CorvettePower.COM
8Sep/04

How to configure URLScan and Exchange 2003

http://support.microsoft.com/default.aspx?scid=kb;en-us;823175


During installation, the Urlscan tool assumes that multiple services are installed on a single Exchange Server 2003 computer. Therefore, to help enhance the security of the computer, you must edit the Urlscan.ini configuration file to remove any functionality the computer's role does not need. To customize the Urlscan.ini file for your particular Exchange 2003 computer role, remove the verbs from the [AllowVerbs] section of the Urlscan.ini file that the role does not use, but make sure that the verbs recommended for your computer's role remain, or that functionality will break. If multiple Web-based features are required on a single computer, you must merge the [AllowVerbs] requirements of each feature into one section.


To edit the configuration file after you install the Urlscan tool, open the Urlscan.ini file. The Urlscan.ini file is located in the following folder on your Exchange Server 2003 computer:


%WinDir%\System32\Inetsrv\Urlscan


Note To download the Urlscan 2.5 tool, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=23d18937-dd7e-4613-9928-7f94ef1c902a

The recommended Urlscan.ini for Exchange 2003 follows, with key highlights:

; Exchange 2003 Urlscan configuration for OWA, Outlook Mobile Access, Exchange ActiveSync,
; remote procedure call over Hypertext Transfer Protocol, and Web Folders.
; Version 1.1
[options]
; NOTE: Customers with Exchange 2003 running on Windows Server 2003 with URLScan installed may need to modify the "VerifyNormalization=1"
; option in this template to be "VerifyNormalization=0" if they encounter a "404" error when attempting to open messages or items that contain
; the "+" symbol in the subject or name.
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
RejectResponseUrl=
UseFastPathReject=1
;LoggingDirectory=
LogLongUrls=0

[AllowVerbs]
; These are the only verbs that are permitted.
GET
POST
PROPFIND
PROPPATCH
BPROPPATCH
MKCOL
DELETE
BDELETE
BCOPY
MOVE
SUBSCRIBE
BMOVE
POLL
SEARCH
HEAD
PUT
OPTIONS
RPC_OUT_DATA
RPC_IN_DATA
X-MS-ENUMATTS
LOCK
UNLOCK

[DenyVerbs]

[DenyHeaders]
;
; Request headers that are listed in this section cause Urlscan to
; reject any request where these request headers are present.
;
; List headers in the form
; Header-Name:
transfer-encoding:

[AllowExtensions]
;.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]
; Deny executable files that might run on the server.
; DO NOT include .exe in this list if Exchange 2003 OWA is configured to use SMIME as that would disable OWA.
.exe
.bat
.cmd
.com

; Deny scripts that are used infrequently.
.htw ; Maps to webhits.dll, part of Index Server.
.ida ; Maps to idq.dll, part of Index Server.
.idq ; Maps to idq.dll, part of Index Server.
.htr ; Maps to ism.dll, a previous administrative tool.
.idc ; Maps to httpodbc.dll, a previous database access tool.
.shtm ; Maps to ssinc.dll for server-side includes.
.shtml ; Maps to ssinc.dll for server-side includes.
.stm ; Maps to ssinc.dll for server-side includes.
.printer ; Maps to msw3prt.dll for Internet printing services.

; Deny various static files.
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files

; Deny extensions for Outlook Mobile Access.
.asax
.ascs
.config
.cs
.csproj
.licx
.pdb
.resx
.resources
.vb
.vbproj
.vsdisco
.webinfo
.xsd
.xsx
; .dll ; Cannot do this for RPC over HTTP or for Exchange ActiveSync.

[DenyUrlSequences]
.. ; Do not permit directory traversals.
./ ; Do not permit trailing dot on a directory name.
\ ; Do not permit backslashes in URL.
% ; Do not permit escaping after normalization.
& ; Do not permit multiple Common Gateway Interface processes to run on a single request.

[RequestLimits]
MaxAllowedContentLength=1073741824
MaxUrl=16384
MaxQueryString=4096
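As an added example (it is neither Microsoft's URLScan code nor part of the KB article), the following Python parses a Urlscan.ini written in the format above and applies a simplified model of URLScan's checks to sample requests, so you can see which section rejects which request. The embedded ini is a constructed subset of the template above. Assumptions: UseAllowVerbs defaults to 1 when the key is absent, inline `;` comments are stripped, [DenyUrlSequences] is matched against the decoded path (not the query string), and AllowDotInPath and AllowHighBitCharacters are not modelled.

```python
"""Simplified model of URLScan 2.5 request filtering (added example, not Microsoft code)."""
from urllib.parse import unquote

# Constructed subset of the Exchange 2003 Urlscan.ini template.
SAMPLE_INI = r"""
[options]
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=1

[AllowVerbs]
; These are the only verbs that are permitted.
GET
POST
PROPFIND
BPROPPATCH
RPC_IN_DATA
RPC_OUT_DATA

[DenyVerbs]

[DenyHeaders]
transfer-encoding:

[AllowExtensions]
;.asp
.htm

[DenyExtensions]
.exe ; Do not deny .exe if OWA uses S/MIME.
.bat
.ida ; Maps to idq.dll, part of Index Server.
.ini ; Configuration files

[DenyUrlSequences]
.. ; Do not permit directory traversals.
./ ; Do not permit trailing dot on a directory name.
\ ; Do not permit backslashes in URL.
% ; Do not permit escaping after normalization.
& ; Do not permit multiple CGI processes on a single request.

[RequestLimits]
MaxAllowedContentLength=1073741824
MaxUrl=16384
MaxQueryString=4096
"""


def parse_urlscan_ini(text):
    """Parse Urlscan.ini text: key=value sections become dicts, list sections become lists."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            cfg.setdefault(section, {} if section in ('options', 'requestlimits') else [])
        elif section is not None:
            if isinstance(cfg[section], dict):
                key, _, value = line.partition('=')
                cfg[section][key.strip().lower()] = value.strip()
            else:
                cfg[section].append(line)
    return cfg


def _option(cfg, key, default):
    return int(cfg.get('options', {}).get(key.lower(), default))


def _limit(cfg, key, default):
    # fallbacks apply only when the key is missing from [RequestLimits]
    return int(cfg.get('requestlimits', {}).get(key.lower(), default))


def _extension(path):
    last = path.rsplit('/', 1)[-1]
    return last[last.rfind('.'):].lower() if '.' in last else ''


def check_request(cfg, verb, url, headers=None, content_length=0):
    """Return (allowed, reason) for one request: verb, limits, normalization, sequences, extension, headers."""
    headers = headers or {}
    verb_u = verb.upper()
    if _option(cfg, 'UseAllowVerbs', 1):  # assumed default when the key is absent
        if verb_u not in {v.upper() for v in cfg.get('allowverbs', [])}:
            return False, f'verb {verb_u} not in [AllowVerbs]'
    elif verb_u in {v.upper() for v in cfg.get('denyverbs', [])}:
        return False, f'verb {verb_u} in [DenyVerbs]'
    path, _, query = url.partition('?')
    if len(url) > _limit(cfg, 'MaxUrl', 260):
        return False, 'URL exceeds MaxUrl'
    if len(query) > _limit(cfg, 'MaxQueryString', 2048):
        return False, 'query string exceeds MaxQueryString'
    if content_length > _limit(cfg, 'MaxAllowedContentLength', 30000000):
        return False, 'body exceeds MaxAllowedContentLength'
    scan_path = path
    if _option(cfg, 'NormalizeUrlBeforeScan', 1):
        scan_path = unquote(path)  # decode once, then scan the decoded form
        if _option(cfg, 'VerifyNormalization', 1) and unquote(scan_path) != scan_path:
            return False, 'URL changes when normalized twice (VerifyNormalization)'
    for seq in cfg.get('denyurlsequences', []):
        if seq in scan_path:
            return False, f'URL contains denied sequence {seq!r}'
    ext = _extension(scan_path)
    if _option(cfg, 'UseAllowExtensions', 0):
        if ext not in {e.lower() for e in cfg.get('allowextensions', [])}:
            return False, f'extension {ext!r} not in [AllowExtensions]'
    elif ext in {e.lower() for e in cfg.get('denyextensions', [])}:
        return False, f'extension {ext!r} in [DenyExtensions]'
    denied = {h.lower().rstrip(':') for h in cfg.get('denyheaders', [])}
    if any(name.lower() in denied for name in headers):
        return False, 'request carries a header listed in [DenyHeaders]'
    return True, 'ok'


CFG = parse_urlscan_ini(SAMPLE_INI)

if __name__ == '__main__':
    for req in [('GET', '/exchange/user/inbox/hello.eml'), ('GET', '/scripts/cmd.exe'),
                ('GET', '/exchange/../winnt/win.ini'), ('GET', '/exchange/a%252e%252e/')]:
        print(req, check_request(CFG, *req))
```

Note the ordering: the path is percent-decoded once before the `%` entry in [DenyUrlSequences] is applied, which is why the template's comment says "after normalization", and the double-decode comparison is the VerifyNormalization behaviour that the template's note suggests switching off if OWA returns 404 for items whose names contain "+".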
