WEB LISTING 1: Sample Urlscan.ini File

[options]
UseAllowVerbs=1              ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0         ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1     ; if 1, canonicalize URL before processing
VerifyNormalization=1        ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0     ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0             ; if 1, allow dots that are not file extensions
RemoveServerHeader=0         ; if 1, remove "Server" header from response
EnableLogging=1              ; if 1, log UrlScan activity
PerProcessLogging=0          ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0          ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1              ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl=           ; UrlScan will send rejected requests to the URL specified here. Default is /
UseFastPathReject=0          ; If 1, then UrlScan won't use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built-in "Server" header
AlternateServerName=

LogLongUrls=0                ; If 1, then up to 128K per request can be logged.
                             ; If 0, then only 1k is allowed.

; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (i.e., C:\some\path). If not specified, then URLScan will create
; the log in the same directory in which the URLScan.dll file is located.
LoggingDirectory=

[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST

[DenyVerbs]
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]
; Extensions listed here are commonly used on a typical IIS server.
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
; Also note that ASP scripts are denied with the below
; settings. If you want to enable ASP, remove the
; following extensions from this list:
;    .asp
;    .cer
;    .cdx
;    .asa

; Deny ASP requests.
.asp
.cer
.cdx
.asa

; Deny executables that could run on the server.
.exe
.bat
.cmd
.com

; Deny infrequently used scripts.
.htw        ; Maps to webhits.dll, part of Index Server
.ida        ; Maps to idq.dll, part of Index Server
.idq        ; Maps to idq.dll, part of Index Server
.htr        ; Maps to ism.dll, a legacy administrative tool
.idc        ; Maps to httpodbc.dll, a legacy database access tool
.shtm       ; Maps to ssinc.dll, for Server Side Includes
.shtml      ; Maps to ssinc.dll, for Server Side Includes
.stm        ; Maps to ssinc.dll, for Server Side Includes
.printer    ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files.
.ini        ; Configuration files
.log        ; Log files
.pol        ; Policy files
.dat        ; Configuration files

[DenyUrlSequences]
..          ; Don't allow directory traversals
./          ; Don't allow trailing dot on a directory name
\           ; Don't allow backslashes in URL
:           ; Don't allow alternate stream access
%           ; Don't allow escaping after normalization
&           ; Don't allow multiple CGI processes to run on a single request

[RequestLimits]
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It's possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
;   Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0'). Also, any headers not listed
; in this section won't be checked for length limits.
;
; There are three special case limits:
;
;   - MaxAllowedContentLength specifies the maximum allowed
;     numeric value of the Content-Length request header. For
;     example, setting this to 1000 would cause any request
;     with a content length that exceeds 1000 to be rejected.
;     The default is 3,000,000,000.
;
;   - MaxUrl specifies the maximum length of the request URL,
;     not including the query string. The default is 260 (which
;     is equivalent to MAX_PATH).
;
;   - MaxQueryString specifies the maximum length of the query
;     string. The default is 4096.
MaxAllowedContentLength=30000000
MaxUrl=16384
MaxQueryString=4096
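To make the order in which the sections above take effect concrete, here is an added example (not part of the listing or of UrlScan itself) that evaluates constructed requests against the same rules: allow-listed verbs, normalize-then-verify, the denied sequences, AllowDotInPath, the deny-listed extensions and the MaxUrl/MaxQueryString limits. The normalize() function is a simplified stand-in for IIS canonicalization, an assumption of this example.

```python
import re
from urllib.parse import unquote

# Rule subset copied from the sample Urlscan.ini listing above.
ALLOW_VERBS = {"GET", "HEAD", "POST"}                 # UseAllowVerbs=1 -> [AllowVerbs]
DENY_EXTENSIONS = {".asp", ".cer", ".cdx", ".asa", ".exe", ".bat", ".cmd", ".com",
                   ".htw", ".ida", ".idq", ".htr", ".idc", ".shtm", ".shtml", ".stm",
                   ".printer", ".ini", ".log", ".pol", ".dat"}
DENY_SEQUENCES = ["..", "./", "\\", ":", "%", "&"]
MAX_URL, MAX_QUERY_STRING = 16384, 4096


def normalize(url: str) -> str:
    """One canonicalization pass (simplified stand-in for IIS's, assumed here):
    percent-decode, then drop '/./' segments and repeated slashes."""
    url = unquote(url)
    url = re.sub(r"/(\./)+", "/", url)
    return re.sub(r"/{2,}", "/", url)


def scan(verb: str, raw_url: str) -> tuple:
    """Return (accepted, reason) for one request line, applying the sections in order."""
    if verb.upper() not in ALLOW_VERBS:
        return False, f"verb {verb} is not in [AllowVerbs]"
    path, _, query = raw_url.partition("?")
    if len(path) > MAX_URL or len(query) > MAX_QUERY_STRING:   # [RequestLimits]
        return False, "MaxUrl or MaxQueryString exceeded"
    once = normalize(path)                               # NormalizeUrlBeforeScan=1
    if normalize(once) != once:                          # VerifyNormalization=1
        return False, "URL changed under a second normalization (double encoding)"
    if any(ord(c) > 127 for c in once):                  # AllowHighBitCharacters=0
        return False, "high-bit character in URL"
    for seq in DENY_SEQUENCES:                           # checked on the normalized URL
        if seq in once:
            return False, f"sequence {seq!r} is in [DenyUrlSequences]"
    segments = once.split("/")
    if any("." in seg for seg in segments[:-1]):         # AllowDotInPath=0
        return False, "dot in a directory name"
    m = re.search(r"(\.[^./]*)$", segments[-1])
    if m and m.group(1).lower() in DENY_EXTENSIONS:      # UseAllowExtensions=0 -> [DenyExtensions]
        return False, f"extension {m.group(1)} is in [DenyExtensions]"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample requests: each line is verb, URL.
    for v, u in [("GET", "/index.htm"), ("PROPFIND", "/"), ("GET", "/default.asp"),
                 ("GET", "/docs/%252e%252e/secret.txt"), ("GET", "/a.b/c.htm")]:
        print(v, u, "->", scan(v, u))
```

The double-encoded path is rejected by VerifyNormalization alone: the first pass yields `/docs/%2e%2e/secret.txt`, and only the second pass would reveal the `..`, which is exactly the change the setting refuses to tolerate.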