.exe file and then unzip the Urlscan.exe file. The Urlscan folder is created.
- Paste the Urlscan folder in the %Windir%\System32\Inetsrv directory. Double-click the Urlscan folder under Inetsrv, and then open Urlscan.ini in Notepad.
- In the Urlscan.ini file, be sure to enable UseAllowExtensions,as follows:
[Option]UseAllowExtensions=1; if 1, use [AllowExtensions] section, else
- Urlscan allows you to specify a null extension in the [AllowExtensions] section. To do this, add a period (.) in the [AllowExtensions] section, as follows:
[AllowExtensions].;; Extensions listed here are commonly used on a typical IIS server.;; Note that these entries are effective if "UseAllowExtensions=1"; is set in the [Option] section above.;.asp.htm.html.txt.jpg.jpeg.gif
- On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager, or open the custom Microsoft Management Console (MMC) that contains the IIS snap-in.
- In the IIS MMC, expand the server computer name. Right-click the computer name and then click Properties. Click WWW Service and then click Edit.
- On the ISAPI filters tab, click Add. Type urlscan as the file name. In the Executable text box, click Browse, and then select urlscan.dll from the %Windir%\System32\Inetsrv\Urlscan directory.
- At an MS-DOS command prompt, run Net stop iisadmin, and then run Net start W3SVC to restart IIS Web services. Verify that Urlscan.dll is running without problems, and then move the Urlscan.dll ISAPI filter to the top position in the filter list.
For additional information about how to install and configure the URLSCAN utility, click the article number below to view the article in the Microsoft Knowledge Base:
307608 INFO: Availability of URLScan Security Toolback to the top
Article ID: 312376 - Last Review: 02/27/2014 21:10:45 - Revision: 5.1
Microsoft Internet Information Server 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services version 5.1
- kbnosurvey kbarchive kbhowtomaster KB312376