If you downloaded URLScan, it should also have some template INI files that
illustrate a secure default configuration. IIS Lockdown Wizard also allows
the selection and customization of some template INI files. All these
things have KB articles that explain how to create/configure the INI files,
so search for them.
There is one potential issue with having URLScan deny TRACE/TRACK verbs --
namely, if you also use a customized RejectResponseUrl, IIS will end up
sending the contents of that URL, unexecuted, to the browser, when a
TRACE/TRACK request is made and rejected. What we recommend is for users to
not use a customized RejectResponseUrl if they deny TRACE/TRACK since none
of this is default configuration. I think there is a KB out on this as
well.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Ken Schaefer" <kenREMOVE RemoveThis @THISadOpenStatic.com> wrote in message
news:eihLQEU5DHA.1816@TK2MSFTNGP12.phx.gbl...
Um, the first section says:
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
Then, below that there is an AllowVerbs section and a DenyVerbs section. If
you are using AllowVerbs, do not put TRACE in there. If you are using
DenyVerbs, then put TRACE in there.
Cheers
Ken
"Paul Kavanagh" <pkavanagh RemoveThis @ntlworld.com> wrote in message
news:OGLKgxS5DHA.1504@TK2MSFTNGP12.phx.gbl...
: Did a security audit on my Outlook Web Access server today and one of the
: high risk vulnerabilities found claimed I should use URLSCAN to deny HTTP
: TRACE requests. How do I do this? I've downloaded urltrace but I can't make
: head nor tail of it - seems to be an .ini file needs editing, but what do I
: put in??
:
: Thanks in advance,
:
: Paul.
:
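
A small check for the two points made in this thread (which verb list applies under UseAllowVerbs, and the RejectResponseUrl caveat), as an added example that is not part of any of the posts and is not Microsoft's code. The sample INI text is constructed, the function names are hypothetical, and treating any non-empty RejectResponseUrl as "customized" is an assumption of the example.

```python
TRACE_VERBS = {"TRACE", "TRACK"}
# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
RejectResponseUrl=/custom/rejected.htm
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
TRACE
"""

def parse_urlscan_ini(text):
    """Return {section_name_lower: [entries]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def check_trace_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    sections = parse_urlscan_ini(text)
    options = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        options[key.strip().lower()] = value.strip()
    findings, blocked = [], set()
    mode = options.get("useallowverbs")
    # Verbs are upper-cased before comparison: a conservative choice for a linter.
    if mode is None:
        findings.append("UseAllowVerbs is not set in [options]")
    elif mode == "1":  # [AllowVerbs] applies: TRACE/TRACK must be absent
        allowed = {v.upper() for v in sections.get("allowverbs", [])}
        blocked = TRACE_VERBS - allowed
        findings += [f"remove {v} from [AllowVerbs]" for v in sorted(TRACE_VERBS & allowed)]
    else:  # [DenyVerbs] applies: TRACE/TRACK must be present
        denied = {v.upper() for v in sections.get("denyverbs", [])}
        blocked = TRACE_VERBS & denied
        findings += [f"add {v} to [DenyVerbs]" for v in sorted(TRACE_VERBS - denied)]
    # Assumption of this example: any non-empty value counts as "customized".
    if blocked and options.get("rejectresponseurl"):
        findings.append("TRACE/TRACK denied with a custom RejectResponseUrl")
    return findings
```

Calling `check_trace_config(SAMPLE_INI)` reports only the RejectResponseUrl finding, because with UseAllowVerbs=1 the [DenyVerbs] section is ignored and TRACE is already absent from [AllowVerbs].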