[options] UseAllowVerbs=0 ; If 1, use [AllowVerbs] section, else use the ; [DenyVerbs] section. The default is 1. UseAllowExtensions=0 ; If 1, use [AllowExtensions] section, else ; use the [DenyExtensions] section. The ; default is 0. NormalizeUrlBeforeScan=0 ; If 1, canonicalize URL before processing. ; The default is 1. Note that setting this ; to 0 will make checks based on extensions, ; and the URL unreliable and is therefore not ; recommend other than for testing. VerifyNormalization=0 ; If 1, canonicalize URL twice and reject ; request if a change occurs. The default ; is 1. AllowHighBitCharacters=1 ; If 1, allow high bit (ie. UTF8 or MBCS) ; characters in URL. The default is 0. AllowDotInPath=1 ; If 1, allow dots that are not file ; extensions. The default is 0. Note that ; setting this property to 1 will make checks ; based on extensions unreliable and is ; therefore not recommended other than for ; testing. RemoveServerHeader=1 ; If 1, remove the 'Server' header from ; response. The default is 0. EnableLogging=0 ; If 1, log UrlScan activity. The ; default is 1. Changes to this property ; will not take effect until UrlScan is ; restarted. PerProcessLogging=0 ; This property is deprecated for UrlScan ; 3.0 and later. UrlScan 3.0 and later can ; safely log output from multiple processes ; to the same log file. Changes to this ; property will not take effect until ; UrlScan is restarted. AllowLateScanning=0 ; If 1, then UrlScan will load as a low ; priority filter. The default is 0. Note ; that this setting should only be used in ; the case where there another installed ; filter is modifying the URL and you wish ; to have UrlScan apply its rules to the ; rewritten URL. Changes to this property ; will not take effect until UrlScan is ; restarted. PerDayLogging=0 ; If 1, UrlScan will produce a new log each ; day with activity in the form ; 'UrlScan.010101.log'. If 0, UrlScan will ; log activity to urlscan.log. The default ; is 1. Changes to this setting will not ; take effect until UrlScan is restarted. UseFastPathReject=0 ; If 1, then UrlScan will not use the ; RejectResponseUrl. On IIS versions less ; than 6.0, this will also prevent IIS ; from writing rejected requests to the ; W3SVC log. UrlScan will log rejected ; requests regardless of this setting. The ; default is 0. LogLongUrls=0 ; This property is deprecated for UrlScan 3.0 ; and later. UrlScan 3.0 and later will ; always include the complete URL in its log ; file. UnescapeQueryString=0 ; If 1, UrlScan will perform two passes on ; each query string scan, once with the raw ; query string and once after unescaping it. ; If 0, UrlScan will only look at the raw ; query string as sent by the client. The ; default is 1. Note that if this property is ; set to 0, then checks based on the query ; string will be unreliable. ; ; If UseFastPathReject is 0, then UrlScan will send ; rejected requests to the URL specified by RejectResponseUrl. ; If not specified, '/Rejected-by-UrlScan' will be used. ; Changes to this setting will not take effect until UrlScan ; is restarted. ; ; Note that setting "RejectResponseUrl=/~*" will put UrlScan into Logging ; Only Mode. In this mode, UrlScan will process all requests per the ; config settings, but it will only log the results and not actually ; reject the requests. This mode is useful for testing UrlScan settings ; on a production server without actually interrupting requests. ; RejectResponseUrl= ; ; LoggingDirectory can be used to specify the directory where the ; log file will be created. This value should be the absolute path ; (ie. c:\some\path). If not specified, then UrlScan will create ; the log in the same directory where the UrlScan.dll file is located. ; Changes to this setting will not take effect until UrlScan is ; restarted. ; LoggingDirectory=Logs ; ; If RemoveServerHeader is 0, then AlternateServerName can be ; used to specify a replacement for IIS's built in 'Server' header ; AlternateServerName= ; ; UrlScan supports custom rules that can be applied in addition to the other ; checks and options specified in this configuration file. Rules should be ; listed in a comma separated string in the RuleList property. Each rule in ; the list corresponds to two sections in this configuration file, one ; containing the options for the rule, and one containing deny strings for ; the rule. ; ; Here is an example: ; ; [Options] ; RuleList=Rule1 ; ; [Rule1] ; AppliesTo=.exe,.dll ; A comma separated list of file extensions to ; ; which the rule applies. If not specified, ; ; the rule will be applied to all requests. ; ; DenyDataSection=Rule1 Data ; The name of the section containing the ; ; rule's deny strings ; ; ScanURL=0 ; If 1, the URL will be scanned for deny ; ; strings. The default is 0. ; ; ScanAllRaw=0 ; If 1, then the raw request header data will ; ; be scanned for deny strings. The default ; ; is 0. ; ; ScanQueryString=0 ; If 1, the the query string will be scanned ; ; for deny strings. The default is 0. Note ; ; that if UnescapeQueryString=1 is set in the ; ; [Options] section, then two scans will be ; ; made of the query string, one with