URLSCAN – it's back
James Leinweber, Hygiene Lab / UW-MIST
on-again, off-again
- request filtering is also available for Microsoft Internet Information Server
  – the official Microsoft tool is URLSCAN, created for IIS 4, which had a terrible security record
- many URLSCAN capabilities were bundled into IIS 6, making it less interesting at the time
- now SQL injection risks have brought it back as a defense-in-depth option
  – latest version 3.1 installs into IIS 5, 6 and 7
  – PCI-DSS checklist item
about URLSCAN
- instantiated by an ISAPI filter DLL
- typically installed with highest priority, so it can reject malformed requests before anything else tries to process them
  – you can substitute your own response for the 404 if you need to
- the URLSCAN.INI file is heavily commented
  – this is most of the documentation, alas
new in URLSCAN 3.1
- W3C logging style available
- site-specific installs
  – sites can now have different URLSCAN configurations if one global one won't suffice
- AlwaysAllowed* options and sections can override your complicated deny rules
- escape sequences can match non-printable characters
- add your own sections with RuleList=
  – allows different behaviors for different page types
try the oversimplified exercise
- the world's wimpiest IIS web site has two static pages
- we'll block the second one using a URL substring
- goals are
  – to modify the INI file
  – to read the log file after a block
  – to see where the plugin hooks into the IIS configuration