
URLSCAN on IIS6 config

 
anonymous1441




(Msg. 1) Posted: Fri Jun 04, 2004 9:15 am
Post subject: URLSCAN on IIS6 config
Archived from groups: microsoft>public>inetserver>iis (more info?)

I am having some problems getting URLScan 2.5 running
properly on IIS6. I can't get the default doc to display
unless it is written out in the url. If I remove urlscan
from the server it is okay. The urlscan log looks like
it is seeing a . in the url and rejecting the request;
there is obviously no period in the url.

Help please

Mike


http://ricweb3/default.asp output: Boo

http://ricweb3/ output: The system cannot find the file
specified.

code in default.asp
<%
response.write "Boo"
%>

----------------------------------------------------
From urlscanlog:
[06-04-2004 - 09:08:20] Client at xxx.xxx.xxx.xxx: URL
contains extension '.', which is not specifically allowed.
Request will be rejected. Site Instance='599050834', Raw
URL='/'



------------------------------------------------
urlscan.ini settings
UseAllowExtensions=1

[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.htm
.html
.txt
.jpg
.jpeg
.gif
.asp
------------------------------------------

anonymous1441




(Msg. 2) Posted: Fri Jun 04, 2004 10:25 am
Post subject: URLSCAN on IIS6 config
Archived from groups: per prev. post (more info?)

Looks like I need a "." in the allow extensions settings
for the default document to run.

Mike


someone9




(Msg. 3) Posted: Sat Jun 05, 2004 8:10 am
Post subject: Re: URLSCAN on IIS6 config
Archived from groups: per prev. post (more info?)

URLScan isn't rejecting it based on ".", it's rejecting the URL because you
required all URLs to have extensions (access to / is not counted as an
extension due to how URLScan interacts with IIS)

I suggest you reconsider the use of the "AllowExtensions" feature of URLScan
on IIS6 because it is not as good as the built-in support of IIS6.

See this URL for a comparison.
http://www.microsoft.com/technet/security/tools/urlscan.mspx

On IIS6, Web Service Extensions allow you control of which binaries can
execute (and also the extensions that they are scriptmapped to). MIME Type
Restriction allows you control of which static files can be downloaded.

In other words, it is impossible to do the following things with URLScan,
but it is easy with IIS6's built-in support:
1. Allow only foo.exe to run but not bar.exe or any other EXE
2. Allow the default document (whatever its extension) to execute but not
allow an extension-less URL to be executed or downloaded
3. Allow URLs with dots in them to be browsable, yet still block particular
URLs with dots in them.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Mike D" <anonymous.TakeThisOut@discussions.microsoft.com> wrote in message
news:184cb01c44a3f$c544ec00$a101280a@phx.gbl...
Looks like I need a "." in the allow extensions settings
for the default document to run.

Mike


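An added example (not part of the thread, and not URLScan or Microsoft code): a Python script that groups URLScan rejection entries of the form quoted in Msg. 1, so that default-document requests blocked by AllowExtensions stand apart from extensions that are simply missing from the list. Every log line except the first is constructed, and the category names are this example's own.

```python
import re
from collections import Counter

# Matches the rejection entry quoted in the thread. In the log file each entry
# is one line; the post shows it hard-wrapped.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<client>\S+): URL contains extension "
    r"'(?P<ext>[^']*)', which is not specifically allowed\. .*"
    r"Site Instance='(?P<site>[^']*)', Raw URL='(?P<url>[^']*)'"
)

def classify(ext, raw_url):
    """Label a rejection by what the allow-list entry '.' would change."""
    path = raw_url.split("?", 1)[0]
    if ext != ".":
        return "extension-not-listed"   # e.g. '.css' missing from the list
    if path.endswith("/"):
        return "default-document"       # directory URL, as in the thread
    return "extensionless-file"         # also admitted once '.' is allowed

def summarize(lines):
    """Count rejections per (category, extension, raw URL); skip other lines."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            counts[(classify(m["ext"], m["url"]), m["ext"], m["url"])] += 1
    return counts

# Constructed sample. The first entry is the one from the thread; the others
# are made up in the same format, with documentation-range client addresses.
_FMT = ("[06-04-2004 - {t}] Client at {c}: URL contains extension '{e}', which "
        "is not specifically allowed. Request will be rejected. "
        "Site Instance='599050834', Raw URL='{u}'")
SAMPLE_LOG = [
    _FMT.format(t="09:08:20", c="xxx.xxx.xxx.xxx", e=".", u="/"),
    _FMT.format(t="09:08:31", c="192.0.2.10", e=".", u="/"),
    _FMT.format(t="09:08:41", c="192.0.2.10", e=".", u="/reports/?year=2004"),
    _FMT.format(t="09:09:02", c="192.0.2.10", e=".css", u="/styles/site.css"),
    _FMT.format(t="09:09:15", c="192.0.2.11", e=".", u="/files/README"),
    "[06-04-2004 - 09:00:00] (constructed line that is not a rejection)",
]

if __name__ == "__main__":
    for (kind, ext, url), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:22s} {ext:6s} {url}")
```

Both the default-document and extensionless-file rows are logged with extension '.', so adding "." to [AllowExtensions] admits both; that is the limitation described in point 2 of Msg. 3.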