DOCUMENT:Q313131 26-JUL-2002 [exchange] TITLE :HOW TO: Use URLScan with Exchange Outlook Web Access in Exchange PRODUCT :Microsoft Exchange PROD/VER::5.5 OPER/SYS: KEYWORDS:kbAudITPro kbHOWTOmaster ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Exchange Server, version 5.5 ------------------------------------------------------------------------------- IN THIS TASK ------------ - SUMMARY - Configure URLScan.ini to Support Outlook Web Access - Troubleshooting SUMMARY ======= This article explains how IIS administrators can use the URLScan tool to secure their Web servers against a variety of known and unknown attacks. The URLScan ISAPI filter screens inbound requests to the Web server. The filter uses rules (configured by the administrator) to block requests that contain potentially dangerous strings that could compromise a Web server. The URLScan.ini file includes the default URLScan settings. These default settings assume that the Web server serves static Web pages such as HTML files and images and also ASP pages. Features that are not supported by the default URLScan.ini configuration file include: - Outlook Web Access (OWA) - Front Page Server Extensions - WebDAV - Microsoft Index Server - Internet Printing Protocol - Server-Side Includes Configure URLScan.ini to Support Outlook Web Access --------------------------------------------------- After you install the URLScan tool and configure the tool on an Outlook Web Access (OWA) server, mail, calendar, and contact items may not appear. To restore OWA functionality, you must configure the URLScan.ini file to support OWA: 1. Start Windows Explorer, and then browse to %SystemRoot%\System32\Inetsrv\Urlscan. 2. Right-click the URLScan.ini file, and then click Open. 3. If the Open With dialog box appears, click Notepad, and then click OK. 4. Configure the URLScan.ini file to include the following entries: [Options] UseAllowVerbs=1 UseAllowExtensions=0 NormalizeUrlBeforeScan=1 VerifyNormalization=1 AllowHighBitCharacters=1 AllowDotInPath=1 RemoveServerHeader=0 EnableLogging=1 PerProcessLogging=0 AllowLateScanning=0 [AllowVerbs] GET POST SEARCH POLL PROPFIND BMOVE BCOPY SUBSCRIBE MOVE PROPPATCH BPROPPATCH DELETE BDELETE MKCOL [DenyVerbs] ; Deny verbs are empty when supporting OWA [DenyHeaders] ; the Translate header is removed from the default settings If: Lock-Token: ;[AllowExtensions] ; Remove or comment out the AllowExtensions section [DenyExtensions] ; remove the .htr extension to support Change Password functionality .asp .cer .cdx .asa .exe .bat .cmd .com .htw .ida .idq .htr .idc .shtm .shtml .stm .printer .ini .log .pol .dat [DenyUrlSequences] .. ./ \ % & Troubleshooting --------------- It is vitally important that you update your Web servers with the latest security patches. This is even more important if you need to use any of the features in the preceding list. You can find the most recent security patches at the following Microsoft Web site: www.microsoft.com/technet/security Additional query words: ====================================================================== Keywords : kbAudITPro kbHOWTOmaster Technology : kbZNotKeyword6 kbExchangeSearch kbExchange550 kbExchangeClientSearch kbZNotKeyword2 Version : :5.5 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.