This article was previously published under Q312376
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
URLScan is an Internet Server Application Programming Interface (ISAPI) filter that screens and monitors HTTP requests for IIS. URLScan is used to reduce the exposure of IIS 4.0, IIS 5.0, and IIS 5.1 to potential Internet attacks.
URLScan protects a Web server from attacks by filtering and rejecting HTTP requests for selected IIS service applications. The default Urlscan.ini file is configured to accept only static HTML files, including graphic files, and to reject the following types of requests:
Common Gateway Interface (CGI) .exe pages
World Wide Web Distributed Authoring and Versioning (WebDAV)
FrontPage Server Extensions
If you have URLScan with version number 6.0.3574.0, you can configure URLScan to allow incoming URL requests with the null extension.
Unzip the IISlock.exe file and then unzip the Urlscan.exe file. The Urlscan folder is created.
Paste the Urlscan folder in the %Windir%\System32\Inetsrv directory. Double-click the Urlscan folder under Inetsrv, and then open Urlscan.ini in Notepad.
In the Urlscan.ini file, be sure to enable UseAllowExtensions,as follows:
[Option]UseAllowExtensions=1; if 1, use [AllowExtensions] section, else
Urlscan allows you to specify a null extension in the [AllowExtensions] section. To do this, add a period (.) in the [AllowExtensions] section, as follows:
[AllowExtensions].;; Extensions listed here are commonly used on a typical IIS server.;; Note that these entries are effective if "UseAllowExtensions=1"; is set in the [Option] section above.;.asp.htm.html.txt.jpg.jpeg.gif
On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager, or open the custom Microsoft Management Console (MMC) that contains the IIS snap-in.
In the IIS MMC, expand the server computer name. Right-click the computer name and then click Properties. Click WWW Service and then click Edit.
On the ISAPI filters tab, click Add. Type urlscan as the file name. In the Executable text box, click Browse, and then select urlscan.dll from the %Windir%\System32\Inetsrv\Urlscan directory.
At an MS-DOS command prompt, run Net stop iisadmin, and then run Net start W3SVC to restart IIS Web services. Verify that Urlscan.dll is running without problems, and then move the Urlscan.dll ISAPI filter to the top position in the filter list.