OWA issue certain emails don't open


From: jas0n (no_at_email.here)
Date: 09/29/04


Date: Wed, 29 Sep 2004 23:25:31 +0100

Win2k / Exch2k / OWA

In looking into a problem with certain emails not opening I found it was
down to the IISlockdown tool, in particular the Urlscan.ini file. The
following section of urlscan.ini disables the ability to view emails in
OWA that contain these characters in the subject line:-

[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request

The urlscan.ini file is located at:-

C:\WINNT\system32\inetsrv\urlscan\urlscan.ini

So, I understand it is a security risk to enable these but want to know
exactly how much of a risk it is, as currently we have an operational
problem with people not able to read mails that contain those characters
in the subject line, which is very irritating for the users, but I don't
want to open up a major security hole just for the sake of it.

Looking at the characters, I am thinking that the majority of email that
is currently a problem to the users would be the ones with '..' or '&'
in the subject line, so if I enabled just those then it doesn't open it
all up to abuse .... or does it? I don't really understand the security
issues surrounding the above [DenyUrlSequences] so .... can anyone
elaborate on this please?
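
An added example, not part of the original post: a small audit script that parses the [DenyUrlSequences] section quoted above and reports which entry would reject a given subject line, so the operational cost of each rule can be measured before any of them is relaxed. It assumes the item URL is built as /exchange/user/Inbox/<subject>.EML and that the check is a plain substring match on the decoded URL; the function names and sample subjects are constructed for illustration.

```python
# Added example (not from the post): approximate the [DenyUrlSequences] check.
# Section text is copied from the post; the raw string keeps the lone backslash.
URLSCAN_SECTION = r"""[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
"""

# Constructed sample subjects, for illustration only.
SAMPLE_SUBJECTS = ["Meeting notes", "Q&A session", "Wait... what",
                   "100% done", "See ./docs folder", "Thanks."]


def parse_deny_sequences(ini_text):
    """Return the entries of [DenyUrlSequences] with ';' comments stripped."""
    sequences, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[denyurlsequences]"
        elif in_section:
            sequences.append(line)
    return sequences


def denied_by(url_path, sequences):
    """List every deny sequence that occurs in the (already decoded) URL path."""
    return [seq for seq in sequences if seq in url_path]


def audit_subjects(subjects, sequences, prefix="/exchange/user/Inbox/"):
    """Map each blocked subject to the sequences that block it.

    The prefix and the '.EML' suffix are an assumed URL layout.
    """
    report = {}
    for subject in subjects:
        hits = denied_by(prefix + subject + ".EML", sequences)
        if hits:
            report[subject] = hits
    return report


if __name__ == "__main__":
    seqs = parse_deny_sequences(URLSCAN_SECTION)
    for subject, hits in audit_subjects(SAMPLE_SUBJECTS, seqs).items():
        print(f"{subject!r} blocked by {hits}")
```

Under the assumed layout, a subject that merely ends in a full stop also trips the '..' entry, because the trailing dot meets the dot of the .EML suffix.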


