Yes, URLSCAN is configurable.  And by allowing those patterns (and others) to get 
through, you are weakening your security.  And, unlike you, I cannot possibly attempt to 
force people sending us email to conform to not using "%" or "&" in a subject line or a 
period at the end of a subject -- how do you do that, by the way?

This is, once again, the eternal battle between functionality and security.  

My point is this: this information wasn't that easy to find, so why wasn't it in the release 
notes?

Here is a much better reference:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/mailexch/opsguide/e2ksec03.asp


Tom Gray, Network Engineer
All Kinds of Minds & The Center for Development and Learning
University of North Carolina at Chapel Hill
Internet:  [EMAIL PROTECTED]
AT&T Net: (919)960-8888
-----Original Message-----
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 1:01 PM
To: Exchange Discussions
Subject: RE: Another reason to be careful with OWA and URLSCAN


You know it's configurable, right?  You know there's a q-article about
that, right?

URLScan is a great tool.  It helps secure my web server.

I don't use templates for squat, except as a starting point.  They don't
replace a well-qualified administrator.  Also, I tell my users to quit
using & and % in their email subjects and filenames that they want to
access by OWA.  There are other tools, yes, but they're not FREE.

> -----Original Message-----
> From: Tom.Gray [mailto:[EMAIL PROTECTED]] 
> Posted At: Tuesday, October 01, 2002 10:40 AM
> Posted To: MSExchange Mailing List
> Conversation: OT: have you ever heard about MiraPoint
> Subject: Another reason to be careful with OWA and URLSCAN
> 
> 
> 
> URLSCAN is a great tool.  It helps secure your web server.  
> If you use the Outlook Web Access template when installing 
> URLSCAN you should be "good to go", right?
> 
> WRONG!   URLSCAN wreaks havoc with OWA.
> 
> First, remember that with OWA the SUBJECT line of a mail 
> message is the FILE NAME.  So if you are logged into OWA and 
> want to read a message with subject:
>    I want to hold your hand
> Your browser sends a URL like the following
>   
> htps:/servername/username/inbox/i%20want%20to%20hold%your%20hand.eml 
> 
> URLSCAN examines that URL to make sure it isn't evil.  Looks 
> good so far.
> 
> If the subject is:
>    I want to hold your hand.
> 
> The url would be
>   
> htps:/servername/username/inbox/i%20want%20to%20hold%your%20hand..eml 
> 
> Since there are two dots (..), URLSCAN rejects it.
> 
> And if the subject is:
>     I want to hold your hand & foot
> The URL would be
>       
> htps:/servername/username/inbox/i%20want%20to%20hold%your%20hand%20%26%20foot.eml 
> 
> Since there is an "&" (hex 26), URLSCAN rejects it.
> 
> 
> Now how common is a period at the end of a subject in email?  
> How common is the perfectly RFC822 legal "&" in the subject 
> of a message?
> 
> There are truly good reasons to reject those chars/patterns 
> as URLs, but they are allowed as file names.  So do you a) 
> lower the security of your webserver by disabling those 
> features of URLSCAN?
> b) convince everyone to not end their subjects with a period 
> or use the & symbol?
> 
> Hmmmmm, what were the OWA guys thinking (or smoking?) when 
> they set up the URLs to be based on subject lines???????
> 
> 
> 
> Tom Gray, Network Engineer
> All Kinds of Minds & The Center for Development and Learning 
> University of North Carolina at Chapel Hill
> Internet:  [EMAIL PROTECTED]
> AT&T Net: (919)960-8888
> 
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 

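A small model of the check described in the quoted post, added here as an illustration and not taken from the list post or from URLScan itself: it builds an OWA-style item path from a subject line and applies a DenyUrlSequences list the way urlscan.ini would, so an administrator can count how many real subjects in a mailbox would be rejected before deciding whether to relax the list. The deny list, the lowercase path layout and the check against both raw and decoded forms are assumptions based on the thread's examples.

```python
"""Model of URLScan's DenyUrlSequences check applied to OWA item URLs.

Constructed example: DENY_URL_SEQUENCES below is an assumption standing in
for the [DenyUrlSequences] section of urlscan.ini; substitute your own list.
"""
from urllib.parse import quote, unquote

# Assumed deny list. The stock urlscan.ini also lists "%", which the OWA
# template has to drop because OWA subjects are percent-encoded.
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "&"]


def owa_item_path(mailbox: str, subject: str) -> str:
    """Build the OWA-style item path: the subject becomes the file name."""
    return f"/{mailbox}/inbox/{quote(subject.lower())}.eml"


def urlscan_verdict(path: str, deny=DENY_URL_SEQUENCES):
    """Return the first denied sequence found in the path, or None if it passes.

    Assumption: the sequences are matched against both the raw URL (which
    catches "..") and its percent-decoded form (which catches "%26" as "&").
    """
    for form in (path, unquote(path)):
        for seq in deny:
            if seq in form:
                return seq
    return None


def audit_subjects(mailbox: str, subjects, deny=DENY_URL_SEQUENCES) -> dict:
    """Map each subject to the sequence URLScan would reject it for (or None)."""
    return {s: urlscan_verdict(owa_item_path(mailbox, s), deny) for s in subjects}


if __name__ == "__main__":
    # Constructed sample subjects, including the three cases from the thread.
    sample = ["I want to hold your hand",
              "I want to hold your hand.",
              "I want to hold your hand & foot",
              "Budget figures for October"]
    results = audit_subjects("username", sample)
    for subject, reason in results.items():
        status = f"BLOCKED ({reason})" if reason else "ok"
        print(f"{status:14} {owa_item_path('username', subject)}")
    blocked = sum(1 for r in results.values() if r)
    print(f"{blocked} of {len(sample)} subjects would be rejected by URLScan")
```

Feed it the subject lines exported from a real mailbox store and the final count is the number of messages users would be unable to open through OWA with the current deny list.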
_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
