Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Terms
of Use |
Trademarks
Article ID: 815155 - Last Review: July 3, 2008 - Revision: 6.4
How to configure URLScan to protect ASP.NET Web applications
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
For more information about IIS 7.0, visit the following Microsoft Web site:
This step-by-step article describes how to configure
the URLScan security tool to protect ASP.NET Web applications.
URLScan is an Internet
Server API (ISAPI) filter that screens and
monitors HTTP requests for Internet Information Server
4.0, Internet Information Services 5.0, and Internet Information Services 5.1 (IIS). URLScan is used to reduce the exposure of IIS to potential Internet attacks.
By default, URLScan
does not make special accommodations for file name extensions that ASP.NET
Web applications use. You can change the URLScan configuration to add an extra
layer of security for these applications. You must disable or enable different file name extensions for application level tracing, XML Web services, and remoting.
back to the
topConfigure URLScan
To configure
URLScan to enable standard ASP.NET file name extensions that users may requested, follow these steps:
- Install the URLScan tool. For information and instructions, visit the following Microsoft Web site:
- Open the Urlscan.ini file in a text editor (such as Notepad). This file is located in the \System Root\System32\Inetsrv\Urlscan\ folder.
- In the [AllowExtensions] section, add the following file name extensions:
- In the [DenyExtensions] section, add the following file name extensions:
- .asax
- .ascx
- .config
- .cs
- .csproj
- .dll
- .licx
- .pdb
- .resx
- .resources
- .vb
- .vbproj
- .vsdisco
- .webinfo
- .xsd
- .xsx
- To turn on application level tracing, add the .axd file name extension to the [AllowExtensions] section. If you do not want to turn on application level tracing, add .axd to the [DenyExtensions] section.
- To allow Web services, add the .asmx file name extension to the [AllowExtensions] section. If you do not want to allow Web services, add .asmx to the [DenyExtensions] section.
- To turn on remoting, add the .rem file name extension and the .soap file name extension to the [AllowExtensions] section. If you do not want to turn on remoting, add .rem and .soap to the [DenyExtensions] section.
- Save and then close the Urlscan.ini file. You must restart IIS for the changes to take effect.
Note These steps are designed to offer optimal protection, regardless of whether the
UseAllowVerbs setting is turned on in URLScan.
back to the top
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315736Â
(http://kbalertz.com/Feedback.aspx?kbNumber=315736/
)
How to secure an ASP.NET application by using Windows
Security
315588Â
(http://kbalertz.com/Feedback.aspx?kbNumber=315588/
)
How to secure an ASP.NET application using client-side certificates
818014Â
(http://kbalertz.com/Feedback.aspx?kbNumber=818014/
)
How to secure applications that are built on the .NET Framework
back to the top
APPLIES TO
- Microsoft ASP.NET 1.0
- Microsoft Internet Information Services version 5.1
- Microsoft Internet Information Server 4.0
- Microsoft ASP.NET 1.1
| kbscan kbsecurity kbconfig kbweb kbhowtomaster KB815155 |
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
Be the first to leave feedback, to help others about this knowledge base
article.
(Optional) Name
(Optional)
Public URL Or Email
Comments
No
HTML -- Text Only Please