What does it do? - It filters requests sent to an IIS server so that
potential exploits never make it to the server. For example, the Code Red
"virus" worked by requesting a file with a .ida extension from your IIS
server that had a very long string of characters (and then some virus code)
that would overrun a buffer and run the virus instead of processing the
request for the .IDA file. This filter will block many of the known
exploits (that there are already patches for) as well as many new
yet-to-be-discovered exploits.
What does this have to do with Exchange? -- If you are using the Outlook
Web Access feature of Exchange, then you are running IIS server and you
would need to ensure that this server was not vulnerable to exploits. This
filter is a very good way to help protect an IIS server.
Here is an example of the Code Red attempts it has blocked since I installed
it yesterday:
[Thu, Sep 13 2001 - 17:30:42] Client at 208.178.142.153: URL contains
extension '.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Thu, Sep 13 2001 - 20:10:20] Client at 208.37.54.86: URL contains extension
'.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 01:35:37] Client at 64.171.170.85: URL contains
extension '.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 03:24:54] Client at 66.44.41.4: URL contains extension
'.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 04:47:50] Client at 208.252.69.163: URL contains
extension '.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 08:38:38] Client at 208.141.179.18: URL contains
extension '.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 12:26:49] Client at 208.10.231.25: URL contains
extension '.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 12:46:12] Client at 208.36.17.16: URL contains extension
'.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 14:15:43] Client at 208.61.120.182: URL contains
extension '.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
[Fri, Sep 14 2001 - 14:36:59] Client at 208.212.78.224: URL contains
extension '.ida', which is disallowed. Request will be rejected. Raw
URL='/default.ida'
-----Original Message-----
From: Bare, Ronald A. [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 14, 2001 11:43 AM
To: Exchange Discussions
Subject: RE: New MS tool "URLSCAN" filters bad URL requests from your IIS
(OWA ) server
I don't understand. What exactly is this utility supposed to do and how does
it relate to Exchange? Thanks.
-----Original Message-----
From: Alverson, Thomas M. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 12:42 PM
To: Exchange Discussions
Subject: New MS tool "URLSCAN" filters bad URL requests from your IIS (OWA )
server
Importance: High
Microsoft just released a new IIS utility called URLSCAN which can block
suspicious URLs from your IIS server. You can get it from:
http://www.microsoft.com/downloads/release.asp?ReleaseID=32571
I just installed it on my OWA server (NT4 sp6a, EX5.5 sp4) and it seems to
work fine. It is configured by an INI file which tells it what types of URL
requests to block. Here is the log of it starting up and blocking one
request:
[Thu, Sep 13 2001 - 13:15:10] ---------- UrlScan.dll Initializing ----------
[Thu, Sep 13 2001 - 13:15:10] URLs will be normalized before analysis.
[Thu, Sep 13 2001 - 13:15:10] URL normalization will be verified.
[Thu, Sep 13 2001 - 13:15:10] URLs may contain OEM, international and UTF-8 characters.
[Thu, Sep 13 2001 - 13:15:10] URLs must not contain any dot except for the file extension.
[Thu, Sep 13 2001 - 13:15:10] Only the following verbs will be allowed (case sensitive):
[Thu, Sep 13 2001 - 13:15:10] 'GET'
[Thu, Sep 13 2001 - 13:15:10] 'HEAD'
[Thu, Sep 13 2001 - 13:15:10] 'POST'
[Thu, Sep 13 2001 - 13:15:10] Requests for following extensions will be
rejected:
[Thu, Sep 13 2001 - 13:15:10] '.exe'
[Thu, Sep 13 2001 - 13:15:10] '.bat'
[Thu, Sep 13 2001 - 13:15:10] '.cmd'
[Thu, Sep 13 2001 - 13:15:10] '.com'
[Thu, Sep 13 2001 - 13:15:10] '.htw'
[Thu, Sep 13 2001 - 13:15:10] '.ida'
[Thu, Sep 13 2001 - 13:15:10] '.idq'
[Thu, Sep 13 2001 - 13:15:10] '.htr'
[Thu, Sep 13 2001 - 13:15:10] '.idc'
[Thu, Sep 13 2001 - 13:15:10] '.shtm'
[Thu, Sep 13 2001 - 13:15:10] '.shtml'
[Thu, Sep 13 2001 - 13:15:10] '.stm'
[Thu, Sep 13 2001 - 13:15:10] '.printer'
[Thu, Sep 13 2001 - 13:15:10] '.ini'
[Thu, Sep 13 2001 - 13:15:10] '.log'
[Thu, Sep 13 2001 - 13:15:10] '.pol'
[Thu, Sep 13 2001 - 13:15:10] '.dat'
[Thu, Sep 13 2001 - 13:15:10] Requests containing the following headers will
be rejected:
[Thu, Sep 13 2001 - 13:15:10] 'translate:'
[Thu, Sep 13 2001 - 13:15:10] 'if:'
[Thu, Sep 13 2001 - 13:15:10] 'lock-token:'
[Thu, Sep 13 2001 - 13:15:10] Requests containing the following character
sequences will be rejected:
[Thu, Sep 13 2001 - 13:15:10] '..'
[Thu, Sep 13 2001 - 13:15:10] './'
[Thu, Sep 13 2001 - 13:15:10] '\'
[Thu, Sep 13 2001 - 13:15:10] ':'
[Thu, Sep 13 2001 - 13:15:10] '%'
[Thu, Sep 13 2001 - 13:15:10] '&'
[Thu, Sep 13 2001 - 13:37:00] Client at 192.168.1.1: Sent verb 'OPTIONS',
which is not specifically allowed. Request will be rejected.
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
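The rule set UrlScan prints at startup in the thread above, modelled as a small request filter so the Code Red block in the logs can be reproduced offline. This is an added example, not Microsoft's UrlScan code and not anything posted by the list members. The verb, extension, header and character-sequence lists are copied from the startup log; the order in which the checks run, percent-decoding as the "normalization" step, dropping the query string before analysis, the wording of the reasons, and all sample requests (a Code Red style .ida request, a double-encoded `..%255c` traversal, a `Translate:` header, a traversal to a .ini file) are assumptions constructed for illustration.

```python
"""
Toy model of the UrlScan rule set printed in the startup log above.

Added example: this is not Microsoft's UrlScan and not code from the thread.
The verb, extension, header and sequence lists are copied from the log; the
order of checks, percent-decoding used as "normalization", dropping the
query string before analysis, and every sample request below are assumptions.
"""
from urllib.parse import unquote

# "Only the following verbs will be allowed (case sensitive)"
ALLOWED_VERBS = {"GET", "HEAD", "POST"}

# "Requests for following extensions will be rejected"
DENIED_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq", ".htr", ".idc",
    ".shtm", ".shtml", ".stm", ".printer", ".ini", ".log", ".pol", ".dat",
}

# "Requests containing the following headers will be rejected"
DENIED_HEADERS = {"translate:", "if:", "lock-token:"}

# "Requests containing the following character sequences will be rejected"
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%", "&")


def normalize_url(raw_url):
    """Percent-decode the path once and verify the decoding is stable.

    Mirrors "URLs will be normalized before analysis" and "URL normalization
    will be verified": if decoding the result again changes it, the request
    was double-encoded (e.g. '..%255c' -> '..%5c' -> '..\\') and is rejected.
    The query string is dropped (assumption), matching the log's
    Raw URL='/default.ida' lines, which omit Code Red's long query.
    Returns the decoded path, or None when verification fails.
    """
    path = raw_url.split("?", 1)[0]
    once = unquote(path)
    if unquote(once) != once:
        return None
    return once


def scan_request(verb, raw_url, headers):
    """Return None if the request passes, else a rejection reason worded
    like the UrlScan log lines. `headers` maps header name -> value."""
    if verb not in ALLOWED_VERBS:
        return "Sent verb '%s', which is not specifically allowed" % verb

    for name in headers:
        if name.lower() + ":" in DENIED_HEADERS:
            return "Request contains header '%s', which is disallowed" % name

    path = normalize_url(raw_url)
    if path is None:
        return "URL normalization verification failed"

    segments = path.split("/")
    filename = segments[-1]
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext in DENIED_EXTENSIONS:
        return "URL contains extension '%s', which is disallowed" % ext

    # "URLs must not contain any dot except for the file extension"
    if any("." in s for s in segments[:-1]) or filename.count(".") > 1:
        return "URL contains a dot outside the file extension, which is disallowed"

    for seq in DENIED_SEQUENCES:
        if seq in path:
            return "URL contains sequence '%s', which is disallowed" % seq
    return None


# Constructed sample traffic (not taken from the thread's logs).
SAMPLE_REQUESTS = [
    ("GET", "/exchange/", {}),                                        # normal OWA hit
    ("GET", "/default.ida?NNNNNNNN%u9090%u6858%ucbd3", {}),           # Code Red style
    ("OPTIONS", "/", {}),                                             # like the log's last line
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", {}),  # double-encoded traversal
    ("GET", "/exchange/logon.asp", {"Translate": "f"}),               # denied header
    ("GET", "/exchange/..%2f..%2fboot.ini", {}),                      # traversal to a .ini
]


def scan_batch(requests):
    """Scan (verb, url, headers) tuples; return (accepted_urls, [(url, reason)])."""
    accepted, rejected = [], []
    for verb, url, headers in requests:
        reason = scan_request(verb, url, headers)
        if reason is None:
            accepted.append(url)
        else:
            rejected.append((url, reason))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = scan_batch(SAMPLE_REQUESTS)
    for url, reason in rejected:
        print("%s. Request will be rejected. Raw URL='%s'"
              % (reason, url.split("?", 1)[0]))
    print("accepted:", accepted)
```

Run as a script it prints one UrlScan-style rejection line per blocked sample and the single accepted OWA URL. Note that the extension check fires on `/default.ida` before the query string is ever looked at, which is why UrlScan stops Code Red whether or not the host has the .ida patch; the double-decode check is what turns a `..%255c` sequence, which a single decode would leave looking harmless, into a rejection.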