Robba's Weblog

My thoughts on Tech and life.

URLScan and SmarterMail

I recently had an issue with one of the sites that I manage getting hit with a SQL injection attack. ARG!!! What a pain in the butt!! Fortunately Steve Schofield had posted some great info about closing down the attack surface here and here. After a little work cleaning all the injected crud out of the DB, everything was back up and running in just about 2 or 3 hours. Many thanks to Steve for his help.

But, now to the real point of this post. If you are like me in this case and run a website and webmail from the same IIS server, and you use URLScan and add the SQL injection rule, you will find that your SmarterMail webmail starts to have problems.

I made the mistake (kinda) of applying URLScan to the entire IIS server and letting it trickle down to all sites on the server. Obviously for attack prevention this is the best way, but it did cause the problem with SmarterMail. So, my first idea was to adjust the rule to allow the text that URLScan was blocking. After having to do this a couple of times I started to worry that I was leaving too many holes in the URLScan filter.

Then I had a better idea: I just removed the URLScan filter from the SmarterMail site in IIS and put the removed rules back in place in URLScan. I don't have to worry about SQL injection on SmarterMail since it doesn't integrate with SQL. Another alternative would be to have a second URLScan instance on the server and customize its filter to work with SmarterMail. I'd have to really think hard on this, but with the right situation it might be better to have a dedicated instance of URLScan for each site that you run. This would allow you to completely "tweak" your filter to block everything but what that specific site needs. Obviously on a large scale this does add a lot of overhead, but it might be mitigated because your security is tighter and you are less likely to need to spend time fixing problems.
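To make the trade-off in the last two paragraphs concrete, here is a small added example (not code from this post, from URLScan or from SmarterMail) that models a URLScan-style deny-string filter and runs it three ways: server-wide, server-wide but trimmed of whatever webmail keeps tripping, and per-site with the filter removed from the SmarterMail site. Everything in it is constructed for illustration: the rule is simplified to a case-insensitive substring match on the URL-decoded query string, the deny list is a hand-picked approximation of a SQL injection rule, and the site names ("www", "webmail") and request URLs are made up.

```python
"""
Model of a URLScan-style deny-string filter applied server-wide versus per site.
Added example, not code from the blog post, URLScan or SmarterMail.
Assumptions (constructed for illustration): a rule is a case-insensitive
substring match on the URL-decoded query string, the sites are "www" and
"webmail", and the request URLs below are made up.
"""
from urllib.parse import unquote_plus, urlsplit

# Constructed deny list in the spirit of URLScan's SQL injection rule:
# tokens that show up in typical SQL injection payloads.
SQL_INJECTION_DENY = ["--", ";", "/*", "@", "char", "alter", "cast", "declare",
                      "delete", "drop", "exec", "insert", "select", "update", "xp_"]


def find_denied_tokens(url, deny_list=SQL_INJECTION_DENY):
    """Return the deny-list tokens present in the decoded query string of url."""
    query = unquote_plus(urlsplit(url).query).lower()
    return [token for token in deny_list if token.lower() in query]


class FilterPolicy:
    """Per-site deny lists. A site mapped to None has the filter removed,
    which is what the post ends up doing for the SmarterMail site."""

    def __init__(self, default_deny, per_site=None):
        self.default_deny = list(default_deny)
        self.per_site = dict(per_site or {})

    def deny_list_for(self, site):
        return self.per_site.get(site, self.default_deny)

    def check(self, site, url):
        """Return (allowed, matched_tokens) for a request to the given site."""
        deny = self.deny_list_for(site)
        if deny is None:
            return True, []
        hits = find_denied_tokens(url, deny)
        return not hits, hits


# Constructed sample traffic: two injection attempts against the public site and
# two ordinary webmail requests that merely contain deny-list substrings.
ATTACK = "http://www.example.test/products.asp?id=1%20UNION%20SELECT%201--"
ATTACK_DROP_ONLY = "http://www.example.test/products.asp?id=5%20drop%20table%20orders"
WEBMAIL_LOGIN = "http://webmail.example.test/Main/Login.aspx?user=bob@example.com"
WEBMAIL_SEARCH = "http://webmail.example.test/Main/Search.aspx?q=drop+off+schedule"


def server_wide_policy():
    """The post's first setup: one rule set trickling down to every site."""
    return FilterPolicy(SQL_INJECTION_DENY)


def weakened_global_policy():
    """The post's first fix: drop whatever tokens webmail keeps tripping.
    Every removed token is a hole the public site loses as well."""
    tripped = set(find_denied_tokens(WEBMAIL_LOGIN)) | set(find_denied_tokens(WEBMAIL_SEARCH))
    return FilterPolicy([t for t in SQL_INJECTION_DENY if t not in tripped])


def per_site_policy():
    """The post's better fix: full rule set everywhere, filter removed from webmail."""
    return FilterPolicy(SQL_INJECTION_DENY, per_site={"webmail": None})


def holes_opened_by_weakening():
    """Tokens the weakened list no longer checks on the public site."""
    return sorted(set(SQL_INJECTION_DENY) - set(weakened_global_policy().deny_list_for("www")))


if __name__ == "__main__":
    for name, policy in [("server-wide", server_wide_policy()),
                         ("weakened global", weakened_global_policy()),
                         ("per-site", per_site_policy())]:
        print(f"== {name} ==")
        for site, url in [("www", ATTACK), ("www", ATTACK_DROP_ONLY),
                          ("webmail", WEBMAIL_LOGIN), ("webmail", WEBMAIL_SEARCH)]:
            allowed, hits = policy.check(site, url)
            print(f"  {site:8} {'allow' if allowed else 'BLOCK':5} {hits} {url}")
    print("holes opened by weakening:", holes_opened_by_weakening())
```

Running it shows the two failure modes the post describes: server-wide, the login and search requests are blocked purely because an e-mail address contains "@" and a search term contains "drop"; trimming those tokens globally lets the drop-only request through on the public site. Scoping the policy per site keeps the full list on "www" while webmail, which never touches SQL, is simply exempt.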

Posted: Jul 04 2008, 01:48 PM by robba | with no comments