TFS 2010 and Url Scan
If you are using, or planning to use, UrlScan on the IIS server that is part of your TFS deployment, here is a sample UrlScan.ini configuration that I have used (a few settings deserve a closer look; see the note under RemoveServerHeader in particular):
[options]
UseAllowVerbs=0 ; If 1, use [AllowVerbs] section, else use the
; [DenyVerbs] section. The default is 1.
UseAllowExtensions=0 ; If 1, use [AllowExtensions] section, else
; use the [DenyExtensions] section. The
; default is 0.
NormalizeUrlBeforeScan=1 ; If 1, canonicalize URL before processing.
; The default is 1. Note that setting this
; to 0 will make checks based on extensions,
; and the URL unreliable and is therefore not
; recommended other than for testing.
VerifyNormalization=1 ; If 1, canonicalize URL twice and reject
; request if a change occurs. The default
; is 1.
AllowHighBitCharacters=0 ; If 1, allow high bit (i.e. UTF8 or MBCS)
; characters in URL. The default is 0.
AllowDotInPath=1 ; If 1, allow dots that are not file
; extensions. The default is 0. Note that
; setting this property to 1 will make checks
; based on extensions unreliable and is
; therefore not recommended other than for
; testing.
RemoveServerHeader=0 ; If 1, remove the 'Server' header from
; response. The default is 0.
;**Note: setting RemoveServerHeader to 1 will cause Team Project creation to fail with a "400 Bad Request" error while uploading files to WSS document libraries.
EnableLogging=1 ; If 1, log UrlScan activity. The
; default is 1. Changes to this property
; will not take effect until UrlScan is
; restarted.
PerProcessLogging=0 ; This property is deprecated for UrlScan
; 3.0 and later. UrlScan 3.0 and later can
; safely log output from multiple processes
; to the same log file. Changes to this
; property will not take effect until
; UrlScan is restarted.
AllowLateScanning=0 ; If 1, then UrlScan will load as a low
; priority filter. The default is 0. Note
; that this setting should only be used in
; the case where another installed
; filter is modifying the URL and you wish
; to have UrlScan apply its rules to the
; rewritten URL. Changes to this property
; will not take effect until UrlScan is
; restarted.
PerDayLogging=1 ; If 1, UrlScan will produce a new log each
; day with activity in the form
; 'UrlScan.010101.log'. If 0, UrlScan will
; log activity to urlscan.log. The default
; is 1. Changes to this setting will not
; take effect until UrlScan is restarted.
UseFastPathReject=0 ; If 1, then UrlScan will not use the
; RejectResponseUrl. On IIS versions less
; than 6.0, this will also prevent IIS
; from writing rejected requests to the
; W3SVC log. UrlScan will log rejected
; requests regardless of this setting. The
; default is 0.
LogLongUrls=0 ; This property is deprecated for UrlScan 3.0
; and later. UrlScan 3.0 and later will
; always include the complete URL in its log
; file.
UnescapeQueryString=1 ; If 1, UrlScan will perform two passes on
; each query string scan, once with the raw
; query string and once after unescaping it.
; If 0, UrlScan will only look at the raw
; query string as sent by the client. The
; default is 1. Note that if this property is
; set to 0, then checks based on the query
; string will be unreliable.
;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/Rejected-by-UrlScan' will be used.
; Changes to this setting will not take effect until UrlScan
; is restarted.
;
; Note that setting "RejectResponseUrl=/~*" will put UrlScan into Logging
; Only Mode. In this mode, UrlScan will process all requests per the
; config settings, but it will only log the results and not actually
; reject the requests. This mode is useful for testing UrlScan settings
; on a production server without actually interrupting requests.
;
RejectResponseUrl=
;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (i.e. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
; Changes to this setting will not take effect until UrlScan is
; restarted.
;
LoggingDirectory=Logs
;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;
AlternateServerName=
;
; UrlScan supports custom rules that can be applied in addition to the other
; checks and options specified in this configuration file. Rules should be
; listed in a comma separated string in the RuleList property. Each rule in
; the list corresponds to two sections in this configuration file, one
; containing the options for the rule, and one containing deny strings for
; the rule.
;
; Here is an example:
;
; [Options]
; RuleList=Rule1
;
; [Rule1]
; AppliesTo=.exe,.dll ; A comma separated list of file extensions to
; ; which the rule applies. If not specified,
; ; the rule will be applied to all requests.
;
; DenyDataSection=Rule1 Data ; The name of the section containing the
; ; rule's deny strings
;
; ScanURL=0 ; If 1, the URL will be scanned for deny
; ; strings. The default is 0.
;
; ScanAllRaw=0 ; If 1, then the raw request header data will
; ; be scanned for deny strings. The default
; ; is 0.
;
; ScanQueryString=0 ; If 1, the query string will be scanned
; ; for deny strings. The default is 0. Note
; ; that if UnescapeQueryString=1 is set in the
; ; [Options] section, then two scans will be
; ; made of the query string, one with the raw
; ; query string and one with the query string
; ; unescaped.
;
; ScanHeaders= ; A comma separated list of request headers to
; ; be scanned for deny strings. The default is
; ; no headers.
;
; DenyUnescapedPercent=0 ; If 1, UrlScan will scan the specified part
; ; of the raw request for a % character that is
; ; not used as an escape sequence. If found,
; ; the request will be rejected. This check
; ; can be used with ScanQueryString=1,
; ; ScanAllRaw=1, or the list of ScanHeaders.
; ; The default is 0. Note that if you want to
; ; deny non-escaped % characters in the URL,
; ; you can set VerifyNormalization=0 in the
; ; [Options] section and then add % as a
; ; [DenyUrlSequences] entry.
;
; [Rule1 data]
; string1
; string2
;
RuleList=
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; Any headers not listed in this section will not be checked for
; length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
; string. The default is 2048.
;
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
OPTIONS
SEARCH
PUT
[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
COPY
MOVE
LOCK
UNLOCK
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
Transfer-Encoding:
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.htm
.html
.txt
.jpg
.jpeg
.gif
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings. If you wish to enable ASP, remove the
; following extensions from this list:
; .asp
; .cer
; .cdx
; .asa
;
; Deny executables that could run on the server
.exe
.bat
.cmd
.com
; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
.config ; Configuration files
[AlwaysAllowedUrls]
;
; URLs listed here will always be explicitly allowed by UrlScan
; and will bypass all UrlScan checks. URLs must be listed
; with a leading '/' character. For example:
;
; /SampleURL.htm
;
[DenyUrlSequences]
;
; If any character sequences listed here appear in the URL for
; any request, that request will be rejected.
;
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
[AlwaysAllowedQueryStrings]
;
; Query strings listed here will always be explicitly allowed by
; UrlScan and will bypass all query string based checks.
;
[DenyQueryStringSequences]
;
; If any character sequences listed here appear in the query
; string for any request, that request will be rejected.
;
< ; Commonly used by script injection attacks
> ; Commonly used by script injection attacks
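To see how the sections above interact for a single request, here is a small Python model added for this post (it is not UrlScan's own code). It parses a condensed copy of the sample file with configparser and evaluates constructed requests against it: the verb allow/deny lists, [DenyHeaders], [RequestLimits], normalization with VerifyNormalization, [DenyUrlSequences] scanned after normalization, the extension lists, and the two-pass query string scan driven by UnescapeQueryString. The order of the checks, the way AllowDotInPath=0 is modelled, the helper names and the sample URLs are all assumptions of this example, not behaviour documented on this page.

```python
"""Toy model of how UrlScan 3.x applies the settings in the sample file above.
Added example, not UrlScan's code: the order of checks and the AllowDotInPath
rule are simplifications, and SAMPLE_INI is a constructed condensation of the
sample file that keeps the same active settings."""
import configparser
from urllib.parse import unquote

SAMPLE_INI = r"""
[options]
UseAllowVerbs=0
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=1 ; TFS and WSS paths contain dots outside the extension
UnescapeQueryString=1
[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
[AllowVerbs]
GET
POST
[DenyVerbs]
PROPFIND
MKCOL
[DenyHeaders]
Translate:
Transfer-Encoding:
[DenyExtensions]
.exe
.ini
.config
[DenyUrlSequences]
..
./
\
:
%
&
[DenyQueryStringSequences]
<
>
"""

def load_urlscan_ini(text):
    """List sections hold bare entries, so allow_no_value is needed; ':' is itself
    a DenyUrlSequences entry, so only '=' may act as key/value delimiter."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   inline_comment_prefixes=(";",), interpolation=None)
    cp.optionxform = str  # keep the case of verbs, header names and sequences
    cp.read_string(text)
    return cp

def _entries(cp, section):
    return list(cp[section]) if cp.has_section(section) else []

def _flag(cp, name):
    return cp["options"].get(name, "0").strip() == "1"

def evaluate(cp, verb, raw_url, query="", headers=None, content_length=0):
    """Return (allowed, reason) for one request under the parsed config."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if raw_url in _entries(cp, "AlwaysAllowedUrls"):
        return True, "AlwaysAllowedUrls"
    if _flag(cp, "UseAllowVerbs"):  # allow-list or deny-list of verbs, never both
        if verb not in _entries(cp, "AllowVerbs"):
            return False, f"verb {verb} not in [AllowVerbs]"
    elif verb in _entries(cp, "DenyVerbs"):
        return False, f"verb {verb} in [DenyVerbs]"
    for name in _entries(cp, "DenyHeaders"):  # headers that force WebDAV handling
        if name.rstrip(":").lower() in headers:
            return False, f"header {name} in [DenyHeaders]"
    lim = cp["RequestLimits"]
    if len(raw_url) > int(lim.get("MaxUrl", "260")):
        return False, "MaxUrl exceeded"
    if len(query) > int(lim.get("MaxQueryString", "2048")):
        return False, "MaxQueryString exceeded"
    if content_length > int(lim.get("MaxAllowedContentLength", "30000000")):
        return False, "MaxAllowedContentLength exceeded"
    for key, value in lim.items():  # Max-<Header>=N limits that header's length
        if key.startswith("Max-") and len(headers.get(key[4:].lower(), "")) > int(value):
            return False, f"{key} exceeded"
    # Canonicalise once, then reject anything that would decode a second time
    url = unquote(raw_url) if _flag(cp, "NormalizeUrlBeforeScan") else raw_url
    if _flag(cp, "VerifyNormalization") and unquote(url) != url:
        return False, "URL changes on second normalization (double encoding)"
    if not _flag(cp, "AllowHighBitCharacters") and any(ord(c) > 127 for c in url):
        return False, "high-bit character in URL"
    if not _flag(cp, "AllowDotInPath") and any("." in s for s in url.split("/")[1:-1]):
        return False, "dot in a directory name (AllowDotInPath=0)"
    for seq in _entries(cp, "DenyUrlSequences"):  # scanned after normalization
        if seq in url:
            return False, f"URL contains {seq!r} from [DenyUrlSequences]"
    last = url.rsplit("/", 1)[-1]
    ext = last[last.rfind("."):].lower() if "." in last else ""
    if _flag(cp, "UseAllowExtensions"):
        if ext not in _entries(cp, "AllowExtensions"):
            return False, f"extension {ext!r} not in [AllowExtensions]"
    elif ext in _entries(cp, "DenyExtensions"):
        return False, f"extension {ext!r} in [DenyExtensions]"
    if query in _entries(cp, "AlwaysAllowedQueryStrings"):
        return True, "AlwaysAllowedQueryStrings"
    passes = [query] + ([unquote(query)] if _flag(cp, "UnescapeQueryString") else [])
    for seq in _entries(cp, "DenyQueryStringSequences"):  # raw pass plus decoded pass
        if any(seq in q for q in passes):
            return False, f"query string contains {seq!r}"
    return True, "passed all checks"

if __name__ == "__main__":
    cfg = load_urlscan_ini(SAMPLE_INI)
    for verb, url in [("GET", "/tfs/Collection/Project.Web/default.aspx"),  # constructed
                      ("GET", "/docs/%252e%252e/secret.txt"), ("PROPFIND", "/sites/x/")]:
        print(verb, url, evaluate(cfg, verb, url))
```

Two of the sample settings are worth tracing through the model: because NormalizeUrlBeforeScan=1, the `..` entry in [DenyUrlSequences] catches `%2e%2e` as well as a literal `..`, and VerifyNormalization=1 rejects a double-encoded `%252e` on its own; and because UnescapeQueryString=1, the `<` entry in [DenyQueryStringSequences] matches `%3C` in the query string, which a raw-only scan would miss.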