>> IIRC the combination of IISLockDown and execute permissions
>> causes such problems. That's why I lock down IIS with my own
>> scripts and don't use IISLockDown or URLScan.
>
> I like URLScan, myself. Out of curiosity, do you use another ISAPI input
> filter instead?

No. I remove all the scripting languages except ASP and CF,
restrict a lot of verbs for the scripting languages and I make a
mapping from .log to 404.dll (because of FTP log files that many
people leave on the server), but I don't filter URLs.
Yes, such a setup makes a server a vector in TRACE-based
cross-domain exploits of certain browsers. Too bad for those that
choose to use such browsers.
Jochem

