IIS Lockdown and URLScan – Error 404

This article is for Cart32 users who hold their own full license and run IIS on their own web hosting machine.

Some IIS users may have installed a Microsoft add-on called “IIS Lockdown”. It is often bundled with another add-on, “URLScan”, which rejects requests for files with certain extensions.

If this add-on is installed and you receive HTTP Error 404 when requesting your executable files (.exe, .dll, .com, etc.), you may need to add an exception in the URLScan configuration. To do so, follow these steps:

  1. Navigate to the directory on your server where URLScan was installed. By default this is %systemroot%\system32\inetsrv\urlscan.
  2. Open the URLScan.ini file in Notepad.
  3. If the [Options] section at the top of the file contains “UseAllowExtensions=0” (the default), URLScan uses the [DenyExtensions] list to DENY requests for files with the listed extensions. By default that list contains .exe, .cmd, .com and .bat. In this case:
     • .exe files are executables used by many CGI applications (Cart32 uses this).
     • Place a “;” (no quotes) in front of the .exe entry in URLScan.ini to comment it out. .exe files can then run on your website (make sure Scripts and Executables are also permitted on your /cgi-bin/ directory in IIS).
     • Before: .exe
     • After: ;.exe
  4. If the file contains “UseAllowExtensions=1”, URLScan uses the [AllowExtensions] list and ALLOWS only files with the listed extensions. By default that list contains .asp, .cer, .cdx, .asa, .htm, .html, .txt, .jpg, .jpeg and .gif. In this case:
     • Add “.exe” (no quotes) on its own line right before the .asp entry.
     • Before:
       .asp
       .cer
     • After:
       .exe
       .asp
       .cer
  5. Save the changes to URLScan.ini and close Notepad.
  6. Restart IIS.

Here is an example URLScan.ini file, using UseAllowExtensions=0 with .exe commented out in [DenyExtensions] as described in step 3:

[Options]
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section (Notice we use Deny here)
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove "Server" header from response
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1 ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /
UseFastPathReject=0 ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]

;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;

Translate:
If:
Lock-Token:

[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif

;.idq
;.htw
;.ida
;.idc
.shtm
.shtml
.stm
;.htr
;.printer

[DenyExtensions]
; This is where the deny extensions list is

;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;

; Deny executables that could run on the server
;.exe (Notice how the .exe is commented out by using a semicolon)
.bat
.cmd
.com

; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
;.shtm ; Maps to ssinc.dll, for Server Side Includes
;.shtml ; Maps to ssinc.dll, for Server Side Includes
;.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files

;.asp
;.cer
;.cdx
;.asa

[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
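The following Python model shows why the two edits in steps 3 and 4 change the verdict for a request such as /cgi-bin/cart32.exe, and how the comment marker and the [DenyUrlSequences] list in the example file above take effect. It is an added example, not URLScan's own code and not anything shipped with Cart32; the ini text inside it is a constructed excerpt, and the model assumes that ';' starts a comment (whole line or trailing), that the request extension is the suffix from the last dot of the last path segment (a URL with no extension counts as '.'), that matching is case-insensitive, and that [DenyUrlSequences] entries are matched against the path rather than the query string.

```python
"""Model of URLScan's extension check and of the two edits described above.
Added example, not URLScan's or Cart32's code. Assumed: ';' starts a comment
(whole line or trailing); the request extension is the suffix from the last
'.' of the last path segment, '.' if there is none; matching ignores case;
[DenyUrlSequences] is matched against the path, not the query string."""

# Constructed excerpt modelled on the example file above, but with .exe still
# active in [DenyExtensions], i.e. the state that produces the 404.
SAMPLE_INI = """\
[Options]
UseAllowExtensions=0 ; if 1, use [AllowExtensions], else [DenyExtensions]

[AllowExtensions]
.asp
.htm

[DenyExtensions]
; Deny executables that could run on the server
.exe
.ini ; Configuration files

[DenyUrlSequences]
.. ; directory traversal
\\ ; backslashes in URL
"""

def _active(raw_line):
    """Active part of a line: comment stripped, whitespace trimmed, lower-cased."""
    return raw_line.split(";", 1)[0].strip().lower()

def parse_urlscan_ini(text):
    """Return {section: [entries]}; comments and blank lines are dropped."""
    sections, current = {}, None
    for line in map(_active, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def request_extension(url):
    """'.exe' for /cgi-bin/cart32.exe; '.' when the last segment has no dot."""
    last = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return last[last.rfind("."):] if "." in last else "."

def urlscan_verdict(ini_text, url):
    """Return (allowed, reason) for one request under the given ini text."""
    sections = parse_urlscan_ini(ini_text)
    path = url.split("?", 1)[0].lower()
    for seq in sections.get("denyurlsequences", []):
        if seq in path:
            return False, "path contains DenyUrlSequences entry %r" % seq
    ext = request_extension(url)
    options = dict(e.partition("=")[::2] for e in sections.get("options", []))
    if options.get("useallowextensions") == "1":
        listed = ext in sections.get("allowextensions", [])
        return listed, "%s is %sin [AllowExtensions]" % (ext, "" if listed else "not ")
    listed = ext in sections.get("denyextensions", [])
    return not listed, "%s is %sin [DenyExtensions]" % (ext, "" if listed else "not ")

def _edit_section(ini_text, section, target, transform):
    """Replace the first line inside [section] whose entry is target with transform(line)."""
    out, in_section = [], False
    for raw in ini_text.splitlines():
        active = _active(raw)
        if active.startswith("[") and active.endswith("]"):
            in_section = active == "[%s]" % section.lower()
        elif in_section and active == target.lower():
            out.extend(transform(raw))
            in_section = False  # edit the first match only
            continue
        out.append(raw)
    return "\n".join(out) + "\n"

def comment_out_entry(ini_text, section, entry):
    """Step 3 above (deny mode): '.exe' becomes ';.exe'."""
    return _edit_section(ini_text, section, entry, lambda raw: [";" + raw])

def insert_entry_before(ini_text, section, anchor, new_entry):
    """Step 4 above (allow mode): new_entry goes on its own line right before anchor."""
    return _edit_section(ini_text, section, anchor, lambda raw: [new_entry, raw])

def demo(url="/cgi-bin/cart32.exe"):
    """Verdicts for url under both modes, before and after the matching fix."""
    deny_fixed = comment_out_entry(SAMPLE_INI, "DenyExtensions", ".exe")
    allow_mode = SAMPLE_INI.replace("UseAllowExtensions=0", "UseAllowExtensions=1")
    allow_fixed = insert_entry_before(allow_mode, "AllowExtensions", ".asp", ".exe")
    return {
        "deny mode, .exe listed": urlscan_verdict(SAMPLE_INI, url),
        "deny mode, .exe commented out": urlscan_verdict(deny_fixed, url),
        "allow mode, .exe not listed": urlscan_verdict(allow_mode, url),
        "allow mode, .exe added": urlscan_verdict(allow_fixed, url),
    }

if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print("%-30s %s: %s" % (case, "allowed" if allowed else "REJECTED", reason))
```

Running the file prints the four verdicts: the request is rejected while .exe sits uncommented in [DenyExtensions] or is absent from [AllowExtensions], and allowed after the matching edit. The model is only a reading aid; confirm the real filter's behaviour on your server by requesting the file after the restart and checking the UrlScan log that EnableLogging=1 produces, which records the requests the filter rejected and why.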
