Patch me if you can: Cyberattack Series
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
This article in our free security tools series focuses on the benefits of the URLScan Security Tool. Attackers often use websites to conduct phishing attacks or distribute malware. According to the Microsoft Security Intelligence Report Volume 13, there were 4.4 phishing sites per 1,000 Internet hosts worldwide in the second quarter of 2012 (2Q12) alone. Malicious websites typically appear to be completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques in an effort by attackers to take advantage of the trust users have in them.
One of the best ways to keep potentially malicious Internet traffic from attacking your Internet Information Services (IIS) Web server is to keep it from getting to the Web server service. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. One tool Microsoft created a few years back to help protect users from malicious webpages is URLScan.
URLScan is a security tool that restricts the types of HTTP requests that IIS will process. URLScan scans incoming URL requests and associated data. It uses a series of rules to determine whether the information in each request is potentially dangerous, or contains information not normally expected. To help you diagnose any potential problems and any attempts to upset your server, URLScan can also log requests—including the offending request data. By blocking specific HTTP requests, the URLScan security tool helps to prevent potentially harmful requests from reaching applications on the server.
Using this tool allows much greater control over what requests an IIS Web server responds to and helps reduce the systems susceptibility to certain types of known attacks and methods used by viruses, worms, and hackers. While URLScan technologies (such as built in Request Filtering Module) are built in to IIS 7 or newer versions of IIS, it is still a valuable tool for systems that are running IIS 6.0 and below. For reference, below is a list of the operating systems and their default IIS version:
Operating System | Internet Information Server (IIS) Version |
Windows XP | IIS 5.1 |
Windows Server 2003 | IIS 6.0 |
Windows Vista | IIS 7.0 |
Windows Server 2008 | IIS 7.0 |
Windows Server 2008 R2 | IIS 7.5 |
Windows 8 | IIS 8.0 |
Windows Server 2012 | IIS 8.0 |
The filters in URLScan are based upon rules that the administrator configures. Administrators may configure URLScan to reject HTTP requests based on the following criteria:
Because URLScan works as a filter before the information is passed on to the script or application that handles the request, it can act as a buffer, so you don’t have to modify your existing code. Therefore, if a request is identified as being a potential risk, the script can immediately return an HTTP 404 message to the client, without the information ever reaching the script. This help to protect the script, your Web site and your server.
If you are using older Microsoft technologies such as IIS 6.0 on Windows XP or Windows Server 2003 then I encourage you to run URLScan to help protect against attackers trying to compromise your web server. Please note that that end of support for Windows XP SP3 is April 8, 2014. Migrate to Windows 7 or Windows 8 ASAP. The end of extended support for Windows Server 2003 is July 14, 2015. For more information on URLScan, please check out these helpful resources:
Tim Rains
Director
Trustworthy Computing