  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 179

IISLockdown

Once you've run IISLockdown, how do you run it again without losing any of the previous settings? My current configuration is denying use of Outlook Web Access from the Internet where the subject line has punctuation in it, i.e. ',' '.' etc.

I want to be able to allow these without affecting any other settings. I've had a look at the C:\WINDOWS\system32\inetsrv\oblt-log.log IISLockdown configuration file, but I'm not sure 1) what to add / remove, 2) whether I should be modifying the log file itself in this manner.
Asked by: M_Andrews
1 Solution
Yan_westCommented:
Don't you do this via the URLScan utility that comes with the lockdown wizard? When I wanted to change something like this, I only changed the INI file and reapplied the urlscan filter...
Yan_westCommented:
the file is urlscan.ini
M_AndrewsAuthor Commented:
OK, thanks for that info.

I've had a look at the urlscan.ini file and the only bit that I can see that's relevant is this section:

[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request

Would I be right in thinking that it's these (particularly the use of . and .., as people definitely use these in subject lines frequently)? If so, can I just remove them? Do I then have to restart the web server?

Thanks
M_AndrewsAuthor Commented:
Actually, it looks like one of the main options might do it:

AllowDotInPath=0               ; if 1, allow dots that are not file extensions

I'll have to check and see. I found this ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod114.asp ) article more relevant for its general use, and one of the pitfalls it mentions is the use of '.' etc.
M_AndrewsAuthor Commented:
OK, I changed the AllowDotInPath to 1 and also commented out the other two likely culprits:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

I then stopped and restarted IIS, but it still fails. Take a look at the two test emails I sent myself. The first test was just with the subject 'Test':

https://removed-domain.com/exchange/ssladmin/Inbox/Test.EML?Cmd=open

This worked fine. I then sent another email with a dot appended to the end, i.e. a subject line of 'Test.'; this produced the following URL, which didn't work:

https://removed-domain.com/exchange/ssladmin/Inbox/Test%202..EML?Cmd=open

Should I have done something other than just stop / start the IIS to get the new settings in urlscan.ini to apply or am I totally shooting in the dark with these settings?
Yan_westCommented:
I think you have to rerun urlscan setup after having changed the ini. I'll get back to you in a few min..
Yan_westCommented:
OK.. Also, go to \winnt\system32\inetsrv\urlscan\ and run urlscan.exe; it will update the rule. Also, in this folder, check the LOGS folder and have a look at the log. It will tell you what is wrong (what is getting blocked when you try an access).
M_AndrewsAuthor Commented:
Re-running URLScan just overwrites the settings that I'd already modified. I ended up removing the lines below from the urlscan.ini file:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

and then restarted the server and this works fine now.

Thanks for your help Yan_west, your input certainly put me on the right path.
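As an added example, not code from the thread or from URLScan itself, here is a small Python model of the two urlscan.ini controls discussed above, DenyUrlSequences and AllowDotInPath, run against the two test URLs from the thread. It assumes URLScan percent-decodes the path before matching, scans only the path (not the query string), and that AllowDotInPath=0 rejects any path with more than one dot.

```python
"""Simplified reconstruction of URLScan's DenyUrlSequences and AllowDotInPath
checks (added example; not URLScan's own code)."""
from urllib.parse import urlsplit, unquote

# [DenyUrlSequences] as quoted from the default urlscan.ini in the thread
DEFAULT_CFG = {
    "DenyUrlSequences": ["..", "./", "\\", ":", "%", "&"],
    "AllowDotInPath": 0,
}
# The configuration the thread ended with: '..' and './' removed and
# AllowDotInPath set to 1
RELAXED_CFG = {
    "DenyUrlSequences": ["\\", ":", "%", "&"],
    "AllowDotInPath": 1,
}

# Constructed copies of the two test URLs from the thread
URL_PLAIN = "https://removed-domain.com/exchange/ssladmin/Inbox/Test.EML?Cmd=open"
URL_DOT = "https://removed-domain.com/exchange/ssladmin/Inbox/Test%202..EML?Cmd=open"


def urlscan_verdict(url, cfg):
    """Return the reason URLScan would reject the request, or None if allowed."""
    # Assumption: the path is percent-decoded (normalised) before scanning,
    # so '%' can only match a double-encoded escape that survives decoding.
    path = unquote(urlsplit(url).path)
    for seq in cfg["DenyUrlSequences"]:
        if seq in path:
            return f"DenyUrlSequences contains {seq!r}"
    # Assumption: AllowDotInPath=0 tolerates a single dot (the file extension)
    # and rejects any path with more than one dot.
    if not cfg["AllowDotInPath"] and path.count(".") > 1:
        return "AllowDotInPath=0 and path has multiple dots"
    return None


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("relaxed", RELAXED_CFG)):
        for url in (URL_PLAIN, URL_DOT):
            verdict = urlscan_verdict(url, cfg) or "allowed"
            print(f"[{name}] {urlsplit(url).path}: {verdict}")
```

Note that with '..' gone from DenyUrlSequences, a path containing '..' is no longer rejected at the URLScan layer at all, so IIS's own path handling is the only remaining check for it.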
