Solved

IISLockdown

Posted on 2004-09-14
9
164 Views
Last Modified: 2010-04-14
Once you've run IISLockdown, how do you run it again, without losing any of the previous settings. My current configuration is denying use of Outlook Web Access from the Internet where the subject line has punctuation in it, i.e. ',' '.' etc.

I want to be able to allow these without affecting any other settings. I've had a look at the C:\WINDOWS\system32\inetsrv\oblt-log.log IISLockdown configuration file, but not sure 1) what to add / remove 2) whether I should be modifying the log file itself in this manner.
0
Question by:M_Andrews
9 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12054840
Don't you do this via the URLScan utility that comes with the lockdown wizard?.. When I wanted to change something like this, I only changed the INI file and reapply the urlscan filter...
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12054844
the file is urlscan.ini
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12054850
0
 

Author Comment

by:M_Andrews
ID: 12062184
OK, thanks for that info.

I've had a look at the urlscan.ini file and the only bit that I can see that's relevant is this section:


[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request


Would I be right in thinking that it's these (particularly use of . and .. as people definitely use this in the subject lines frequently). If so, can I just remove them? Do I then have to do a restart on the webserver?

Thanks
0
 

Author Comment

by:M_Andrews
ID: 12062253
Actually, it looks like one of the main options might do it:

AllowDotInPath=0               ; if 1, allow dots that are not file extensions

I'll have to check and see. I found this ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod114.asp ) article more relevant for its general use and one of the pitfalls it mentions is the use of '.' etc.
0
 

Author Comment

by:M_Andrews
ID: 12062438
OK, I changed the AllowDotInPath to 1 and also commented out the other two likely culprits:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

I then stopped and restarted IIS, but it still fails. Take a look at the two test emails I sent myself. The first test was just with the subject named 'Test':

https://removed-domain.com/exchange/ssladmin/Inbox/Test.EML?Cmd=open

This worked fine. I then sent another email with a dot appended to the end, i.e. a subject line of 'Test.', this produced this URL, which didn't work:

https://removed-domain.com/exchange/ssladmin/Inbox/Test%202..EML?Cmd=open

Should I have done something other than just stop / start the IIS to get the new settings in urlscan.ini to apply or am I totally shooting in the dark with these settings?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12064341
I think you have to rerun urlscan setup after having changed the ini, I'll get back to you in a few min..
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 250 total points
ID: 12064480
Ok..  also, go to \winnt\system32\inetsrv\urlscan\ and run urlscan.exe, it will update the rule.. also, in this folder, check the LOGS folder, and have a look at the log. It will tell you what is wrong... (what is getting blocked when you try an access)
0
 

Author Comment

by:M_Andrews
ID: 12177781
Re-running URL scan just overwrites the settings that I'd already modified. I ended up removing the lines below from the urlscan.ini file:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

and then restarted the server and this works fine now.

Thanks for your help Yan_west, your input certainly put me on the right path.
0
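The thread never spells out why the second test URL is rejected while the first passes, or why changing AllowDotInPath alone was not enough. The script below is an added example (not URLScan's own code and not posted by anyone in the thread) that models the two rules discussed, [DenyUrlSequences] and AllowDotInPath, and reports which one rejects a given URL, much like the entry in URLScan's LOGS folder that the accepted answer points to. Its assumptions are labelled in the docstrings: the path is percent-decoded before scanning, deny sequences are matched as literal substrings, and AllowDotInPath=0 is modelled as "only one dot, as the extension separator of the last path segment"; the urlscan.ini fragments are constructed from the lines quoted above and the URLs are the two from the thread.

```python
"""Simplified model of how URLScan's urlscan.ini rules decide whether a
request URL is rejected.  Added example for this thread; it is not
URLScan's own code and does not reproduce its exact matching order."""
from urllib.parse import unquote, urlsplit

# Constructed urlscan.ini fragment holding the settings the thread quotes.
URLSCAN_INI_BEFORE = r"""
[options]
AllowDotInPath=0               ; if 1, allow dots that are not file extensions

[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
"""

# The same file after the change the thread ends with: AllowDotInPath=1
# and the '..' and './' sequences removed.
URLSCAN_INI_AFTER = r"""
[options]
AllowDotInPath=1

[DenyUrlSequences]
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
"""

# The two OWA URLs from the thread (the domain was already anonymised there).
URL_PLAIN = "https://removed-domain.com/exchange/ssladmin/Inbox/Test.EML?Cmd=open"
URL_DOTTED = "https://removed-domain.com/exchange/ssladmin/Inbox/Test%202..EML?Cmd=open"


def parse_urlscan_ini(text):
    """Return {section_name_lowercase: [entry, ...]} with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop the inline comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def urlscan_verdict(ini_text, url):
    """Return ('allowed', '') or ('rejected', reason) for one request URL.

    Assumptions of this model: the path is percent-decoded before scanning
    (URLScan's NormalizeUrlBeforeScan=1 default), DenyUrlSequences entries
    are literal substrings of that path, and AllowDotInPath=0 means a dot
    may appear only once, as the extension separator of the last segment.
    """
    cfg = parse_urlscan_ini(ini_text)
    options = {}
    for entry in cfg.get("options", []):
        if "=" in entry:
            key, value = entry.split("=", 1)
            options[key.strip().lower()] = value.strip()
    path = unquote(urlsplit(url).path)  # query string is not scanned here

    for seq in cfg.get("denyurlsequences", []):
        if seq in path:
            return "rejected", f"DenyUrlSequences entry {seq!r}"

    if options.get("allowdotinpath", "0") == "0":
        *dirs, filename = path.split("/")
        if any("." in d for d in dirs) or filename.count(".") > 1:
            return "rejected", "AllowDotInPath=0"

    return "allowed", ""


if __name__ == "__main__":
    for label, ini in (("before", URLSCAN_INI_BEFORE), ("after", URLSCAN_INI_AFTER)):
        for url in (URL_PLAIN, URL_DOTTED):
            print(label, url.rsplit("/", 1)[1], urlscan_verdict(ini, url))
```

Running it shows the chain of events in the thread: 'Test 2..EML' is first caught by the '..' entry in [DenyUrlSequences], so flipping AllowDotInPath on its own changes nothing; once '..' is removed, AllowDotInPath=0 still rejects the filename because it contains two dots, which is why both changes were needed. Note that the '..' sequence check applies to every request the server receives, not only to OWA, so removing it widens what URLScan lets through to IIS; the log in the urlscan\LOGS folder is the place to confirm which rule fired before loosening it.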
