This article has been archived. It is offered "as is" and will no longer be updated.
For a Microsoft FrontPage 2002 version of this article, see 318290.
For a Microsoft FrontPage 2000 version of this article, see 309394.
Use this step-by-step guide to install and configure the URLScan utility for Microsoft Internet Information Services (IIS). You can download URLScan from the Microsoft Web site by using the steps in this article. URLScan is designed to help your Web server be more secure.
Download and install the IIS Lockdown Wizard
URLScan is now part of the IIS Lockdown Wizard. For more information about how to install the IIS Lockdown Wizard, click the following article number to view the article in the Microsoft Knowledge Base:
325864 How to install and use the IIS Lockdown Wizard
Modify the default URLScan configuration file
The default configuration for URLScan may interfere with Microsoft FrontPage 2003 or Microsoft SharePoint Designer 2007 functionality. To allow FrontPage or SharePoint Designer to work correctly and yet deny access to sensitive FrontPage or SharePoint Designer files, you have to make changes that this section describes. These steps are only a suggestion. For additional information about settings for URLScan, see the "References" section.
Right-click the Start menu, click Explore, and then locate the following folder (where %windir% is your Windows folder, such as C:\Windows or C:\Winnt):
Right-click the Urlscan.ini file, and then click Copy.
Right-click the folder, and then click Paste.
A copy of the file is created and named Copy of Urlscan.ini.
Double-click the Urlscan.ini file (the file opens in Notepad).
Make the following changes:
In the [options] section, set the following values:
[options] UseAllowVerbs=1 ; use the [AllowVerbs] section UseAllowExtensions=0 ; use the [DenyExtensions] section NormalizeUrlBeforeScan=1 ; canonicalize URL before processing VerifyNormalization=1 ; canonicalize URL twice, reject on change AllowHighBitCharacters=0 ; deny high bit (UTF8 or MBCS) characters AllowDotInPath=0 ; deny dots in path EnableLogging=1 ; log activity PerDayLogging=1 ; change log files daily PerProcessLogging=0 ; do not change log files by process ID RemoveServerHeader=0 ; do not remove"Server" header AlternateServerName= UseFastPathReject=0 ; use RejectResponseUrl or log the request RejectResponseUrl= AllowLateScanning=1 ; allow URLScan to be loaded low priority
In the [AllowVerbs] section, use the following values only. Do not include other values.
[AllowVerbs] GET ; allow GET (most Web requests) HEAD ; allow HEAD requests OPTIONS ; allow OPTIONS (Web Folders need this) POST ; allow POST (FPSE and HTML forms need this)
In the [DenyHeaders] section, use the following values only. Do not include other values.
[DenyHeaders] If: ; deny (used with WebDAV) Lock-Token: ; deny (used with WebDAV)
In the [DenyExtensions] section, set the following values:
[DenyExtensions] .asa ; deny active server application definition files .bat ; deny batch files .btr ; deny FrontPage/SharePoint Designer dependency files .cer ; deny x509 certificate files .cdx ; deny dynamic channel definition files .cmd ; deny batch files .cnf ; deny FrontPage/SharePoint Designer metadata files .com ; deny server command-line applications .dat ; deny data files .evt ; deny Event Viewer logs .exe ; deny server command-line applications .htr ; deny IIS legacy HTML admin tool .htw ; deny Index Server hit-highlighting .ida ; deny Index Server legacy HTML admin tool .idc ; deny IIS legacy database query files .inc ; deny include files .ini ; deny configuration files .ldb ; deny Microsoft Access Record-Locking Information files .log ; deny log files .pol ; deny policy files .printer ; deny Internet Printing Services .sav ; deny backup registry files .shtm ; deny IIS Server Side Includes .shtml ; deny IIS Server Side Includes .stm ; deny IIS Server Side Includes .tmp ; deny temporary files
In the [DenyUrlSequences] section, set the following values:
[DenyUrlSequences] .. ; deny directory traversals ./ ; deny trailing dot on a directory name \ ; deny backslashes in URL : ; deny alternate stream access % ; deny escaping after normalization & ; deny multiple CGI processes to run on a single request /fpdb/ ; deny browse access to FrontPage/SharePoint Designer database files /_private ; deny FrontPage/SharePoint Designer private files (often form results) /_vti_pvt ; deny FrontPage/SharePoint Designer Web configuration files /_vti_cnf ; deny FrontPage/SharePoint Designer metadata files /_vti_txt ; deny FrontPage/SharePoint Designer text catalogs and indices /_vti_log ; deny FrontPage/SharePoint Designer authoring log files
Because these settings do not use the [DenyVerbs] and [AllowExtensions] sections, no settings for these sections are included in this article. For additional information about these sections of the configuration file, click the following article number to view the article in the Microsoft Knowledge Base:
The default priority for the URLScan tool in IIS is high. A high priority may interfere with other Internet Server Application Programming Interface (ISAPI) filters that have to perform tasks before URLScan is called. The FrontPage Server Extensions (Fpexedll.dll) ISAPI filter is one such filter. Although the information in this section explains how to configure URLScan to load after the Fpexedll.dll ISAPI filter, you can easily adapt this procedure to configure URLScan with other ISAPI filters. For more information, see the documentation for the ISAPI filter that you are using.
