Urlscan 2.5 question

Will installing Urlscan on IIS 4 & IIS 5 servers protect them from Trace/Track vulnerabilities by default, or do I need to configure Urlscan to do this?

Thanks!

-----

"David Wang" wrote:

Depends on the configuration specified in URLScan.ini.

I suggest you read it and determine for yourself. You will have to do this because you must know:

1. Exact resource that you are trying to secure
2. What vectors are able to attack that resource
3. What knobs can be tweaked in what way to address the vector

You have to take responsibility to know and configure all of them. Security is a journey, not a destination.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

> "winsysadmin" <winsysad***@discussions.microsoft.com> wrote in message news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com...
> Will installing Urlscan on IIS 4 & IIS 5 servers protect them from Trace/Track vulnerabilities by default or do I need to configure Urlscan to do this?
>
> Thanks!

-----

"Bernard Cheah" wrote:

What kind of Trace/Track vulnerabilities?
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/

> "winsysadmin" <winsysad***@discussions.microsoft.com> wrote in message news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com...
> Will installing Urlscan on IIS 4 & IIS 5 servers protect them from Trace/Track vulnerabilities by default or do I need to configure Urlscan to do this?
>
> Thanks!

-----

"Karl Levinson" wrote:

> "winsysadmin" <winsysad***@discussions.microsoft.com> wrote in message news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com...
> Will installing Urlscan on IIS 4 & IIS 5 servers protect them from Trace/Track vulnerabilities by default or do I need to configure Urlscan to do this?

I don't think there is one single default. I believe there are several, ones for OWA on Exchange server, etc., so that you could get different default settings depending on how you install URLScan.

After installing urlscan, edit the urlscan.ini and read the sections on [blockverbs] and [allowverbs]. Only one of those two sections is active at a time, depending on the UseAllowVerbs setting in that file.

http://support.microsoft.com/Default.aspx?kbid=326444
http://securityadmin.info/faq.asp?urlscan

According to the first article above, it appears that AllowVerbs is the default. So if Trace and Track are not in the AllowVerbs section, and I expect that they would probably not be,

Trace and Track are largely theoretical vulnerabilities. Unless there is a known unpatched exploit against them, and I'm not sure there are any at the moment, they usually only give a small amount of information, not remote compromise of the server.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
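The "small amount of information" a reachable TRACE gives up is the request itself: a server with the verb enabled reflects the request line and headers back in the response body, so any cookie or Authorization header a browser attached rides along (the cross-site-tracing exposure). The practical check after installing UrlScan is therefore to send TRACE and TRACK and look for that reflection. The Python below is an added example, not code from this thread or from Microsoft; the host name, the canary Cookie header and the two sample responses are constructed so the classifier can be exercised offline.

```python
import socket

# Added example, not part of the newsgroup thread. Builds a TRACE/TRACK request,
# and classifies a raw HTTP response as 'echoed' (verb enabled, request
# reflected), 'rejected' (filtered or unsupported) or 'unknown'.

# Request headers whose reflection in a TRACE body is the actual leak.
SENSITIVE = ("cookie", "authorization")


def build_request(host, verb="TRACE", path="/", extra_headers=None):
    """Raw HTTP/1.1 request text; a canary header makes any echo visible."""
    lines = [f"{verb} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def classify_response(raw, sent_request):
    """Return {'status': int, 'verdict': str, 'leaked_headers': [names]}.

    'echoed'   : 200 with a message/http body or our request line in the body.
    'rejected' : an error status; UrlScan answers rejected requests with 404
                 by default, a server with the verb disabled natively tends to
                 return 405 or 501.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    head_lines = head.decode("latin-1", "replace").split("\r\n")
    parts = head_lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in head_lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    sent_lines = sent_request.strip().split("\r\n")
    request_line = sent_lines[0]
    # Which sensitive headers that we sent came back verbatim in the body?
    leaked = []
    for line in sent_lines[1:]:
        name = line.split(":", 1)[0].strip()
        if name.lower() in SENSITIVE and line.encode("latin-1") in body:
            leaked.append(name)

    is_echo = (headers.get("content-type", "").lower().startswith("message/http")
               or request_line.encode("latin-1") in body)
    if status == 200 and is_echo:
        verdict = "echoed"
    elif status in (400, 403, 404, 405, 501):
        verdict = "rejected"
    else:
        verdict = "unknown"
    return {"status": status, "verdict": verdict, "leaked_headers": leaked}


def probe(host, port=80, verb="TRACE", timeout=5.0):
    """Live check against a server (not exercised offline): send and classify."""
    request = build_request(host, verb, extra_headers={"Cookie": "canary=1"})
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("latin-1"))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_response(b"".join(chunks), request)


# Constructed sample traffic (hypothetical host), so the classifier runs offline.
REQ = build_request("www.example.test", extra_headers={"Cookie": "canary=1"})
ECHOED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
          + REQ.encode("latin-1"))
REJECTED = b"HTTP/1.1 404 Object Not Found\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("echoed", ECHOED), ("rejected", REJECTED)):
        print(label, classify_response(raw, REQ))
    # Against a real host, run probe(host) once with verb="TRACE" and once
    # with verb="TRACK"; IIS treats TRACK as its own verb, so both need checking.
```

Run the probe for both verbs: a filter that lists only TRACE in a deny list still lets TRACK through, and only an 'echoed' verdict with a non-empty leaked_headers list is the condition worth treating as a finding.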
-----

"Wade A. Hilmo" wrote:

Hello,

UrlScan does have a single default that is built into the dll. The built-in defaults are the same values that exist in the UrlScan.ini file that installs with the UrlScan installer at the following location:

http://www.microsoft.com/technet/security/tools/urlscan.mspx

To answer the original question, by default, UseAllowVerbs is 1, and the [AllowVerbs] section contains GET, HEAD, and POST. Based on these settings, UrlScan will reject any TRACE or TRACK requests, as well as any other HTTP verbs other than GET, HEAD, or POST.

The other flavors of UrlScan configuration (such as OWA) that you refer to below are part of the Lockdown tool installer. They apply non-default configuration settings that are appropriate to the template chosen. The Lockdown tool is only related to UrlScan as an installer. UrlScan was developed before and completely independent of the Lockdown tool.

I hope this helps to clarify.

Thank you,
-Wade A. Hilmo,
-Microsoft

> "karl levinson, mvp" <levinso***@securityadmin.info> wrote in message news:OGFQObNqGHA.4924@TK2MSFTNGP04.phx.gbl...
> "winsysadmin" <winsysad***@discussions.microsoft.com> wrote in message news:78C4228A-D491-4D15-BFFB-96213F87D022@microsoft.com...
> > Will installing Urlscan on IIS 4 & IIS 5 servers protect them from Trace/Track vulnerabilities by default or do I need to configure Urlscan to do this?
>
> I don't think there is one single default. I believe there are several, ones for OWA on Exchange server, etc., so that you could get different default settings depending on how you install URLScan.
>
> After installing urlscan, edit the urlscan.ini and read the sections on [blockverbs] and [allowverbs]. Only one of those two sections is active at a time, depending on the UseAllowVerbs setting in that file.
>
> http://support.microsoft.com/Default.aspx?kbid=326444
> http://securityadmin.info/faq.asp?urlscan
>
> According to the first article above, it appears that AllowVerbs is the default. So if Trace and Track are not in the AllowVerbs section, and I expect that they would probably not be,
>
> Trace and Track are largely theoretical vulnerabilities. Unless there is a known unpatched exploit against them, and I'm not sure there are any at the moment, they usually only give a small amount of information, not remote compromise of the server.
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info