In June of this year, we released a beta version of UrlScan 3.0, which can help mitigate SQL injection attacks. Today, we’re happy to announce the final release of UrlScan 3.0 for Internet Information Services (IIS).
UrlScan 3.0 is a security tool that restricts the types of HTTP requests that IIS will process. By blocking specific HTTP requests, the UrlScan 3.0 security tool helps to prevent potentially harmful requests from reaching applications on the server. UrlScan 3.0 is an update to UrlScan 2.5 and requires IIS 5.1 or later, including the latest IIS 7.0 on Windows Server 2008.
Nazim Lala, who works on the IIS development team responsible for UrlScan 3.0, describes some of the feature additions in the release-to-web (RTW) version over on the IIS.net community portal. You can also read the walkthrough articles on how to install and use the tool.
The UrlScan 3.0 filter can easily be deployed to mitigate SQL injection attacks while the root cause is being fixed. Remember, UrlScan 3.0 is merely a stopgap that gives you time to address flaws in Web application code that might make it vulnerable to SQL injection attacks. If the root cause is not fixed, the risk remains.
We know you probably know this already, but as a reminder, even though the UrlScan 3.0 security tool can help protect your server from attacks, you should always evaluate and apply the latest security updates from Microsoft.