
Aug 21, 2008 11:49 GMT

Microsoft has taken UrlScan Filter 3.0 out of the Beta development stage and made the tool available for download. The gold code of UrlScan 3.0, which went live on the Microsoft Download Center on August 21, is designed to integrate seamlessly with Internet Information Services 5.1, 6.0 and 7.0 running on top of Windows Server 2008, Windows Server 2003, Windows Vista and Windows XP. The IIS security tool was initially made available at the end of June 2008 under a GoLive license, which permitted the immediate integration of the bits into development environments.

"About 2 months ago we released the beta for UrlScan v3.0 to address customer concerns with automated SQL injection attacks and we have been busy since refining it with the help of our customers, community and MVPs," revealed Nazim Lala, IIS security engineer, Microsoft.

In mid-2008, the Redmond company found itself trying to protect customers who were facing a flood of automated SQL injection attacks, even though there were no security vulnerabilities to patch in Microsoft software. This is because the attacks targeted not security flaws in server solutions but SQL design holes in the applications running on top of Microsoft products. At that time, a total of three tools were offered to customers in an effort to help them bulletproof their applications against SQL attacks. Along with the beta version of UrlScan Filter 3.0, the Redmond giant also released Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008), while IBM delivered Scrawlr. Now UrlScan Filter 3.0 has been released to web (RTW) and can be grabbed via the link at the bottom of this article.

"UrlScan v3.0 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by web applications on the server. UrlScan v3.0 has feature upgrades and fixes from its predecessor (v2.5) such as the ability to scan query strings, the ability to custom tailor rules that scan parts of your HTTP requests and many others. UrlScan v3.0 will install as an ISAPI filter on IIS 5.1 and later, including the latest IIS 7.0 for Windows Server 2008," reads the introductory fragment from the UrlScan 3.0 description.

UrlScan Filter 3.0 is available for download here.