CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Microsoft provides an Internet Server Application Programming Interface (ISAPI) filter called URLScan, which examines incoming requests very early in the processing cycle and rejects those it deems unacceptable. URLScan was initially released with the IISLockDown tool. The IISLockDown tool, when run on Windows 2000 machines, disables a number of IIS features that were enabled by default, thus reducing the attack surface of IIS 5.0. There is no IISLockDown tool for IIS 6.0, as IIS 6.0 ships in a locked-down state.
URLScan is a security tool that restricts the types of HTTP requests that IIS will process. By blocking specific HTTP requests, the URLScan security tool helps prevent potentially harmful requests from reaching the server. URLScan v2.5 has been updated to work with IIS 6.0, and installs on servers running IIS 4.0 and later.
Many of the features of URLScan were absorbed into IIS 6.0. However, URLScan still offers a number of features, and additional configuration flexibility, that IIS 6.0 does not provide natively.
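To make concrete what "restricting the types of HTTP requests that IIS will process" looks like, here is an added Python sketch (not Microsoft's code and not from this book) that models the kind of screening URLScan performs. The urlscan.ini-style text is constructed for this illustration; it reuses section and option names from urlscan.ini (AllowVerbs, DenyExtensions, DenyUrlSequences, RequestLimits, AllowDotInPath, VerifyNormalization), but the filter itself is a simplified hypothetical model, not the real ISAPI filter.

```python
from configparser import ConfigParser
from urllib.parse import unquote
# Constructed urlscan.ini-style text: section and key names follow urlscan.ini, the values are sample choices.
SAMPLE_INI = """
[Options]
UseAllowVerbs=1
AllowDotInPath=0
VerifyNormalization=1
[AllowVerbs]
GET
HEAD
POST
[DenyExtensions]
.exe
.ida
[DenyUrlSequences]
..
./
[RequestLimits]
MaxUrl=260
"""

def load_config(text):
    cp = ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep verbs and extensions exactly as written (no lower-casing)
    cp.read_string(text)
    return cp

def screen(request_line, cp):
    """Return (accepted, reason) for one well-formed HTTP request line (hypothetical filter)."""
    verb, url, _ = request_line.split(" ", 2)
    opts = cp["Options"]
    if opts.getboolean("UseAllowVerbs") and verb not in cp["AllowVerbs"]:
        return False, "verb not in AllowVerbs"
    if len(url) > cp["RequestLimits"].getint("MaxUrl"):
        return False, "MaxUrl exceeded"
    decoded = unquote(url)  # scan the normalized form, not the raw bytes
    if opts.getboolean("VerifyNormalization") and unquote(decoded) != decoded:
        return False, "URL still changes on second decode (double encoding)"
    path = decoded.split("?", 1)[0]
    for seq in cp["DenyUrlSequences"]:
        if seq in path:
            return False, f"denied sequence {seq!r}"
    segments = path.split("/")
    if not opts.getboolean("AllowDotInPath") and any("." in s for s in segments[:-1]):
        return False, "dot in a directory name"
    ext = "." + segments[-1].rsplit(".", 1)[1] if "." in segments[-1] else ""
    if ext.lower() in cp["DenyExtensions"]:
        return False, f"denied extension {ext}"
    return True, "accepted"
```

Each rejection reason corresponds to one class of check that the real filter logs, which is what makes a URLScan log useful for spotting probing traffic before it reaches application code.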
Microsoft provides information about URLScan capabilities at www.microsoft.com/technet/security/tools/urlscan.mspx. Included is a comparison between URLScan's capabilities and IIS 6.0's native capabilities to help evaluate whether URLScan is appropriate for your server.
URLScan can be downloaded from www.microsoft.com/technet/security/tools/urlscan.mspx. To install URLScan, run the setup.exe file. To uninstall it at any time, use the Add/Remove Programs Control Panel. Once URLScan is installed, you can configure its settings by...