Back in April there were reports that surfaced stating that web sites running on Internet Information Services (IIS) had been compromised by an automated attack that used vulnerabilities in web pages that did not follow security for best practices. These websites were taken advantage of via SQL injection attacks. While the only way to completely prevent SQL injection attacks is by following proper development best practices, URL Scan 3.0 is an updated IIS feature that will allow server administrators to help mitigate SQL injection attacks until the web application can be updated to protect against SQL injection. This post will provide more details on the latest version of this technology.
URL Scan 3.0
Who’s it for? IT Professionals and Website Administrators.
When does it ship? URL Scan 3.0 was released to the Web on 8/21/08 and can be downloaded from the following locations:
· 32 Bit: http://www.iis.net/go/1697
· 64 Bit: http://www.iis.net/go/1698
(Wow looking at those nice clean URL’s makes me want to post about another new IIS feature. I guess more on that later.)
What does it do? When installed and configured on a server running IIS 5.1 or higher, URLScan can scan incoming http requests and if the request contains content that is undesirable (like a SQL injection attack), that request can be rejected. By filtering these requests, URLScan helps prevent unwanted requests from potentially damaging the web application or even the web server.
How is URLScan different than the request filtering module that ships with IIS 7? The request filtering module does not have the ability to filter based on query strings like URLScan 3.0 does. Also you cannot specify rules applying to multiple parts of an HTTP request.
So didn’t URLScan exist before? Yes. URLScan 2.5 was originally released as part of the IIS Lockdown Tool and if you are using URLSCan 2.5, you can use your existing configuration file with URLScan 3.0 and everything will function fine. Plus you get the added URLScan 3.0 features!
What are the new URLScan 3.0 features? While the configuration format of URLScan 3.0 is the same as it’s predecessor, there are a number of new sections in the configuration to support the following new features:
· Deny rules can be independently applied to a query string, all headers, a particular header, a URL or a combination of the above.
· Configuration change notifications are propagated to the IIS worker processes so configuration changes don’t require worker process restarts.
· The global DENYQUERYSTRING section of the configuration file allows you to add deny rules for query strings and include an option to check the un-escaped version of the query string.
· The global ALWAYSALLOWEDQUERYSTRINGS section allows for the specification of safe query strings that will bypass all query string checks. (This feature was not in the previously released URLScan 3.0 beta).
· Descriptive configuration errors are now available in W3C formatted logging. This feature was also not available in the beta.
· Escape sequences like (%0A%0D) can now be used in deny rules allowing to deny CTRLF and other sequences involving non-printable characters.
How can URLScan be setup? URLScan can be setup up either as a global filter or a site level filter. A global filter is triggered for every HTTP request sent to the server. Site level filters are only invoked for HTTP requests sent to particular sites on a IIS server. Starting with URLScan 3.0 site filters can be used in conjunction with global filters.