Article ID: 823175
This article describes how to use the Urlscan 2.5 security tool to fine-tune the types of requests that Internet Information Services (IIS) 4.0 and later processes on a Microsoft Exchange Server 2003 computer, and describes known issues that may occur when you use Urlscan 2.5 with Exchange Server 2003. After you install the Urlscan 2.5 tool, you can edit its configuration to fine-tune how IIS handles requests and to help enhance the security of your computer. Some of the changes that are described in this article depend on the Exchange 2003 computer's role. For example, if your Exchange 2003 computers are dedicated to providing only Microsoft Outlook Web Access (OWA), public folder administration, or Web folders, you can remove settings that are not required for those respective services.
During installation, the Urlscan tool assumes that multiple services are installed on a single Exchange Server 2003 computer. Therefore, to help enhance the security of the computer, you must edit the Urlscan.ini configuration file to remove any extraneous functionality. To customize the Urlscan.ini file for your particular Exchange 2003 computer role, you must remove verbs in the [AllowVerbs] section of the Urlscan.ini file. However, make sure that the recommended verbs for your computer's role are included to obtain appropriate functionality. If multiple Web-based features are required on a single computer, you must merge the appropriate [AllowVerbs] section requirements.
To edit the configuration file after you install the Urlscan tool, open the Urlscan.ini file. The Urlscan.ini file is located in the following folder on your Exchange Server 2003 computer:
%WinDir%\System32\Inetsrv\Urlscan
Note To download the Urlscan 2.5 tool, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=23d18937-dd7e-4613-9928-7f94ef1c902a
You can modify the Urlscan.ini file based on the Exchange 2003 computer's role by using the information from the Exchange Server 2003 Urlscan template that is included in this article. If you already modified a Urlscan.ini file for Exchange 2000, you can use that file as a starting point and change it as required for your Exchange 2003 configuration.
Important After you modify the Urlscan.ini file, you must reset the IIS services. To do this, type IISRESET at a command prompt, and then press ENTER.
Exchange Server 2003 Urlscan template
; Exchange 2003 Urlscan configuration for OWA, Outlook Mobile Access, Exchange ActiveSync,
; remote procedure call over Hypertext Transfer Protocol, and Web Folders.
; Version 1.1

[options]
; NOTE: Customers with Exchange 2003 running on Windows Server 2003 with URLScan installed may need to modify the "VerifyNormalization=1"
; option in this template to be "VerifyNormalization=0" if they encounter a "404" error when attempting to open messages or items that contain
; the "+" symbol in the subject or name.
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
RejectResponseUrl=
UseFastPathReject=1
;LoggingDirectory=
LogLongUrls=0

[AllowVerbs]
; These are the only verbs that are permitted.
GET
POST
PROPFIND
PROPPATCH
BPROPPATCH
MKCOL
DELETE
BDELETE
BCOPY
MOVE
SUBSCRIBE
BMOVE
POLL
SEARCH
HEAD
PUT
OPTIONS
RPC_OUT_DATA
RPC_IN_DATA
X-MS-ENUMATTS
LOCK
UNLOCK

[DenyVerbs]

[DenyHeaders]
;
; Request headers that are listed in this section cause Urlscan to
; reject any request where these request headers are present.
;
; List headers in the form
; Header-Name:
transfer-encoding:

[AllowExtensions]
;.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]
; Deny executable files that might run on the server.
; DO NOT include .exe in this list if Exchange 2003 OWA is configured to use SMIME as that would disable OWA.
.exe
.bat
.cmd
.com
; Deny scripts that are used infrequently.
.htw      ; Maps to webhits.dll, part of Index Server.
.ida      ; Maps to idq.dll, part of Index Server.
.idq      ; Maps to idq.dll, part of Index Server.
.htr      ; Maps to ism.dll, a previous administrative tool.
.idc      ; Maps to httpodbc.dll, a previous database access tool.
.shtm     ; Maps to ssinc.dll for server-side includes.
.shtml    ; Maps to ssinc.dll for server-side includes.
.stm      ; Maps to ssinc.dll for server-side includes.
.printer  ; Maps to msw3prt.dll for Internet printing services.
; Deny various static files.
.ini      ; Configuration files
.log      ; Log files
.pol      ; Policy files
.dat      ; Configuration files
; Deny extensions for Outlook Mobile Access.
.asax
.ascx
.config
.cs
.csproj
.licx
.pdb
.resx
.resources
.vb
.vbproj
.vsdisco
.webinfo
.xsd
.xsx
; .dll    ; Cannot do this for RPC over HTTP or for Exchange ActiveSync.

[DenyUrlSequences]
..        ; Do not permit directory traversals.
./        ; Do not permit trailing dot on a directory name.
\         ; Do not permit backslashes in URL.
%         ; Do not permit escaping after normalization.
&         ; Do not permit multiple Common Gateway Interface processes to run on a single request.

[RequestLimits]
MaxAllowedContentLength=1073741824
MaxUrl=16384
MaxQueryString=4096
Fine-tune Exchange Server 2003
Outlook Web Access
The following is a list of verbs that are required in the [AllowVerbs] section for Outlook Web Access (OWA), when you configure OWA as a Web-based feature on a front-end computer or a back-end computer:
Outlook Mobile Access
The following is a list of verbs that are required in the [AllowVerbs] section for Outlook Mobile Access, when you configure Outlook Mobile Access as a Web-based feature on a front-end computer:
Exchange Server ActiveSync
The following is a list of verbs that are required in the [AllowVerbs] section for Exchange Server ActiveSync, when you configure Exchange ActiveSync as a Web-based feature on a front-end computer:
Remote Procedure Call over Hypertext Transfer Protocol
The following is a list of verbs that are required in the [AllowVerbs] section for RPC over HTTP:
Web folders
The following is a list of verbs that are required in the [AllowVerbs] section for Web folders:
Public folder management
The following is a list of verbs that are required in the [AllowVerbs] section for public folder management:
Exchange Server 2003 Web-based feature request limits
The following table lists the request limits for each Web-based feature on an Exchange Server 2003 computer. You can customize the template to restrict request limits based on the computer's role. If multiple Web-based features are required on a single computer, you must use the highest request limits value.
Note The MaxAllowedContentLength for OWA computers and Outlook Mobile Access back-end computers is based on a default maximum message size of 10 megabytes. You can change this setting based on your existing messaging size requirements.
Entourage X with the Microsoft Exchange Update or Entourage 2004
The following is a list of verbs that are required in the [AllowVerbs] section for Entourage X with the Microsoft Exchange Update or Entourage 2004:
Known issues
The following sections describe known issues that you might experience and information about how to correct those issues. Each section refers to a component that may be affected and specifies the Urlscan.ini file section that you must modify.
Exchange ActiveSync
Component: Exchange ActiveSync
Issue: Primary SMTP address
Section to modify: [DenyExtensions]
By default, the Urlscan.ini template lists .com in the [DenyExtensions] section, so Urlscan rejects any request whose URL contains a .com extension. Exchange ActiveSync in Microsoft Exchange Server 2003 Service Pack 2 (SP2) uses logon functionality that is similar to that of Microsoft Outlook Web Access: it uses the user's full SMTP address instead of the mailbox alias when it builds the request to the /exchange virtual directory. If the user's primary SMTP address ends in .com, Urlscan on the mailbox server rejects that request with an IIS 404 error, and Exchange ActiveSync reports the failure back to the client as an internal server error (HTTP 500). To resolve this issue, remove .com from the [DenyExtensions] section of the Urlscan.ini file on the mailbox server, and then run IISRESET.
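The following Python program is an added example, not part of this article and not UrlScan's own code. It models how the [AllowVerbs], [DenyHeaders], [DenyExtensions], [DenyUrlSequences] and [RequestLimits] sections of Urlscan.ini are applied to a request, using a reduced excerpt of the template above, and reproduces the Exchange ActiveSync known issue: the SP2 logon request for a user whose primary SMTP address ends in .com is rejected because of the .com entry, and passes once that entry is removed from [DenyExtensions]. The request path /exchange/user@contoso.com/Inbox and the domain contoso.com are constructed for the example, and the extension check, which compares the trailing ".xxx" of every dotted path segment, is a simplification of UrlScan's real behaviour.

```python
"""Simplified model of how UrlScan 2.5 applies [AllowVerbs], [DenyHeaders],
[DenyExtensions], [DenyUrlSequences] and [RequestLimits] to a request.
Added example, not UrlScan's own code; its real checks are more involved."""

# Constructed excerpt of the Exchange 2003 template above, reduced to the
# sections this model evaluates; comments are kept to exercise the parser.
TEMPLATE_INI = """\
[AllowVerbs]
; These are the only verbs that are permitted.
GET
PROPFIND
RPC_IN_DATA
[DenyHeaders]
transfer-encoding:
[DenyExtensions]
.exe
.com      ; rejects /exchange/<smtp address> when the address ends in .com
.ini
[DenyUrlSequences]
..        ; Do not permit directory traversals.
\\
[RequestLimits]
MaxAllowedContentLength=1073741824
"""

def parse_ini(text):
    """Return {section: [entry, ...]}; ';' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def build_rules(sections):
    """Normalize parsed sections into the lookup structures the checker uses."""
    limits = {k.strip(): int(v) for k, _, v in
              (e.partition("=") for e in sections.get("RequestLimits", []))}
    return {
        "verbs": {v.upper() for v in sections.get("AllowVerbs", [])},
        "deny_headers": {h.rstrip(":").lower() for h in sections.get("DenyHeaders", [])},
        "deny_ext": {e.lower() for e in sections.get("DenyExtensions", [])},
        "deny_seq": list(sections.get("DenyUrlSequences", [])),
        "limits": limits,
    }

def check_request(rules, verb, url, headers=None, content_length=0):
    """Return None if the request would pass, otherwise the rejection reason."""
    if verb.upper() not in rules["verbs"]:
        return f"verb {verb} not in [AllowVerbs]"
    for name in headers or {}:
        if name.lower() in rules["deny_headers"]:
            return f"header {name} in [DenyHeaders]"
    path = url.partition("?")[0]
    for seq in rules["deny_seq"]:
        if seq in path:
            return f"sequence {seq!r} in [DenyUrlSequences]"
    # Simplification: with AllowDotInPath=1 a dot may occur in any segment, so
    # the trailing ".xxx" of every dotted segment is compared with [DenyExtensions].
    for segment in path.split("/"):
        if "." in segment:
            ext = "." + segment.rsplit(".", 1)[1].lower()
            if ext in rules["deny_ext"]:
                return f"extension {ext} in [DenyExtensions]"
    if content_length > rules["limits"]["MaxAllowedContentLength"]:
        return "body larger than MaxAllowedContentLength"
    return None

def remove_denied_extension(ini_text, ext):
    """Return ini_text with `ext` removed from [DenyExtensions] only."""
    out, section = [], None
    for raw in ini_text.splitlines():
        stripped = raw.split(";", 1)[0].strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif section == "DenyExtensions" and stripped.lower() == ext.lower():
            continue
        out.append(raw)
    return "\n".join(out) + "\n"

# Constructed SP2 ActiveSync logon request for a user whose primary SMTP
# address is user@contoso.com (the address and domain are assumptions).
ACTIVESYNC_URL = "/exchange/user@contoso.com/Inbox"

def activesync_known_issue(ini_text=TEMPLATE_INI):
    """Check the ActiveSync request before and after dropping .com from
    [DenyExtensions]; returns (reason_before, reason_after)."""
    before = check_request(build_rules(parse_ini(ini_text)), "GET", ACTIVESYNC_URL)
    fixed = remove_denied_extension(ini_text, ".com")
    after = check_request(build_rules(parse_ini(fixed)), "GET", ACTIVESYNC_URL)
    return before, after

if __name__ == "__main__":
    rules = build_rules(parse_ini(TEMPLATE_INI))
    print("ActiveSync before/after:", activesync_known_issue())
    print("traversal:", check_request(rules, "GET", "/exchange/../winnt/"))
```

Run it directly to print the before/after result for the ActiveSync request; the same functions can be pointed at a full Urlscan.ini by passing its contents to parse_ini. The model does not implement URL normalization (NormalizeUrlBeforeScan, VerifyNormalization) or logging, so it is a way to reason about which section a rejection comes from, not a substitute for testing the change against IIS after IISRESET.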
Outlook Web Access
Public folder management
For more information about known issues and fine tuning when you use the IIS Lockdown Wizard in an Exchange 2000 environment, click the following article number to view the article in the Microsoft Knowledge Base:
309677 Known issues and fine tuning when you use the IIS Lockdown Wizard in an Exchange 2000 Server environment (http://support.microsoft.com/kb/309677/)