For those of you who don’t know, Microsoft has a neat tool/utility out there called URLScan. It’s primary job is to block traffic on a server that you don’t want trafficing. We’ve recently released the 3.0 beta version, which adds some new features. Prior to my life at MS, a team I worked on used URLScan to block WebDAV traffic on our SPS2003 servers. I was talking to an old colleague yesterday and he expressed the need to block certain URLs on certain machines in his environment. The way they have things set up, they currently don’t have any devices that can do this for them. By chance, today I found the new version of URLScan and found it added a new feature to do this.
UrlScan v3.0 Beta Features
UrlScan v3.0 Beta maintains feature and functionality parity with its predecessor (UrlScan v2.5). The configuration format is the same, but includes a few additional sections that can be used for the new features. If you are currently using UrlScan v2.5, you can use the same urlscan.ini configuration file with UrlScan v3.0.
- Deny rules can now be independently applied to query string, all headers, a particular header, URL or a combination of these.
- A global DenyQueryString section in configuration lest you add deny rules for query strings with the option of checking the un-escaped version of the query string as well.
- Using escape sequences (like %0A%0D) can now be used in deny rules so it is possible to deny CRLF and other sequences involving non-printable characters.
- Multiple UrlScan instances can now be installed as site filters, each with its own configuration and rules (urlscan.ini).
- Configuration (urlscan.ini) change notifications will be propagated to IIS worker processes so you won’t have to recycle your worker processes after making a configuration change. Logging settings are the only exception to this.
- Enhanced logging to give descriptive configuration errors.
Features Ported from UrlScan v2.5
Please check the Microsoft TechNet article here to get details about features for UrlScan v2.5. Here is a quick summary of the features in UrlScan v2.5.
- Block requests from being executed by IIS based on HTTP Verbs, HTML Encoding, URI Extension, URL sequences and size of request.
- Ability to change log file directory.
- Ability to log long URLs (>1024 bytes) up to 128 Kb.