Web Listing 4 contains some sample .asp code, badurl.asp, that shows the server variables in action. The output in Figure 1 shows the text that users would see when they request a URL that includes a period.
In general, be careful how much information you reveal in error messages: You don't want to make life any easier for attackers. I recommend that you avoid showing the client HTTP_URLSCAN_STATUS_HEADER or HTTP_URLSCAN_ORIGINAL_VERB for security reasons, but you might want to return a generic error message such as Your request failed and supply a copy of HTTP_URLSCAN_ORIGINAL_URL along with support contact information. That way, legitimate users can give you enough information to find the rejected URL in URLScan's logs and analyze the problem. (Remember that URLScan reports the same information that it shows to users when you specify HTTP_URLSCAN_ORIGINAL_URL to the URLScan log.) Also, if you've configured IIS to log cs-uri-query (one of several fields you can direct IIS to include in its log), rejected URLs will show up in the IIS log as well.
RejectResponseUrl also provides a useful logging-only mode. When you set RejectResponseUrl to /~*, URLScan logs the requests you set it to reject but services them as if you hadn't installed the tool. (As Web Figure 2 shows, the URLScan log reminds you that it's running in logging-only mode.)
UseFastPathReject. You might want to report rejected URLs as quickly as possible with the least resource use. If you set UseFastPathReject to 1, URLScan ignores RejectResponseUrl and instead returns a standard 404 error message to the client. When you use UseFastPathReject, the IIS log doesn't log the original URL and other related information, but the URLScan log does.
Adjusting URLScan
You need to configure URLScan as strictly as possible but still make sure the tool accepts the verbs, headers, and file extensions that your Web site requires. To get maximum protection from URLScan, you might need to modify certain areas of your Web site. For example, you might need to change the paths in your Web site or the format of your URLs so that URLScan won't reject legitimate requests. Avoid using periods in folder names or filenames. Also avoid using colons (:), ampersands, percent signs (%), or backslashes (\) in URLs.
In addition, several Microsoft and non-Microsoft add-ons require specific URLScan configurations. To learn about those required configurations, see the Web-exclusive sidebar "Configuring URLScan to Support Specific Products," InstantDoc ID 25614.
URLScan offers defense in depth because it examines any packet bound for IIS against a set of rules that you can define in urlscan.ini. URLScan's approach of preventing unusual requests from being processed offers protection against future exploits.
Tom November 17, 2003