IIS Informant: Enabling ASP After IIS Lockdown

From the July 2002 Edition
of Windows Web Solutions
Brett Hill
IIS Informant
InstantDoc #25225
Windows Web Solutions

I recently applied the URLScan filter. Now my Active Server Pages (ASP) scripts no longer function, even though I allowed the .asp extension in the urlscan.ini file. What else do I need to do to make ASP work?

The IIS Lockdown tool includes two programs: the IIS Lockdown program and the URLScan Internet Server API (ISAPI) filter, both of which can restrict the use of ASP scripts. As an ISAPI filter, URLScan can intercept requests from clients that want to run an ASP script and stop the requests from reaching the server. URLScan filters out requests for ASP scripts if you select the Static Web server template when you run the IIS Lockdown tool, as Figure 1 shows, or if you disable ASP when viewing the template settings.

As you mentioned, you can configure the urlscan.ini file in systemdrive:\winnt\system32\inetsrv\ulrscan to correct the URLScan portion of the problem. In the [DenyExtensions] section of the file (which will look like the code that Listing 1, page 6, shows if you chose the Static Web server template), remove the .asp, .cer, .cdx, and .asa extensions. Then, save the modified file and restart IIS. URLScan will no longer intercept requests for ASP scripts.

When you choose the Static Web server template, the IIS Lockdown tool maps the .asp extension to 404.dll, which returns a File not found error. To correct the IIS Lockdown portion of the problem and reenable ASP functionality, you must remove the mapping to 404.dll and replace it with a map to systemdrive:\winnt\system32\inetsrv\asp.dll.

As an alternative to editing urlscan.ini and application mapping, you can rerun the IIS Lockdown tool to return your IIS configuration to its prelockdown state. Then, you can run the Lockdown tool again and select the Dynamic Web server (ASP enabled) template to properly enable ASP. However, you'll lose any changes you've made to the IIS configuration in Internet Services Manager (ISM) 5.0 or Internet Service Manager (ISM) 4.0 since you ran the Lockdown tool the first time. For more information about URLScan, see Randy Franklin Smith, "Protect Your IIS Server with URLScan," page 6.

End of Article

Thanks! Your answer to this question was very helpful and helped me get past the same problem.

Ken April 10, 2003

The article was helpful much. By the way, in case of .NET, i cannot debug .NET after applying IIS Lockdown. Could you help me? Thank you.

Truong, Loc May 09, 2003

Hooray! This helpfull bit of information saved my butt!

Skafian June 10, 2003

THANK YOU

ultrasonix March 28, 2004

It's taken me two days of searching for the answer to this while the web server was down, what a relief, Thanks so much.

Tracy Alley April 26, 2004

This was a very useful bit of information, cheers Brett!

Mark May 28, 2004

How do you remove the mapping to 404.dll and replace it with a map to systemdrive:\winnt\system32\inetsrv\asp.dll.

mayhuer July 28, 2004 (Article Rating:

)

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now