Note: URLScan is a security tool that restricts the types of HTTP requests that IIS will process.
[options]
UseAllowVerbs=1 ; If 1, use [AllowVerbs] section, else use the
; [DenyVerbs] section.
UseAllowExtensions=0 ; If 1, use [AllowExtensions] section, else use
; the [DenyExtensions] section.
NormalizeUrlBeforeScan=1 ; If 1, canonicalize URL before processing.
VerifyNormalization=0 ; If 1, canonicalize URL twice and reject request
; if a change occurs.
AllowHighBitCharacters=0 ; If 1, allow high bit (ie. UTF8 or MBCS)
; characters in URL.
AllowDotInPath=1 ; If 1, allow dots that are not file extensions.
RemoveServerHeader=1 ; If 1, remove the 'Server' header from response.
EnableLogging=1 ; If 1, log UrlScan activity.
PerProcessLogging=0 ; If 1, the UrlScan.log filename will contain a PID
; (ie. UrlScan.123.log).
AllowLateScanning=0 ; If 1, then UrlScan will load as a low priority
; filter.
PerDayLogging=1 ; If 1, UrlScan will produce a new log each day with
; activity in the form 'UrlScan.010101.log'.
UseFastPathReject=0 ; If 1, then UrlScan will not use the
; RejectResponseUrl or allow IIS to log the request.
LogLongUrls=1 ; If 1, then up to 128K per request can be logged.
; If 0, then only 1k is allowed.
;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/' will be used.
;
RejectResponseUrl=
;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (ie. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;
;LoggingDirectory=C:\Windows\system32\inetsrv\urlscan\logs
LoggingDirectory=E:\LogFiles\urlscan\logs
;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;
AlternateServerName=
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0'). Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
; string. The default is 2048.
;
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
Transfer-Encoding:
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.htm
.html
.txt
.jpg
.jpeg
.gif
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings. If you wish to enable ASP, remove the
; following extensions from this list:
; .asp
; .cer
; .cdx
; .asa
;
; Deny ASP requests
;.asp
;.cer
;.cdx
;.asa
; Deny executables that could run on the server
;.exe
.bat
.cmd
.com
; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
;% ; Don't allow escaping after normalization
;& ; Don't allow multiple CGI processes to run on a single request
References
==========
[1] http://www.microsoft.com/technet/security/tools/urlscan.mspx