Solved

IISLockdown

Posted on 2004-09-14
165 Views
Last Modified: 2010-04-14
Once you've run IISLockdown, how do you run it again without losing any of the previous settings? My current configuration is denying use of Outlook Web Access from the Internet where the subject line has punctuation in it, i.e. ',' '.' etc.

I want to be able to allow these without affecting any other settings. I've had a look at the C:\WINDOWS\system32\inetsrv\oblt-log.log IISLockdown configuration file, but I'm not sure 1) what to add / remove, 2) whether I should be modifying the log file itself in this manner.
Question by:M_Andrews
9 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12054840
Don't you do this via the URLScan utility that comes with the lockdown wizard? When I wanted to change something like this, I only changed the INI file and reapplied the urlscan filter...
 
LVL 15

Expert Comment

by:Yan_west
ID: 12054844
The file is urlscan.ini.
 
LVL 15

Expert Comment

by:Yan_west
ID: 12054850
 

Author Comment

by:M_Andrews
ID: 12062184
OK, thanks for that info.

I've had a look at the urlscan.ini file and the only bit that I can see that's relevant is this section:


[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request


Would I be right in thinking that it's these (particularly the use of . and .., as people definitely use these in subject lines frequently)? If so, can I just remove them? Do I then have to restart the webserver?

Thanks
 

Author Comment

by:M_Andrews
ID: 12062253
Actually, it looks like one of the main options might do it:

AllowDotInPath=0               ; if 1, allow dots that are not file extensions

I'll have to check and see. I found this ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod114.asp ) article more relevant for its general use, and one of the pitfalls it mentions is the use of '.' etc.
 

Author Comment

by:M_Andrews
ID: 12062438
OK, I changed the AllowDotInPath to 1 and also commented out the other two likely culprits:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

I then stopped and restarted IIS, but it still fails. Take a look at the two test emails I sent myself. The first test was just with the subject 'Test':

https://removed-domain.com/exchange/ssladmin/Inbox/Test.EML?Cmd=open

This worked fine. I then sent another email with a dot appended to the end, i.e. a subject line of 'Test.', this produced this URL, which didn't work:

https://removed-domain.com/exchange/ssladmin/Inbox/Test%202..EML?Cmd=open

Should I have done something other than just stop / start the IIS to get the new settings in urlscan.ini to apply or am I totally shooting in the dark with these settings?
 
LVL 15

Expert Comment

by:Yan_west
ID: 12064341
I think you have to rerun urlscan setup after having changed the ini; I'll get back to you in a few min..
 
LVL 15

Accepted Solution

by:Yan_west (earned 250 total points)
ID: 12064480
OK. Also, go to \winnt\system32\inetsrv\urlscan\ and run urlscan.exe; it will update the rule. Also, in this folder, check the LOGS folder and have a look at the log. It will tell you what is wrong (what is getting blocked when you try an access).
 

Author Comment

by:M_Andrews
ID: 12177781
Re-running URLScan just overwrites the settings that I'd already modified. I ended up removing the lines below from the urlscan.ini file:

..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name

and then restarted the server and this works fine now.

Thanks for your help Yan_west, your input certainly put me on the right path.
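The filter behaviour traced through this thread, as an added example that is neither URLScan's code nor anything the posters wrote: a small Python model of the two urlscan.ini checks that mattered here, run over the thread's own test URLs. It assumes that [DenyUrlSequences] entries are matched as case-insensitive substrings of the percent-decoded URL path, that AllowDotInPath=0 means "reject a path containing more than one dot" (the ini comment's "dots that are not file extensions"), and that sequences are checked before the dot rule; the real filter's internals and check order are not given on the page. The ini excerpt is reconstructed from the lines quoted above, and URL_TRAVERSAL is a constructed URL added to show what the relaxed rules stop catching.

```python
"""Model of the two URLScan checks discussed in this thread (added example,
not URLScan's code). Simplifying assumptions: DenyUrlSequences is a
case-insensitive substring match on the decoded path, AllowDotInPath=0 rejects
paths with more than one dot, and sequences are tested before the dot rule."""
from urllib.parse import unquote, urlsplit

# Constructed urlscan.ini excerpt, taken from the lines quoted in the thread.
URLSCAN_INI = """\
[Options]
AllowDotInPath=0    ; if 1, allow dots that are not file extensions

[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
"""

# The two OWA test URLs from the thread, plus a constructed traversal URL.
URL_OK = "https://removed-domain.com/exchange/ssladmin/Inbox/Test.EML?Cmd=open"
URL_DOTS = "https://removed-domain.com/exchange/ssladmin/Inbox/Test%202..EML?Cmd=open"
URL_TRAVERSAL = "https://removed-domain.com/exchange/../other/page.htm"
URLS = {"plain": URL_OK, "dotted": URL_DOTS, "traversal": URL_TRAVERSAL}


def parse_urlscan_ini(text):
    """Return {section: [values]}; ';' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def relax(text, allow_dot_in_path=True, drop_sequences=("..", "./")):
    """Return the ini text with AllowDotInPath set to 1 and the given
    DenyUrlSequences entries removed: the edit the thread ended up making."""
    out = []
    for raw in text.splitlines():
        value = raw.split(";", 1)[0].strip()
        if value in drop_sequences:
            continue
        if allow_dot_in_path and value.startswith("AllowDotInPath="):
            raw = "AllowDotInPath=1"
        out.append(raw)
    return "\n".join(out) + "\n"


def check_url(url, ini_text):
    """Return None if the modelled filter lets the request through, otherwise
    a string naming the rule that rejects it."""
    sections = parse_urlscan_ini(ini_text)
    opts = {k.strip(): v.strip()
            for k, _, v in (e.partition("=") for e in sections.get("Options", []))}
    # Only the path is scanned here; the query string is left alone.
    path = unquote(urlsplit(url).path).lower()
    for seq in sections.get("DenyUrlSequences", []):
        if seq.lower() in path:
            return f"DenyUrlSequences: {seq}"
    if opts.get("AllowDotInPath", "0") == "0" and path.count(".") > 1:
        return "AllowDotInPath=0: more than one dot in path"
    return None


def evaluate(ini_text):
    """Run every thread URL through the filter model for one ini text."""
    return {name: check_url(url, ini_text) for name, url in URLS.items()}


if __name__ == "__main__":
    for label, ini in (("original", URLSCAN_INI), ("relaxed", relax(URLSCAN_INI))):
        for name, verdict in evaluate(ini).items():
            print(f"{label:8} {name:9} -> {verdict or 'allowed'}")
```

Under the original ini, `Test%202..EML` is rejected by the `..` entry, and switching AllowDotInPath to 1 on its own changes nothing, which matches the poster's first attempt. Removing `..` and `./` lets the dotted OWA URL through, but the model also shows the cost: a path containing `../` is no longer stopped by the filter (note that the `./` entry catches `../` too, so dropping only `..` would not have been enough), leaving IIS's own path canonicalisation as the remaining control. The URLScan log that Yan_west points to is the way to confirm which entry rejected a real request before deciding which line to remove.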