One of the best ways to keep potentially malicious Internet traffic from attacking your Internet Information Services (IIS) Web server is to keep it from getting to the Web server at all. That appears to be the approach Microsoft is taking with the release of its latest free tool aimed at helping beleaguered IIS administrators secure their servers.
The URLScan Security Tool allows administrators to screen and filter all incoming requests to an IIS 4.0, 5.0, or 5.1 Web server. The filters are based upon rules that the administrator configures. Using this tool allows much greater control over what requests an IIS Web server responds to, so the hope is that it will reduce vulnerability to certain types of known attacks and methods used by viruses, worms, and hackers. Let’s take a look.
Installing and using URLScan
To install URLScan, download the tool and run the executable. You will be prompted to stop and restart the IIS services prior to the completion of the installation. The program is automatically installed to the \winnt\system32\inetsrv\urlscan directory (Figure A).
After installation, the URLScan tool runs automatically in the background as long as IIS is running. To confirm that you have installed it properly, look for the Urlscan.log file in \winnt\system32\inetsrv\urlscan, as shown in Figure B. The tool automatically creates this log file, which contains a report of the options that are configured each time you start the server.
The brain of this tool is the Urlscan.ini file (Figure C), also located in the \winnt\system32\inetsrv\urlscan directory.
Author’s note
Any changes you make to the Urlscan.ini file will require you to stop and start the IIS Services.
This file contains all of the options for filtering IIS traffic. The Urlscan.ini file is broken into the following seven sections:
- Options
- AllowVerbs
- DenyVerbs
- DenyHeaders
- AllowExtensions
- DenyExtensions
- DenyURLSequences
The Options section of this file essentially allows you to turn on or off the other sections and set some of the basic functionality of the tool. For example, in the Options section, if you set UseAllowVerbs to 1, URLScan will read the settings in the AllowVerbs section. If you set it to null or 0, it will read the DenyVerbs section. To access a detailed description of each option, browse to the urlscan directory and read the Urlscan.txt file.
Consider the following scenario. We are configuring an IIS Server that uses the Internet Printing Protocol (IPP). Currently, it could allow outside users to access shared printers from the Internet, since this server has a public IP address. Instead, we want to use the URLScan tool to block this functionality for Internet users. To accomplish this, we would:
- Open the Urlscan.ini file.
- Browse to the section in the .ini file that says “.printer; Maps to Msw3prt.dll, for Internet Printing Services” and remove the line.
- Restart IIS Web Services.
The above line will then no longer appear in the urlscan log.
This is just one example of how URLScan will allow you to block potentially dangerous Internet traffic before it can damage your IIS server.
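The following check is an added example, not part of the original article or of Microsoft's tool. It reads a Urlscan.ini and reports whether an extension such as .printer is rejected, before and after the line is removed. The two sample files are constructed, and UseAllowExtensions is not named in the article: the code assumes it selects between AllowExtensions and DenyExtensions the same way UseAllowVerbs does for the verb sections.

```python
# Constructed sample files (not real server configs). UseAllowExtensions is assumed
# to select the extension list the way UseAllowVerbs selects the verb list.
ALLOW_MODE = """[Options]
UseAllowExtensions=1
[AllowExtensions]
.htm
.printer ; Maps to Msw3prt.dll, for Internet Printing Services
"""
DENY_MODE = """[Options]
UseAllowExtensions=0
[DenyExtensions]
.exe
.printer ; Maps to Msw3prt.dll, for Internet Printing Services
"""

def parse_urlscan_ini(text):
    """Return {section_name_lowercase: [entries]} with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def extension_blocked(text, ext):
    """Return (blocked, section_consulted) for a file extension such as '.printer'."""
    sections = parse_urlscan_ini(text)
    opts = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        opts[key.strip().lower()] = value.strip()
    if opts.get("useallowextensions", "0") == "1":
        allowed = {e.lower() for e in sections.get("allowextensions", [])}
        return ext.lower() not in allowed, "AllowExtensions"
    denied = {e.lower() for e in sections.get("denyextensions", [])}
    return ext.lower() in denied, "DenyExtensions"

def remove_entry(text, ext):
    """Simulate the edit from the steps above: delete the line that lists ext."""
    keep = [l for l in text.splitlines() if l.split(";", 1)[0].strip().lower() != ext.lower()]
    return "\n".join(keep)

if __name__ == "__main__":
    for name, ini in (("allow-list mode", ALLOW_MODE), ("deny-list mode", DENY_MODE)):
        print(name, "before:", extension_blocked(ini, ".printer"),
              "after removal:", extension_blocked(remove_entry(ini, ".printer"), ".printer"))
```

Run the check against a copy of the edited file before restarting IIS, since the effect of removing a line depends on which list the Options section selects.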
Bottom line
Based on the needs of your company, each Web server could have a completely different configuration. It is impossible to go over every scenario based upon individual needs. However, this tool, in addition to the other Microsoft IIS tools, allows you to take even more control of your Microsoft Web servers to enhance and tighten your security.
Keep in mind that you need to have a solid understanding of Web server administration and the HTTP protocol before configuring URLScan. Otherwise, you could easily impede the normal functioning of IIS and block out users who legitimately need to access various IIS features.
You can find out more information about the URLScan tool by reading Microsoft’s Knowledge Base Article Q307608.