the raw ; ; query string and one with the query string ; ; unescaped. ; ; ScanHeaders= ; A comma separated list of request headers to ; ; be scanned for deny strings. The default is ; ; no headers. ; ; DenyUnescapedPercent=0 ; If 1, UrlScan will scan the specified part ; ; of the raw request for a % character that is ; ; not used as an escape sequence. If found, ; ; the request will be rejected. This check ; ; can be used with ScanQueryString=1, ; ; ScanAllRaw=1, or the list of ScanHeaders. ; ; The default is 0. Note that if you want to ; ; deny non-escaped % characters in the URL, ; ; you can set VerifyNormalization=0 in the ; ; [Options] section and then add % as a ; ; [DenyUrlSequences] entry. ; ; [Rule1 data] ; string1 ; string2 ; RuleList= [RequestLimits] ; ; The entries in this section impose limits on the length ; of allowed parts of requests reaching the server. ; ; It is possible to impose a limit on the length of the ; value of a specific request header by prepending "Max-" to the ; name of the header. For example, the following entry would ; impose a limit of 100 bytes to the value of the ; 'Content-Type' header: ; ; Max-Content-Type=100 ; ; Any headers not listed in this section will not be checked for ; length limits. ; ; There are 3 special case limits: ; ; - MaxAllowedContentLength specifies the maximum allowed ; numeric value of the Content-Length request header. For ; example, setting this to 1000 would cause any request ; with a content length that exceeds 1000 to be rejected. ; The default is 30000000. ; ; - MaxUrl specifies the maximum length of the request URL, ; not including the query string. The default is 260 (which ; is equivalent to MAX_PATH). ; ; - MaxQueryString specifies the maximum length of the query ; string. The default is 2048. ; ;MaxAllowedContentLength=30000000 ;MaxUrl=260 ;MaxQueryString=2048 [AllowVerbs] ; ; The verbs (aka HTTP methods) listed here are those commonly ; processed by a typical IIS server. ; ; Note that these entries are effective if "UseAllowVerbs=1" ; is set in the [Options] section above. ; GET HEAD POST [DenyVerbs] ; ; The verbs (aka HTTP methods) listed here are used for publishing ; content to an IIS server via WebDAV. ; ; Note that these entries are effective if "UseAllowVerbs=0" ; is set in the [Options] section above. ; ;PROPFIND ;PROPPATCH ;MKCOL ;DELETE ;PUT ;COPY ;MOVE ;LOCK ;UNLOCK ;OPTIONS ;SEARCH [DenyHeaders] ; ; The following request headers alter processing of a ; request by causing the server to process the request ; as if it were intended to be a WebDAV request, instead ; of a request to retrieve a resource. ; ;Translate: ;If: ;Lock-Token: ;Transfer-Encoding: [AllowExtensions] ; ; Extensions listed here are commonly used on a typical IIS server. ; ; Note that these entries are effective if "UseAllowExtensions=1" ; is set in the [Options] section above. ; .htm .html .txt .jpg .jpeg .gif [DenyExtensions] ; ; Extensions listed here either run code directly on the server, ; are processed as scripts, or are static files that are ; generally not intended to be served out. ; ; Note that these entries are effective if "UseAllowExtensions=0" ; is set in the [Options] section above. ; ; Also note that ASP scripts are denied with the below ; settings. If you wish to enable ASP, remove the ; following extensions from this list: ; .asp ; .cer ; .cdx ; .asa ; ; Deny executables that could run on the server ;.exe ;.bat ;.cmd ;.com ; Deny infrequently used scripts ;.htw ; Maps to webhits.dll, part of Index Server ;.ida ; Maps to idq.dll, part of Index Server ;.idq ; Maps to idq.dll, part of Index Server ;.htr ; Maps to ism.dll, a legacy administrative tool ;.idc ; Maps to httpodbc.dll, a legacy database access tool ;.shtm ; Maps to ssinc.dll, for Server Side Includes ;.shtml ; Maps to ssinc.dll, for Server Side Includes ;.stm ; Maps to ssinc.dll, for Server Side Includes ;.printer ; Maps to msw3prt.dll, for Internet Printing Services ; Deny various static files ;.ini ; Configuration files ;.log ; Log files ;.pol ; Policy files ;.dat ; Configuration files ;.config ; Configuration files [AlwaysAllowedUrls] ; ; URLs listed here will always be explicitly allowed by UrlScan ; and will bypass all UrlScan checks. URLs must be listed ; with a leading '/' character. For example: ; ; /SampleURL.htm ; [DenyUrlSequences] ; ; If any character sequences listed here appear in the URL for ; any request, that request will be rejected. ; ;.. ; Don't allow directory traversals ;./ ; Don't allow trailing dot on a directory name ;\ ; Don't allow backslashes in URL ;: ; Don't allow alternate stream access ;% ; Don't allow escaping after normalization ;& ; Don't allow multiple CGI processes to run on a single request [AlwaysAllowedQueryStrings] ; ; Query strings listed here will always be explicitly allowed by ; UrlScan and will bypass all query string based checks. ; [DenyQueryStringSequences] ; ; If any character sequences listed here appear in the query ; string for any request, that request will be rejected. ; ;< ; Commonly used by script injection attacks ;> ; Commonly used by script injection attacks