*sigh* I found the answer moments after posting to the list. Here is the answer if anybody ever runs into this:

To enable or disable URL Scanning

1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Extensions, and then click Web Filters.
2. In the details pane, right-click the Web filter named URLScan Filter and then:
   o To enable the filter, click Enable.
   o To disable the filter, click Disable.
3. Review the URLScan.ini file, located in the ISA Server installation folder.
4. If necessary, overwrite URLScan.ini with one of these configuration files:
   o URLScan_owa.ini. This configuration file is optimized to help securely publish Microsoft(r) Exchange Outlook(r) Web Access (OWA) servers.
   o URLScan_iis.ini. This configuration file is useful for standard IIS Server publishing.
5. Restart the Web Proxy service (w3proxy) to apply the changes.

Notes
* To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

Turns out there is a help file for URLScan in the install directory for ISA.

Pardon the interruption,
Matt

-----Original Message-----
From: Bailey, Matthew
Sent: Tuesday, October 07, 2003 10:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Web Server HTTP Trace Method Support Cross Site Tracing Vulnerability

http://www.ISAserver.org

It seems to be OWA day on the list. I am back with this problem. Since running the URLScan from feature pack 1, I am getting a lot of "page cannot be displayed" when accessing certain messages. From the URLScan logs the problem seems to be these settings in the URLScan.ini:

    [DenyUrlSequences]
    ..   ; Don't allow directory traversals
    %    ; Don't allow escaping after normalization

I already know that I need to change the .. to ../ according to a KB article. I am also seeing the % causing problems so I want to comment that out.
Here is my problem: How do I rerun URLScan on ISA? The first time I used isafp1ur.exe to run URLScan, but I am not sure where it installed it and how to rerun it. The log files are in the ISA installation directory and so are three ini files (urlscan.ini, urlscan_iis.ini, and urlscan_owa.ini). Not sure which one it is using to configure URLScan or how to re-run with an updated ini file. When I re-launch isafp1ur.exe, it wants to reinstall it and doesn't give me the option to specify an ini.

Thanks,
Matt

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, October 01, 2003 8:41 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Web Server HTTP Trace Method Support Cross Site Tracing Vulnerability

http://www.ISAserver.org

ISA supports URLScan with the templates supplied in the download. Bear in mind that you can use the IIS-sourced download of URLScan IF it's version 2.5.
Remember that any vulnerability assessment is only as good as the latest update to the tool itself. If you've installed the latest patches and fixes delivered by MS, then that "result" sounds like a false positive.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Bailey, Matthew" <MBailey@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, October 01, 2003 08:22
Subject: [isalist] Web Server HTTP Trace Method Support Cross Site Tracing Vulnerability

http://www.ISAserver.org

We are in the process of assessing any vulnerabilities on our external-facing interfaces. I currently have OWA published through our ISA server and a scan of the external IP reveals the following vulnerability:

Web Server HTTP Trace Method Support Cross Site Tracing Vulnerability

Details: A Web server was detected that supports the HTTP TRACE method.
This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered.

Solution for IIS:
Microsoft IIS: Microsoft released URLScan, which can be used to screen all incoming requests based on customized rulesets. URLScan can be used to sanitize or disable the TRACE requests from the clients. Note that IIS aliases 'TRACK' to 'TRACE'. Therefore, if URLScan is used to specifically block the TRACE method, the TRACK method should also be added to the filter.

URLScan uses the 'urlscan.ini' configuration file, usually in the \System32\InetSrv\URLScan directory. In that, we have two sections - AllowVerbs and DenyVerbs. The former is used if the UseAllowVerbs variable is set to 1, else (if it's set to 0), the DenyVerbs are used. Clearly, either can be used, depending on whether we want a Default-Deny-Explicit-Allow or a Default-Allow-Explicit-Deny policy.

To disallow TRACE and TRACK methods through URLScan, first remove the 'TRACK' and 'TRACE' methods from the 'AllowVerbs' section and add them to the 'DenyVerbs' section. With this, URLScan will disallow all 'TRACE' and 'TRACK' methods, and generate an error page for all requests using that method. To enable the changes, restart the 'World Wide Web Publishing Service' from the 'Services' Control Panel item.

So, I have run URLScan on the server that is running OWA with the settings recommended by the above article and the settings recommended by MS for an OWA server. However, it didn't close the vulnerability. I am wondering if the actual vulnerability is from the ISA server since OWA is published through it.

Here are my questions:
Is it possible that the vulnerability is on ISA and NOT on OWA?
Can I run URLScan on the ISA server? And will it have any actual effect since IIS isn't even running?
Will it break ISA?
This is driving me nuts and any help would be appreciated,
- Matt

Matthew Bailey
LAN Engineer
CSK Auto, Inc.
Voice: 602.631.7486
Fax: 602.294.7486

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
All mail from this domain is virus-scanned with RAV.
www.ravantivirus.com
^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
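As an added example, not code from the thread or from Microsoft's URLScan, the following Python script parses a constructed URLScan-style ini offline and shows two things the messages discuss: how the UseAllowVerbs switch decides whether TRACE and TRACK are rejected, and why a bare '..' entry in DenyUrlSequences also rejects legitimate OWA message URLs that contain '...' or '%', while '../' does not. The substring-match semantics and the sample paths are assumptions made for the demonstration.

```python
"""Offline check of URLScan-style verb and URL-sequence rules (added example)."""
from typing import Dict, List

# Constructed sample ini, not a file from the thread. Section and option names
# are the ones URLScan uses; the entries reflect the fixes discussed above.
SAMPLE_INI = """
[Options]
UseAllowVerbs=1   ; 1 = AllowVerbs is authoritative, 0 = DenyVerbs is

[AllowVerbs]
GET
POST
HEAD

[DenyVerbs]
TRACE
TRACK

[DenyUrlSequences]
../   ; directory traversal; a bare '..' also matched '...' in OWA subjects
;%    ; commented out: OWA URLs legitimately contain escaped characters
"""


def parse_urlscan_ini(text: str) -> Dict[str, List[str]]:
    """Minimal parser: sections hold bare entries; ';' starts a comment."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def verb_allowed(cfg: Dict[str, List[str]], verb: str) -> bool:
    """UseAllowVerbs=1: only listed AllowVerbs pass; otherwise DenyVerbs are refused."""
    options = dict(e.split("=", 1) for e in cfg.get("Options", []) if "=" in e)
    verb = verb.upper()
    if options.get("UseAllowVerbs", "1").strip() == "1":
        return verb in {v.upper() for v in cfg.get("AllowVerbs", [])}
    return verb not in {v.upper() for v in cfg.get("DenyVerbs", [])}


def url_blocked(cfg: Dict[str, List[str]], path: str) -> bool:
    """Assumed semantics: any DenyUrlSequences entry found as a substring rejects the URL."""
    return any(seq in path for seq in cfg.get("DenyUrlSequences", []))
```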