If you are using, or planning to use, UrlScan on the IIS server that is part of your TFS deployment, here is a sample UrlScan.ini configuration file that I have used. The settings that depart from UrlScan's defaults deserve a look, as does the note on RemoveServerHeader below. Before enforcing it on a production server, run it with RejectResponseUrl=/~* (logging-only mode, described in the [Options] comments below) and review the UrlScan log for requests that would have been rejected.
[Options]

UseAllowVerbs=0              ; If 1, use [AllowVerbs] section, else use the
                             ; [DenyVerbs] section. The default is 1.

UseAllowExtensions=0         ; If 1, use [AllowExtensions] section, else
                             ; use the [DenyExtensions] section. The
                             ; default is 0.

NormalizeUrlBeforeScan=1     ; If 1, canonicalize URL before processing.
                             ; The default is 1. Note that setting this
                             ; to 0 will make checks based on extensions
                             ; and the URL unreliable and is therefore not
                             ; recommended other than for testing.

VerifyNormalization=1        ; If 1, canonicalize URL twice and reject
                             ; request if a change occurs. The default
                             ; is 1.

AllowHighBitCharacters=0     ; If 1, allow high bit (i.e. UTF8 or MBCS)
                             ; characters in URL. The default is 0.

AllowDotInPath=1             ; If 1, allow dots that are not file
                             ; extensions. The default is 0. Note that
                             ; setting this property to 1 will make checks
                             ; based on extensions unreliable and is
                             ; therefore not recommended other than for
                             ; testing.

RemoveServerHeader=0         ; If 1, remove the 'Server' header from
                             ; response. The default is 0.

;** Note: setting RemoveServerHeader to 1 causes Team Project creation to
;** fail with a "400 Bad Request" error while files are uploaded to the WSS
;** document libraries.

EnableLogging=1              ; If 1, log UrlScan activity. The
                             ; default is 1. Changes to this property
                             ; will not take effect until UrlScan is
                             ; restarted.

PerProcessLogging=0          ; This property is deprecated for UrlScan
                             ; 3.0 and later. UrlScan 3.0 and later can
                             ; safely log output from multiple processes
                             ; to the same log file. Changes to this
                             ; property will not take effect until
                             ; UrlScan is restarted.

AllowLateScanning=0          ; If 1, then UrlScan will load as a low
                             ; priority filter. The default is 0. Note
                             ; that this setting should only be used in
                             ; the case where another installed filter
                             ; is modifying the URL and you wish to have
                             ; UrlScan apply its rules to the rewritten
                             ; URL. Changes to this property will not
                             ; take effect until UrlScan is restarted.

PerDayLogging=1              ; If 1, UrlScan will produce a new log each
                             ; day with activity in the form
                             ; 'UrlScan.010101.log'. If 0, UrlScan will
                             ; log activity to urlscan.log. The default
                             ; is 1. Changes to this setting will not
                             ; take effect until UrlScan is restarted.

UseFastPathReject=0          ; If 1, then UrlScan will not use the
                             ; RejectResponseUrl. On IIS versions less
                             ; than 6.0, this will also prevent IIS
                             ; from writing rejected requests to the
                             ; W3SVC log. UrlScan will log rejected
                             ; requests regardless of this setting. The
                             ; default is 0.

LogLongUrls=0                ; This property is deprecated for UrlScan 3.0
                             ; and later. UrlScan 3.0 and later will
                             ; always include the complete URL in its log
                             ; file.

UnescapeQueryString=1        ; If 1, UrlScan will perform two passes on
                             ; each query string scan, once with the raw
                             ; query string and once after unescaping it.
                             ; If 0, UrlScan will only look at the raw
                             ; query string as sent by the client. The
                             ; default is 1. Note that if this property is
                             ; set to 0, then checks based on the query
                             ; string will be unreliable.
;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/Rejected-by-UrlScan' will be used.
; Changes to this setting will not take effect until UrlScan
; is restarted.
;
; Note that setting "RejectResponseUrl=/~*" will put UrlScan into Logging
; Only Mode. In this mode, UrlScan will process all requests per the
; config settings, but it will only log the results and not actually
; reject the requests. This mode is useful for testing UrlScan settings
; on a production server without actually interrupting requests.
;

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (i.e. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
; Changes to this setting will not take effect until UrlScan is
; restarted.
;

;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;

;
; UrlScan supports custom rules that can be applied in addition to the other
; checks and options specified in this configuration file. Rules should be
; listed in a comma separated string in the RuleList property. Each rule in
; the list corresponds to two sections in this configuration file, one
; containing the options for the rule, and one containing deny strings for
; the rule.
;
; Here is an example:
;
; [Options]
; RuleList=Rule1
;
; [Rule1]
; AppliesTo=.exe,.dll        ; A comma separated list of file extensions to
;                            ; which the rule applies. If not specified,
;                            ; the rule will be applied to all requests.
;
; DenyDataSection=Rule1 Data ; The name of the section containing the
;                            ; rule's deny strings
;
; ScanURL=0                  ; If 1, the URL will be scanned for deny
;                            ; strings. The default is 0.
;
; ScanAllRaw=0               ; If 1, then the raw request header data will
;                            ; be scanned for deny strings. The default
;                            ; is 0.
;
; ScanQueryString=0          ; If 1, the query string will be scanned
;                            ; for deny strings. The default is 0. Note
;                            ; that if UnescapeQueryString=1 is set in the
;                            ; [Options] section, then two scans will be
;                            ; made of the query string, one with the raw
;                            ; query string and one with the query string
;                            ; unescaped.
;
; ScanHeaders=               ; A comma separated list of request headers to
;                            ; be scanned for deny strings. The default is
;                            ; no headers.
;
; DenyUnescapedPercent=0     ; If 1, UrlScan will scan the specified part
;                            ; of the raw request for a % character that is
;                            ; not used as an escape sequence. If found,
;                            ; the request will be rejected. This check
;                            ; can be used with ScanQueryString=1,
;                            ; ScanAllRaw=1, or the list of ScanHeaders.
;                            ; The default is 0. Note that if you want to
;                            ; deny non-escaped % characters in the URL,
;                            ; you can set VerifyNormalization=0 in the
;                            ; [Options] section and then add % as a
;                            ; [DenyUrlSequences] entry.
;
; [Rule1 data]
; string1
; string2
;
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; Any headers not listed in this section will not be checked for
; length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
;   numeric value of the Content-Length request header. For
;   example, setting this to 1000 would cause any request
;   with a content length that exceeds 1000 to be rejected.
;   The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
;   not including the query string. The default is 260 (which
;   is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
;   string. The default is 2048.
;
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;

[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings. If you wish to enable ASP, remove the
; following extensions from this list:
;    .asp
;    .cer
;    .cdx
;    .asa
;

; Deny executables that could run on the server
.exe
.bat
.cmd
.com

; Deny infrequently used scripts
.htw     ; Maps to webhits.dll, part of Index Server
.ida     ; Maps to idq.dll, part of Index Server
.idq     ; Maps to idq.dll, part of Index Server
.htr     ; Maps to ism.dll, a legacy administrative tool
.idc     ; Maps to httpodbc.dll, a legacy database access tool
.shtm    ; Maps to ssinc.dll, for Server Side Includes
.shtml   ; Maps to ssinc.dll, for Server Side Includes
.stm     ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini     ; Configuration files
.log     ; Log files
.pol     ; Policy files
.dat     ; Configuration files
.config  ; Configuration files
[AlwaysAllowedUrls]
;
; URLs listed here will always be explicitly allowed by UrlScan
; and will bypass all UrlScan checks. URLs must be listed
; with a leading '/' character. For example:
;
; /SampleURL.htm
;

[DenyUrlSequences]
;
; If any character sequences listed here appear in the URL for
; any request, that request will be rejected.
;
..       ; Don't allow directory traversals
./       ; Don't allow trailing dot on a directory name
\        ; Don't allow backslashes in URL
:        ; Don't allow alternate stream access
%        ; Don't allow escaping after normalization
&        ; Don't allow multiple CGI processes to run on a single request

[AlwaysAllowedQueryStrings]
;
; Query strings listed here will always be explicitly allowed by
; UrlScan and will bypass all query string based checks.
;

[DenyQueryStringSequences]
;
; If any character sequences listed here appear in the query
; string for any request, that request will be rejected.
;
<        ; Commonly used by script injection attacks
>        ; Commonly used by script injection attacks
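To make the interplay of these sections concrete, here is an added Python model of how UrlScan applies them; it is not UrlScan's own code nor anything from the TFS or IIS product teams. It parses a constructed excerpt of the sample above and runs requests through the verb, double-canonicalization (VerifyNormalization), MaxUrl/MaxQueryString, [DenyUrlSequences], AllowDotInPath, [DenyExtensions] and [DenyQueryStringSequences] checks. Assumptions: UseAllowVerbs=0 and UseAllowExtensions=0 as in the sample (so only the deny lists are consulted); one canonicalization pass is modelled as a single percent-decode (real canonicalization also collapses dot segments); and when RejectResponseUrl=/~* is set the verdict is reported as "log-only" rather than "reject", which is what logging-only mode would have written to the UrlScan log.

```python
"""Added model (not UrlScan's code) of the UrlScan.ini checks listed above."""
from urllib.parse import unquote

# Constructed excerpt (assumption): only the entries the evaluator reads.
# AllowDotInPath=1 and UseAllow*=0 follow the TFS sample above.
SAMPLE_INI = r"""
[Options]
UseAllowVerbs=0
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=1
UnescapeQueryString=1
RejectResponseUrl=/Rejected-by-UrlScan
[RequestLimits]
MaxUrl=260
MaxQueryString=2048
[DenyVerbs]
PROPFIND
[DenyExtensions]
.exe
.config
[DenyUrlSequences]
..
./
\
%
[DenyQueryStringSequences]
<
>
"""


def parse_ini(text):
    """';' starts a comment; a section holds key=value lines or bare entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def keyvals(cfg, section):
    return dict(entry.partition("=")[::2] for entry in cfg.get(section, []))


def canonicalize(url):
    # Assumption: one canonicalization pass is modelled as one percent-decode;
    # dot-segment collapsing is left out so [DenyUrlSequences] stays observable.
    return unquote(url)


def check_request(cfg, verb, url, query=""):
    """Return (verdict, reason): 'allow', 'reject', or 'log-only' when
    RejectResponseUrl=/~* has put UrlScan into logging-only mode."""
    opt, lim = keyvals(cfg, "Options"), keyvals(cfg, "RequestLimits")
    flag = lambda key, default: opt.get(key, default) == "1"
    mode = "log-only" if opt.get("RejectResponseUrl") == "/~*" else "reject"
    # Assumption: UseAllowVerbs=0 / UseAllowExtensions=0, so only deny lists apply.
    if verb in cfg.get("DenyVerbs", []):
        return mode, f"verb {verb} is in [DenyVerbs]"

    scan_url = url
    if flag("NormalizeUrlBeforeScan", "1"):
        scan_url = canonicalize(url)
        # VerifyNormalization: a second pass that still changes the URL means
        # the client sent a double-encoded path such as %252e%252e.
        if flag("VerifyNormalization", "1") and canonicalize(scan_url) != scan_url:
            return mode, "URL changed on second canonicalization"
    if len(url) > int(lim.get("MaxUrl", 260)):
        return mode, "MaxUrl exceeded"
    if len(query) > int(lim.get("MaxQueryString", 2048)):
        return mode, "MaxQueryString exceeded"
    for seq in cfg.get("DenyUrlSequences", []):
        if seq in scan_url:
            return mode, f"URL contains denied sequence {seq!r}"

    dirs, _, name = scan_url.rpartition("/")
    if not flag("AllowDotInPath", "0") and "." in dirs:
        return mode, "dot in a directory name (AllowDotInPath=0)"
    ext = ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""
    if ext in [e.lower() for e in cfg.get("DenyExtensions", [])]:
        return mode, f"extension {ext} is in [DenyExtensions]"
    # UnescapeQueryString=1: scan both the raw and the unescaped query string.
    views = [query, unquote(query)] if flag("UnescapeQueryString", "1") else [query]
    for seq in cfg.get("DenyQueryStringSequences", []):
        if any(seq in view for view in views):
            return mode, f"query string contains denied sequence {seq!r}"
    return "allow", "passed all checks"


CFG = parse_ini(SAMPLE_INI)

if __name__ == "__main__":
    for verb, url, query in [("GET", "/tfs/web/index.aspx", ""),
                             ("GET", "/tfs/%252e%252e/web.config", ""),
                             ("GET", "/tfs/search.aspx", "q=%3Cscript%3E")]:
        print(verb, url, query, "->", check_request(CFG, verb, url, query))
```

Two points the model makes visible: a request for /tfs/%252e%252e/web.config is stopped by VerifyNormalization before any deny list is consulted, because the second decode still changes the path, and /tfs/100%25/index.aspx is stopped by the "%" entry in [DenyUrlSequences] because the escape survives the first decode. Changing AllowDotInPath to 0 in the excerpt rejects a URL such as /tfs/v1.2/index.aspx, which is why that setting is worth reviewing against your own site's URLs, and switching RejectResponseUrl to /~* turns every "reject" into a "log-only" entry, which is the logging-only mode described in the [Options] comments.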