IIS Informant: Enabling ASP After IIS Lockdown

I recently applied the URLScan filter. Now my Active Server Pages (ASP) scripts no longer function, even though I allowed the .asp extension in the urlscan.ini file. What else do I need to do to make ASP work?

The IIS Lockdown tool includes two programs: the IIS Lockdown program and the URLScan Internet Server API (ISAPI) filter, both of which can restrict the use of ASP scripts. As an ISAPI filter, URLScan can intercept requests from clients that want to run an ASP script and stop the requests from reaching the server. URLScan filters out requests for ASP scripts if you select the Static Web server template when you run the IIS Lockdown tool, as Figure 1 shows, or if you disable ASP when viewing the template settings.

As you mentioned, you can configure the urlscan.ini file in systemdrive:winntsystem32inetsrvulrscan to correct the URLScan portion of the problem. In the [DenyExtensions] section of the file (which will look like the code that Listing 1, page 6, shows if you chose the Static Web server template), remove the .asp, .cer, .cdx, and .asa extensions. Then, save the modified file and restart IIS. URLScan will no longer intercept requests for ASP scripts.

When you choose the Static Web server template, the IIS Lockdown tool maps the .asp extension to 404.dll, which returns a File not found error. To correct the IIS Lockdown portion of the problem and reenable ASP functionality, you must remove the mapping to 404.dll and replace it with a map to systemdrive:winntsystem32inetsrvasp.dll.

As an alternative to editing urlscan.ini and application mapping, you can rerun the IIS Lockdown tool to return your IIS configuration to its prelockdown state. Then, you can run the Lockdown tool again and select the Dynamic Web server (ASP enabled) template to properly enable ASP. However, you'll lose any changes you've made to the IIS configuration in Internet Services Manager (ISM) 5.0 or Internet Service Manager (ISM) 4.0 since you ran the Lockdown tool the first time. For more information about URLScan, see Randy Franklin Smith, "Protect Your IIS Server with URLScan," page 6.