My Short and to the (Share)Point thoughts

SharePoint and URLSCAN just don’t get along

For my latest SharePoint Extranet deployment, I had a lot of issues with basic SharePoint functionality which I have never had issues with before.

  • I could only upload a file up to 28MB in size, despite having the file upload limit set to 100MB (following these instructions from Microsoft - KB925083 & KB94481).
  • Office Integration didn't work (checkout didn’t work and “Edit in Office” opened the document in Read-Only mode, which is pretty useless for a collaboration tool).

My SharePoint site was published via ISA Server 2006, so I made use of persistent cookies to enable the Office integration to work.  I had tested this in my test environment and both the file upload limit and Office integration worked as expected.

Whilst troubleshooting the issue in the live environment, one of my colleagues realised a difference in my Test and Live environments.  The Live environment web servers had URLSCAN installed.  Another one of my colleagues, tasked with performing server hardening of the live environment, had previously installed URLSCAN on my SharePoint web servers to secure IIS.  When I was asked about URLSCAN before it was installed, having not heard of it, I did a quick bit of research which led me to the conclusion it shouldn’t cause any issues. How badly wrong I was :(

To resolve the issue, we removed URLSCAN from the web servers and accepted the risk. The SharePoint file upload and Office integration worked as expected.

Lessons Learnt

  • SharePoint and URLSCAN just don’t get along, without the correct configuration and thought.
  • Make sure your Test environment exactly matches the configuration of your Live environment.
  • Take more time to research things you don’t know.


Anonymous said...

URLScan was installed in the production environment for good reason. Reinstall URLScan and modify the URLScan .INI file so it is compatible with SharePoint.

... and yes, install it in your Test environment as well.

Anonymous said...

All you need to do is modify the urlscan.ini. The 2 areas that you need to modify are the [AllowVerbs] and [DenyHeaders] sections. Some of the settings listed below may not be required for your environment, but they should at least provide you with a SharePoint system running URLScan that functions without issue. You can determine if you need to further secure your servers by removing some of these settings and testing individually or by packet capture analysis. Anyways, here they are:


{Remove all existing entries}

Some of the verbs and headers that are denied by default are required by WebDAV. You can test individually if you want to further lockdown your server with URLScan.

Anonymous said...

Oh and the urlscan.ini file is located in C:\Windows\System32\inetsrv\urlscan\
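
The checks the commenters describe, as an added example (not code from the post, the commenters or Microsoft): a small auditor that parses a urlscan.ini and reports settings that conflict with a SharePoint upload limit and with WebDAV-based Office integration. The sample file is constructed and the WebDAV verb and header lists are assumptions to adjust for your farm; note that 30,000,000 bytes is roughly 28 MB, consistent with the upload ceiling described in the post.

```python
# Constructed sample in the style of a stock urlscan.ini (not taken from the post).
SAMPLE_INI = """\
[options]
UseAllowVerbs=1   ; only verbs listed in [AllowVerbs] are accepted
[RequestLimits]
MaxAllowedContentLength=30000000
[AllowVerbs]
GET
HEAD
POST
[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:
"""
# Assumption: RFC 4918 WebDAV methods plus OPTIONS/PUT/DELETE; trim to what your farm uses.
WEBDAV_VERBS = set("OPTIONS PROPFIND PROPPATCH MKCOL PUT DELETE COPY MOVE LOCK UNLOCK".split())
WEBDAV_HEADERS = {"translate:", "if:", "lock-token:"}  # assumption: WebDAV request headers

def parse_urlscan_ini(text):
    """Return {section: [entries]}, handling bare list lines and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit(text, upload_limit_mb):
    """List settings that would interfere with uploads or WebDAV/Office integration."""
    s = parse_urlscan_ini(text)
    # Flatten every key=value entry (all sections) into one lower-cased lookup.
    kv = {k.strip().lower(): v.strip() for sec in s.values()
          for k, v in (e.split("=", 1) for e in sec if "=" in e)}
    findings = []
    limit = kv.get("maxallowedcontentlength")
    if limit is not None and int(limit) < upload_limit_mb * 2**20:
        findings.append(f"MaxAllowedContentLength={limit} (~{int(limit) // 2**20} MB) "
                        f"is below the {upload_limit_mb} MB upload limit")
    if kv.get("useallowverbs") == "1":  # allow-list mode: unlisted verbs are rejected
        missing = WEBDAV_VERBS - {v.upper() for v in s.get("allowverbs", [])}
        if missing:
            findings.append("AllowVerbs lacks: " + ", ".join(sorted(missing)))
    blocked = WEBDAV_HEADERS & {h.lower() for h in s.get("denyheaders", [])}
    if blocked:
        findings.append("DenyHeaders blocks: " + ", ".join(sorted(blocked)))
    return findings
```

Running `audit()` over the urlscan.ini from both Test and Live before go-live would surface the kind of mismatch described in the post; each verb or header you re-enable widens what IIS accepts, so add only what testing shows is needed.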
