Problem with URLSCAN and VIRTUAL SERVER 2005

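  • Question

  • Problem with URLSCAN and VIRTUAL SERVER 2005

    Hello everyone. Host A has URLSCAN 3.1 and VIRTUAL SERVER 2005 installed, but I have found a problem: the VIRTUAL SERVER 2005 management interface is administered through IIS, but the URL string of its pages contains exe, and when URLSCAN sees exe it blocks the request, so I cannot manage the server through the VIRTUAL SERVER 2005 management interface. Has anyone else on this board run into the same situation, and how did you solve it?

    Or can URLSCAN be configured so that connections from the internal network are not restricted for exe, while connections from the external network are restricted for exe?

    April 24, 2009, 03:32 AM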

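Answer

  • I don't have an environment to test this in at the moment.
    I found an official article; it seems you can configure a list of safe sites. You can take a look at it for reference.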

    Common URLScan Scenarios
    http://learn.iis.net/page.aspx/476/common-urlscan-scenarios/

    I have excerpted the passage below for your reference.

    --------------------------------------------------------------------- 

    Creating Safe-List For URLs and Query Strings

    URLScan v3.1 allows you to specify safe URLs and query strings that will bypass all checks and rules. In URLScan v3.0 they only bypassed URL or query string checks respectively, but in URLScan v3.1 they will bypass all checks and rules. This feature must be used with caution, since wrong configuration in this section could let malicious requests bypass your deny rules. If a user always wants to allow the URL ‘/my.login.page.asp’ for instance even though it might trigger a deny rule defined, you can add configuration as below to allow this.

    [AlwaysAllowedUrls]
    /my.login.page.asp

    It is important to note that the leading ‘/’ is required for the URL to be accepted as a valid URL. If a user wants to allow a query string ‘session<1’ which might otherwise trigger a deny rule defined, you can add configuration as below to allow this.


    [AlwaysAllowedQueryStrings]
    session<1

    Note that you do not need to specify query strings leading with the ‘?’ character.

    • Proposed as answer by Vincent Lin, April 28, 2009, 09:37 AM
    • Marked as answer by Vincent Lin, April 30, 2009, 07:43 AM
    April 25, 2009, 03:11 AM
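
An added example, not part of the original thread or of the quoted Microsoft article: a small Python check that audits the safe-list sections quoted in the answer above. It flags `[AlwaysAllowedUrls]` entries without the required leading '/', query strings written with a leading '?', and safe-listed URLs whose extension also appears in `[DenyExtensions]`, since those bypass the deny rule. The sample file contents and the `/placeholder-admin/console.exe` path are constructed, and treating lines that start with ';' as comments is an assumption.

```python
import posixpath

# Constructed sample UrlScan.ini fragment; the .exe path is a hypothetical placeholder.
SAMPLE_INI = """\
[DenyExtensions]
.exe
.bat

[AlwaysAllowedUrls]
/placeholder-admin/console.exe
my.login.page.asp

[AlwaysAllowedQueryStrings]
?session<1
session<1
"""

def parse_sections(text):
    """Return {lowercased section name: [entries]}, skipping blanks and ';' comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # assumption: ';' starts a comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit_safe_lists(text):
    """Return (section, entry, problem) tuples for safe-list entries worth reviewing."""
    s = parse_sections(text)
    denied = {e.lower() for e in s.get("denyextensions", [])}
    findings = []
    for url in s.get("alwaysallowedurls", []):
        if not url.startswith("/"):
            findings.append(("AlwaysAllowedUrls", url, "missing leading '/'"))
        ext = posixpath.splitext(url)[1].lower()
        if ext in denied:
            # Safe-listed URLs skip all checks in v3.1, so this entry overrides the deny rule.
            findings.append(("AlwaysAllowedUrls", url, f"bypasses deny rule for {ext}"))
    for qs in s.get("alwaysallowedquerystrings", []):
        if qs.startswith("?"):
            findings.append(("AlwaysAllowedQueryStrings", qs, "leading '?' not needed"))
    return findings

if __name__ == "__main__":
    for finding in audit_safe_lists(SAMPLE_INI):
        print(*finding, sep=" | ")
```

Each entry reported as bypassing a deny rule is a deliberate exception that should be kept to the exact URL needed, because in URLScan v3.1 a safe-listed URL skips every other check as well.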