IIS · December 18, 2023

IIS for Newbie: Install and configure URLScan

IIS for Newbies: Install and Configure URLScan

As a newbie to web hosting and server management, it's important to familiarize yourself with the various tools and configurations available to ensure the security and performance of your website. One such tool is URLScan, which is used to filter and block potentially harmful requests to your server. In this article, we will guide you through the process of installing and configuring URLScan on your IIS server.

Step 1: Download URLScan

The first step is to download URLScan from the official Microsoft website. URLScan is a free security tool provided by Microsoft to enhance the security of IIS servers. Visit the Microsoft Download Center and search for "URLScan" to find the latest version available for download. Once downloaded, extract the contents of the ZIP file to a location on your server.

Step 2: Install URLScan

After extracting the contents of the ZIP file, navigate to the extracted folder and locate the "Setup" file. Double-click on it to start the installation process. Follow the on-screen instructions to complete the installation. Once installed, URLScan will be ready to use.

Step 3: Configure URLScan

Now that URLScan is installed, it's time to configure it to meet your specific security requirements. Locate the "urlscan.ini" file in the installation directory and open it using a text editor.

Within the "urlscan.ini" file, you will find various configuration options that allow you to customize the behavior of URLScan. Some of the most commonly used options include:

  • AllowDotInPath: Specifies whether URLs with dots in the path are allowed.
  • AllowLateScanning: Determines whether URLScan scans the request body.
  • NormalizeUrlBeforeScan: Controls whether URLScan normalizes the URL before scanning.
  • UseAllowVerbsList: Enables or disables the use of the "AllowVerbs" list.

Review each option and modify the values according to your requirements. It's important to strike a balance between security and functionality, so make sure to thoroughly understand the implications of each configuration option.

Step 4: Test URLScan

After configuring URLScan, it's crucial to test its effectiveness. Send various requests to your server and observe how URLScan handles them. Check the server logs and URLScan logs to ensure that potentially harmful requests are being blocked or filtered as expected.

Summary

Installing and configuring URLScan is an essential step in securing your IIS server. By filtering and blocking potentially harmful requests, URLScan helps protect your website from various types of attacks. As a newbie to server management, it's important to familiarize yourself with tools like URLScan to ensure the security and performance of your website.

For more information on VPS hosting and to explore our top-notch VPS solutions, visit Server.HK. Our hosting services provide the perfect platform for implementing security measures like URLScan to safeguard your website.