Deji,

Many thanks. The reason for thinking the risk was minimal was that I could find no technical docs explaining the reasoning behind the exclusions, and now I have enough information to formulate a management response.

I was always taught: if in doubt, ask.

Mark

-----Original Message-----
From: <[EMAIL PROTECTED]>
Date: Thu, 17 Nov 2005 18:34:03
To: <[email protected]>
Subject: RE: [ActiveDir] OT:[DenyUrlSequences] Outlook Web Access.

The risk is NOT minimal. I don't know why you think it is, but I still go through my logs every now and then and see significant Nimda-like attack attempts. This specific feature (called Allowdotinpath in pre-IIS6 URL-speak) is now handled by http.sys itself, so the only way to defeat it is for you to hack http.sys. Good luck.

In the E2K era, I used to send email to the user letting them know about this behavior and telling them that only management can override it. Then I show management that Code Red and Blue, Nimda and every imaginable disaster WILL happen to their entire infrastructure IF they listen to their users and override this. Then I show the tech people how to override it in case the management people don't know what I meant by "directory traversal".

Since E2K3, I just tell everyone that it's a feature of Exchange (actually it's a feature of IIS, but let's not split hairs) and that evil things will happen IF they try to cripple it. Bad things will happen indeed. If you don't have a firewall that filters out that double-encoded garbage (like ISA does), then your Exchange server won't last. Just look at your urlscan log on a pre-IIS6 server or your firewall log and you will see what requests are hitting your server. If, after doing that, you feel comfortable with what you see, then you can start hacking around http.sys.

IF your client installed URLScan on their E2K3 box, you can tell them to remove it. You don't really need it in IIS6 since, like I said, most of the features have been rolled into http.sys when MS re-wrote it. You will know if you need it. In the meantime, tell your client that blocking "... & %" and the like is now a part of life and they should learn to love it.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 11/17/2005 2:12 PM
To: [email protected]
Subject: [ActiveDir] OT:[DenyUrlSequences] Outlook Web Access.

On a client's Exchange 2003 server, the Urlscan.ini has been configured to utilise the default DenyUrlSequences configuration, which means that any mail with the following criteria in the subject line cannot be opened whilst using OWA:

..
./
\
:
%
&

Has anyone configured their OWA to not utilise this feature and suffered any ill effects? I assume the risk is minimal, but it must be there for a reason; how real is the issue?

"Microsoft KB 325965: The URLScan tool may cause problems in Outlook Web Access"

Many thanks

Mark

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
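The check the two posts are arguing about, as an added example that is neither URLScan's code nor anything either poster wrote: a small Python emulation of the [DenyUrlSequences] pass, run over constructed request paths. It decodes each path once (the way IIS does before URLScan inspects it) and then looks for the six default sequences Mark lists, so it shows both sides of the thread at once: why an OWA 2003 message whose subject contains ":" or "&" cannot be opened (the subject ends up in the item URL, which is the behaviour KB 325965 describes; the exact /exchange/<mailbox>/<folder>/<subject>.EML shape is an assumption here), and why the same rules catch the double-encoded "..%255c.." traversal that the Nimda-era worms sent. The mailbox and folder names, the sample subjects and the probe paths are all constructed for the example; the reasons attached to each sequence paraphrase the comments in the stock urlscan.ini.

```python
from urllib.parse import quote, unquote

# The [DenyUrlSequences] entries the thread lists (URLScan's defaults),
# each with the reason the stock urlscan.ini gives for denying it.
DEFAULT_DENY_URL_SEQUENCES = {
    "..": "directory traversal",
    "./": "trailing dot on a directory name",
    "\\": "backslash in URL",
    ":": "alternate data stream access",
    "%": "escape sequence surviving normalization (double encoding)",
    "&": "multiple CGI processes on a single request",
}


def normalize(raw_path):
    """Decode %xx escapes exactly once, as the IIS parser does before
    URLScan sees the path.  A '%' that survives this single decode means
    the client encoded the request twice (the Nimda '..%255c..' trick)."""
    return unquote(raw_path, errors="replace")


def deny_url_sequences(raw_path, sequences=DEFAULT_DENY_URL_SEQUENCES):
    """Return the (sequence, reason) pairs that would make URLScan reject
    the request; an empty list means the path passes this section."""
    path = normalize(raw_path)
    return [(seq, why) for seq, why in sequences.items() if seq in path]


def owa_item_url(mailbox, folder, subject):
    """URL under which OWA 2003 opens a message: the subject becomes the
    item's file name (assumed shape, per the KB 325965 behaviour; the
    client percent-encodes it)."""
    return "/exchange/%s/%s/%s.EML" % (mailbox, folder, quote(subject))


def subject_opens_in_owa(subject, mailbox="mark", folder="Inbox"):
    """True if a message with this subject can be opened through URLScan."""
    return not deny_url_sequences(owa_item_url(mailbox, folder, subject))


# Constructed sample request paths: three OWA message opens and three
# worm-style traversal probes of the kind Deji says he still sees in logs.
SAMPLES = {
    "owa plain":      owa_item_url("mark", "Inbox", "Weekly status"),
    "owa with colon": owa_item_url("mark", "Inbox", "Re: Q3 budget & forecast"),
    "owa with pct":   owa_item_url("mark", "Inbox", "100% complete"),
    "double decode":  "/scripts/..%255c../winnt/system32/cmd.exe",   # MS01-026 style
    "overlong utf8":  "/scripts/..%c1%1c../winnt/system32/cmd.exe",  # MS00-078 style
    "encoded bslash": "/scripts/..%5c../winnt/system32/cmd.exe",
}


def report(samples=SAMPLES):
    """Map each sample name to the sorted list of sequences that deny it."""
    return {name: sorted(s for s, _ in deny_url_sequences(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, path in SAMPLES.items():
        hits = deny_url_sequences(path)
        verdict = "DENIED " + ", ".join(repr(s) for s, _ in hits) if hits else "allowed"
        print("%-15s %-50s %s" % (name, path, verdict))
```

Two things the output makes visible that the thread only states. First, the three worm probes and the "Re: ... & ..." subject are rejected by exactly the same rule set, which is why Deji's answer is that you cannot loosen one without the other; the "../" in each probe even trips the "./" entry as well as "..". Second, a Code Red request for /default.ida passes this section untouched: that worm is stopped by the [DenyExtensions] section of the stock urlscan.ini, not by DenyUrlSequences, so "look at your urlscan log" is the right advice for deciding what each section is actually catching before anything is relaxed.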
