Re: urlscan + OWA spell checker

From: "Andrew Sword [MVP]" <exchange.mvp@xxxxxxxxxxxxxxxxxxxx>
Date: Sun, 29 May 2005 17:46:02 +1000

urlscan can be reversed by running it again and selecting the relevant
options.

Try these articles

http://support.microsoft.com/default.aspx?scid=kb;en-us;823175

http://www.internetaccessmonitor.com/eng/products/articles/Using_IIS_Lockdown_Tool_to_Secure_Exchange_Installations/Using_IIS_Lockdown_Tool_to_Secure_Exchange_Installations.php

"Brian Edwards" <BrianEdwards@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7A2F9A11-E07D-4A66-832B-E5C1CEF9DC90@xxxxxxxxxxxxxxxx
> After enabling urlscan on my Exchange 2003 server, my OWA users can no
> longer
> use the spell checker. I have modified the urlscan.ini file to support
> .dll
> extensions, as required by the spell checker, but can't seem to make it
> work.
> Also, I was wondering if I am missing any customization options in my
> urlscan.ini file. Recommendations?
>
> TIA.
>
> Error from urlscan log file:
> Client at 192.168.0.132: URL contains extension '.dll', which is
> disallowed.
> Request will be rejected. Site Instance='1', Raw
> URL='/exchweb/bin/spell/owaspell.dll'
>
> urlscan.ini:
> ; Exchange 2003 Urlscan configuration for OWA, Outlook Mobile Access,
> Exchange ActiveSync,
> ; remote procedure call over Hypertext Transfer Protocol, and Web Folders.
> ; Version 1.1
> [options]
> ; NOTE: Customers with Exchange 2003 running on Windows Server 2003 with
> URLScan installed may need to modify the "VerifyNormalization=1"
> ; option in this template to be "VerifyNormalization=0" if they encounter
> a
> "404" error when attempting to open messages or items that contain
> ; the "+" symbol in the subject or name.
> UseAllowExtensions=0
> NormalizeUrlBeforeScan=1
> VerifyNormalization=0
> AllowHighBitCharacters=1
> AllowDotInPath=1
> RemoveServerHeader=0
> EnableLogging=1
> PerProcessLogging=0
> AllowLateScanning=0
> PerDayLogging=1
> RejectResponseUrl=
> UseFastPathReject=1
> ;LoggingDirectory=
> LogLongUrls=0
>
> [AllowVerbs]
> ; These are the only verbs that are permitted.
> GET
> POST
> PROPFIND
> PROPPATCH
> BPROPPATCH
> MKCOL
> DELETE
> BDELETE
> BCOPY
> MOVE
> SUBSCRIBE
> BMOVE
> POLL
> SEARCH
> HEAD
> PUT
> OPTIONS
> RPC_OUT_DATA
> RPC_IN_DATA
> X-MS-ENUMATTS
> LOCK
> UNLOCK
>
> [DenyVerbs]
>
> [DenyHeaders]
> ;
> ; Request headers that are listed in this section cause Urlscan to
> ; reject any request where these request headers are present.
> ;
> ; List headers in the form
> ; Header-Name:
> transfer-encoding:
>
> [AllowExtensions]
> ;.asp
> .cer
> .cdx
> .asa
> .htm
> .html
> .txt
> .jpg
> .jpeg
> .gif
> .dll
>
> [DenyExtensions]
> ; Deny executable files that might run on the server.
> ; DO NOT include .exe in this list if Exchange 2003 OWA is configured to
> use
> SMIME as that would disable OWA.
> .exe
> .bat
> .cmd
> .com
>
> ; Deny scripts that are used infrequently.
> .htw ; Maps to webhits.dll, part of Index Server.
> .ida ; Maps to idq.dll, part of Index Server.
> .idq ; Maps to idq.dll, part of Index Server.
> .htr ; Maps to ism.dll, a previous administrative tool.
> .idc ; Maps to httpodbc.dll, a previous database access tool.
> .shtm ; Maps to ssinc.dll for server-side includes.
> .shtml ; Maps to ssinc.dll for server-side includes.
> .stm ; Maps to ssinc.dll for server-side includes.
> .printer ; Maps to msw3prt.dll for Internet printing services.
>
> ; Deny various static files.
> .ini ; Configuration files
> .log ; Log files
> .pol ; Policy files
> .dat ; Configuration files
>
> ; Deny extensions for Outlook Mobile Access.
> .asax
> .ascs
> .config
> .cs
> .csproj
> .licx
> .pdb
> .resx
> .resources
> .vb
> .vbproj
> .vsdisco
> .webinfo
> .xsd
> .xsx
> ;.dll ; Cannot do this for RPC over HTTP or for Exchange ActiveSync.
>
> [DenyUrlSequences]
> .. ; Do not permit directory traversals.
> ./ ; Do not permit trailing dot on a directory name.
> \ ; Do not permit backslashes in URL.
> % ; Do not permit escaping after normalization.
> & ; Do not permit multiple Common Gateway Interface processes to run on
> a
> single request.
>
> [RequestLimits]
> MaxAllowedContentLength=1073741824
> MaxUrl=16384
> MaxQueryString=4096

.

Follow-Ups:
- Re: urlscan + OWA spell checker
  - From: Brian Edwards

References:
- urlscan + OWA spell checker
  - From: Brian Edwards

Prev by Date: Exchange 2003 Mailbox Manager
Next by Date: Re: AUTODL DOCUMENTATION
Previous by thread: urlscan + OWA spell checker
Next by thread: Re: urlscan + OWA spell checker
Index(es):
- Date
- Thread

Relevant Pages

Re: IIS infection prevention from W32.Nimda.A@mm/TROJ_NIMDA.A
... IIS infection prevention from W32.Nimda.A@mm/TROJ_NIMDA.A ... I would not use URLScan or the IIS Lockdown tool on any Exchange 2000 server ...
(NT-Bugtraq)
RE: OWA with "+" in the subject
... What version of Exchange and Windows server that Exchange is running on? ... If Exchange is running on Windows 2003 with URLScan installed or enable, ...
(microsoft.public.exchange.clients)
urlscan + OWA spell checker
... After enabling urlscan on my Exchange 2003 server, my OWA users can no longer ... Maps to webhits.dll, part of Index Server. ...
(microsoft.public.exchange.admin)
Re: Problem with OWA
... The problem is I have unfortunately deleted the virtual IIS directory on the Exchange 2003 ... Backend Server. ... Looking for reinstalling OWA 2003, but seems not possible in Exchange 2003, you must reinstall ... Tell them URLScan protects your ...
(microsoft.public.exchange2000.setup.installation)
Re: Problem with OWA
... The problem is I have unfortunately deleted the virtual IIS directory on the Exchange 2003 ... Backend Server. ... Looking for reinstalling OWA 2003, but seems not possible in Exchange 2003, you must reinstall ... Tell them URLScan protects your ...
(microsoft.public.exchange.setup)