Ever wanted to control which applications or URLs get passed (or, more importantly, blocked) by your MOSS web front-end servers?
I recently came across a MOSS 2007 customer who wanted to block certain requests coming from specific applications (e.g. MSIE Crawler, MS Access). The client was using Windows 2003 with IIS 6.0.
There are usually several ways to ‘skin a cat’; in this case URLScan 3.1 seemed like a perfect candidate for the job, and it is a free download:
Statement on the tin:
"UrlScan 3.1 screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed." http://www.iis.net/extensions/UrlScan
Note: Most of the features of URLScan 3.1 have been incorporated into IIS 7.0, so if you’re using IIS 7.0 you should be able to achieve the above easily from the GUI; see the TechNet documentation on IIS 7.0.
From the looks of it, all we need to do is download and install URLScan 3.1 and then add a few entries to the urlscan.ini file that identify and deny specific user agents. (The urlscan.ini file is located in the C:\Windows\System32\inetsrv\urlscan folder.)
To test whether this actually worked, we created the entries below in the .ini file to block access to all ‘Mozilla’ requests (n.b. user agent strings can be taken from IIS log entries):
[Options]
RuleList=DenyUserAgent
[DenyHeaders]
Transfer-Encoding:
[DenyUserAgent]
DenyDataSection=AgentStrings
ScanHeaders=User-Agent
[AgentStrings]
Mozilla
These entries will need to be made on all of the servers assigned the WFE role. For testing, you can just amend your hosts file to direct your traffic to one specific front end, as we did.
To our delight, when we tried browsing to any site hosted on our web server, we received the error page described in:
Error page returned when URLScan rejects request
http://technet.microsoft.com/en-us/library/cc751375.aspx
Now that we have the format specified in urlscan.ini, all we need to do is identify which user agents we want to block and add these under [AgentStrings] (btw, don’t forget to remove Mozilla, otherwise no one will get through :)
To identify your agent strings, use a combination of the entries from your IIS logs, which will look something like: Microsoft Office/11.0 (Windows NT 5.1; Microsoft Office Access 11.0.8221; Pro) (don’t forget to replace the + signs with spaces), and the list of user agent strings from this site: http://www.useragentstring.com/pages/useragentstring.php
We managed to successfully block the following applications, which responded with ‘unable to connect to server’ and ‘unable to connect to site’ messages:
[AgentStrings]
;Browsers
Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1) Gecko/20090624 Firefox/3.5
;Applications
Microsoft Office/12.0 (Windows NT 5.1; Microsoft Office Access 12.0.6320; Pro)
You should also see the corresponding entries in the IIS logs:
Success:
2009-07-15 12:49:15 10.162.74.223 GET /Rejected-By-UrlScan ~/default.aspx 80 GLOBAL\9739330 10.174.146.69 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-GB;+rv:1.9.1)+Gecko/20090624+Firefox/3.5 200 0 0 346 579 31
We blocked MS Access and got the messages ‘unable to connect to server’ and ‘unable to connect to site’, as expected. You can probably modify these to redirect to something more appropriate, but these were sufficient for us.
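The log-driven steps above (collecting agent strings from the IIS logs, swapping + for spaces, and confirming the Rejected-By-UrlScan entries) can be scripted. The Python below is an added example, not part of the original post or of URLScan. It assumes W3C logs that carry a #Fields header and that [AgentStrings] entries match as case-insensitive substrings; the function names and the sample log are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format; field order mirrors the log line in the post.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-07-15 12:40:01 10.0.0.5 GET /default.aspx - 80 - 10.0.0.21 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 5120 410 46
2009-07-15 12:41:10 10.0.0.5 GET /_vti_bin/owssvr.dll - 80 - 10.0.0.22 Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Access+12.0.6320;+Pro) 200 0 0 2048 380 62
2009-07-15 12:42:30 10.0.0.5 GET /Rejected-By-UrlScan ~/default.aspx 80 - 10.0.0.23 Opera/9.64+(Windows+NT+5.1;+U;+en)+Presto/2.1.1 200 0 0 346 579 31
2009-07-15 12:43:02 10.0.0.5 GET /default.aspx - 80 - 10.0.0.21 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 5120 410 40
"""

def parse_user_agents(log_text):
    """Return (all_agents, rejected_agents) Counters keyed by decoded User-Agent."""
    fields, seen, rejected = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):         # skip truncated or malformed rows
            continue
        row = dict(zip(fields, values))
        agent = row.get("cs(User-Agent)", "-").replace("+", " ")  # IIS logs spaces as '+'
        if agent == "-":
            continue
        seen[agent] += 1
        if row.get("cs-uri-stem", "").lower() == "/rejected-by-urlscan":
            rejected[agent] += 1
    return seen, rejected

def would_block(agent_strings, agents):
    """Agents containing any deny string (assumption: case-insensitive substring match)."""
    needles = [s.lower() for s in agent_strings if s and not s.startswith(";")]
    return sorted(a for a in agents if any(n in a.lower() for n in needles))

if __name__ == "__main__":
    seen, rejected = parse_user_agents(SAMPLE_LOG)
    for agent, hits in seen.most_common():
        print(hits, agent)
    print("Already rejected:", list(rejected))
    print("'Mozilla' would block:", would_block(["Mozilla"], seen))
```

Running would_block with a proposed [AgentStrings] list against the agents seen in production logs shows which legitimate clients a short entry such as Mozilla would also catch before the change goes onto the front ends.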