URLScan with WHS?

  • Question

  • I run two other web sites along with the WHS default site on my WHS box, one of which uses a SQL database. On my old Win2K server I had installed the URLScan filter for the added security.
    Does anyone have any success stories with installing URLScan on a WHS? Tips or things to watch out for?
    Thank you.
    Sunday, February 14, 2010 2:38 AM

Answers

  • From the Microsoft TechNet web site:

    UrlScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality that is equal to or better than most of the features of UrlScan 2.5.

    I think that says all you need to know.
    I'm not on the WHS team, I just post a lot. :)
    Sunday, February 14, 2010 3:29 AM
    Moderator

All replies

  • Ken, thanks much for that link. That was exactly the type of info I needed.

    Two things: The paragraph above the paragraph you quoted leads in the other direction - "Microsoft Windows Server™ 2003 has many built-in features that help secure IIS 6.0 servers. UrlScan provides some additional functionality, such as verb control, beyond what IIS 6.0 provides. Also, some organizations have integrated UrlScan features into their server management practices for IIS and for other Microsoft servers. If you want to utilize the additional functionality and features of UrlScan 2.5 or simply maintain your current security management, then consider installing and using UrlScan with IIS 6.0."

    Second, URLScan is currently up to version 3.1, which has security features even IIS 7 does not yet have. I need to run SQL and the newer URLScan also filters query strings so that's the one I am interested in feedback on. It does seem to allow different rules for each site, an improvement over 2.5, which might work out fine as I can lock down my sites while leaving the WHS sites alone.
    Sunday, February 14, 2010 6:29 PM
  • I don't know what you've done with your web sites. You'll have to make the call there. Do you actually need URLScan, or are you just very security-conscious?

    What I do know is that the externally exposed sites on Windows Home Server are pretty safe: there's only a tiny amount of surface area before you have to authenticate, past that point it doesn't matter, and they're ASP.Net applications with a limited number of purposes/entry points anyway. On OEM servers with other web applications (the original HP MediaSmart servers, for example) the additional web apps are generally served by a completely separate web server, not IIS.
    I'm not on the WHS team, I just post a lot. :)
    Sunday, February 14, 2010 6:37 PM
    Moderator