Note Before you can complete the following steps, you must correctly set the "AllowLateScanning=1" setting in the Urlscan.ini file to load URLScan as a low priority filter. To do so, follow the steps in the "Modify the Default URLScan Configuration File" section of this article.
Start the Internet Services Manager. To do so, follow the steps that are appropriate to your version of IIS:
In IIS 4.0:
In Windows, click Start, point to Programs, and then click Windows NT 4.0 Option Pack.
Point to Microsoft Internet Information Server, and then click Internet Service Manager.
In IIS 5.0:
In Windows, click Start, point to Programs, and then click Administrative Tools.
Click Internet Services Manager.
In IIS 5.1:
In Windows, click Start, and then click Control Panel.
Double-click Administrative Tools.
Double-click Internet Information Services.
Right-click your server name, and then click Properties.
Select the WWW Service master properties option, and then click Edit.
Click the ISAPI Filters tab.
Click UrlScan, and then click Down to move UrlScan below Fpexedll.dll.
Click OK again.
Restart IIS to update URLScan
When IIS starts, URLScan is loaded in memory and reads the settings in the Urlscan.ini file. Therefore, you have to restart IIS so that the new configuration settings take effect. To do so, follow the steps that are appropriate to your version of IIS:
In IIS 4.0:
At a command prompt, type the following command:
NET STOP"IIS Admin Service" /Y
If you see several dependant services listed as they are stopped, write down the names so that you can restart these services later.
When you receive the following message:
The IIS Admin Service service was stopped successfully.
restart each IIS service by name. To do so, type the following commands at the command prompt, and press ENTER after each line:
NET START"World Wide Web Publishing Service" NET START"Simple Mail Transfer Protocol (SMTP)" NET START"FTP Publishing Service"
Quit the command prompt.
In IIS 5.0:
Right-click My Computer, and then click Restart IIS.
Click Restart Internet Services on Your Computer.
In IIS 5.1:
Right-click My Computer, point to All Tasks, and then click Restart IIS.
Click Restart Internet Services on Your Computer.
236166 Using NET STOP and NET START commands to force IIS services to re-read the registry
202013 Internet Information Services 5.0 command-line syntax for Iisreset.exe
The settings that are listed in the "Modify the Default URLScan Configuration" section of this article specify the "EnableLogging=1" setting in the [Options] section of the Urlscan.ini file. This setting allows URLScan to keep a running log of all URLScan activity. This log file is saved in the same folder as the Urlscan.dll file. If you experience any difficulties with FrontPage, with SharePoint Designer, or with other IIS functionality while URLScan is enabled, review the most recent entries in the log file for information about what requests are being rejected.
If you make additional changes to the Urlscan.ini file, create copies of the existing Urlscan.ini file and name the copied files Urlscan.001, Urlscan.002, and so on, so that you have a history of the changes that you have made. This practice can help prevent you from losing a good configuration when you try to implement a new security configuration.
If the changes you make to URLScan do not seem to take effect, repeat the procedure to restart the IIS services. If the changes still do not take effect, restart your Web server.
For more information about how to install and configure the URLScan tool, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Microsoft Office SharePoint Designer 2007, Microsoft Office FrontPage 2003, Microsoft FrontPage 2002 Server Extensions, Microsoft SharePoint Team Services, Microsoft Internet Information Server 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services version 5.1