IISLockdown

Once you've run IISLockdown, how do you run it again without losing any of the previous settings? My current configuration is denying use of Outlook Web Access from the Internet where the subject line has punctuation in it, i.e. ',' '.' etc.

I want to be able to allow these without affecting any other settings. I've had a look at the C:\WINDOWS\system32\inetsrv\oblt-log.log IISLockdown configuration file, but I'm not sure 1) what to add / remove 2) whether I should be modifying the log file itself in this manner.
Asked: M_Andrews
 
Yan_west Commented:
Don't you do this via the URLScan utility that comes with the lockdown wizard? When I wanted to change something like this, I only changed the INI file and reapplied the urlscan filter...
 
Yan_west Commented:
The file is urlscan.ini
 
M_Andrews (Author) Commented:
OK, thanks for that info.

I've had a look at the urlscan.ini file and the only bit that I can see that's relevant is this section:


[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request


Would I be right in thinking that it's these (particularly use of . and .. as people definitely use this in the subject lines frequently)? If so, can I just remove them? Do I then have to do a restart on the webserver?

Thanks
 
M_Andrews (Author) Commented:
Actually, it looks like one of the main options might do it:

AllowDotInPath=0               ; if 1, allow dots that are not file extensions

I'll have to check and see. I found this ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod114.asp ) article more relevant for its general use and one of the pitfalls it mentions is the use of '.' etc.

M_Andrews (Author) Commented:
OK, I changed the AllowDotInPath to 1 and also commented out the other two likely culprits:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

I then stopped and restarted IIS, but it still fails. Take a look at the two test emails I sent myself. The first test was just with the subject named 'Test':

https://removed-domain.com/exchange/ssladmin/Inbox/Test.EML?Cmd=open

This worked fine. I then sent another email with a dot appended to the end, i.e. a subject line of 'Test.', this produced this URL, which didn't work:

https://removed-domain.com/exchange/ssladmin/Inbox/Test%202..EML?Cmd=open

Should I have done something other than just stop / start the IIS to get the new settings in urlscan.ini to apply or am I totally shooting in the dark with these settings?




 
Yan_west Commented:
I think you have to rerun urlscan setup after having changed the ini. I'll get back to you in a few min..
 
Yan_west Commented:
OK. Also, go to \winnt\system32\inetsrv\urlscan\ and run urlscan.exe; it will update the rule. Also, in this folder, check the LOGS folder and have a look at the log. It will tell you what is wrong (what is getting blocked when you try to access).
 
M_Andrews (Author) Commented:
Re-running URLScan just overwrites the settings that I'd already modified. I ended up removing the lines below from the urlscan.ini file:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

and then restarted the server and this works fine now.

Thanks for your help Yan_west, your input certainly put me on the right path.
Question has a verified solution.
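
The two urlscan.ini checks discussed in this thread, as an added example that is not part of the original posts and is not URLScan's own code: it reports which of the quoted rules would reject a given OWA path, before and after the change the asker ended up making. Assumptions: the `[options]` header, percent-decoding as a stand-in for URLScan's normalization, and "more than one dot" as the `AllowDotInPath=0` rule are a simplified model; `parse_ini`, `explain` and `RELAXED_INI` are names made up here.

```python
import re
from urllib.parse import unquote

# Constructed sample: the urlscan.ini lines quoted in the thread ([options] header assumed).
SAMPLE_INI = r"""
[options]
AllowDotInPath=0               ; if 1, allow dots that are not file extensions

[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
"""
# The thread's final state: both dot sequences removed, AllowDotInPath=1.
RELAXED_INI = "\n".join(
    l for l in SAMPLE_INI.splitlines() if not l.startswith(("..", "./"))
).replace("AllowDotInPath=0", "AllowDotInPath=1")

def parse_ini(text):
    """Return (options dict, deny-sequence list); ';' starts a comment."""
    section, options, deny = None, {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
        elif section == "denyurlsequences":
            deny.append(line)
        elif "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options, deny

def explain(url_path, ini_text):
    """List the modelled rules that would reject url_path (path only, no query string)."""
    options, deny = parse_ini(ini_text)
    path = unquote(url_path)  # simplified stand-in for URLScan's normalization
    hits = [f"DenyUrlSequences: {seq!r}" for seq in deny if seq in path]
    if options.get("allowdotinpath", "0") == "0" and path.count(".") > 1:
        hits.append("AllowDotInPath=0: more than one dot in path")
    return hits

if __name__ == "__main__":
    for p in ("/exchange/ssladmin/Inbox/Test.EML", "/exchange/ssladmin/Inbox/Test%202..EML"):
        print(p, explain(p, SAMPLE_INI), explain(p, RELAXED_INI))
```

With `RELAXED_INI` the 'Test.' message path passes, but so does every other path containing `..`, so the directory traversal check described in the quoted comment no longer applies to any request on that server.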
