URL Scan has been a useful tool since Windows Server 2003, and continues to be used on many web server deployments. Did you know though that IIS7 includes a feature named Request Filtering that handles the same functionality as URL Scan but also gives a tighter level of control over the settings and where they are applied?
Request Filtering is a great resource to protect your site from SQL Injections and other attacks. One, of several, great reasons to consider using it is that it can be configured from the GUI (accessed through the icon shown above) *OR* from within your web.config file. Managing this from the GUI makes the web.config changes for you, so it winds up being the same thing, but it makes it a little easier to deal with. Then once the settings and rules are in your web.config file, they are nice and portable – just deploy them along with your site to assure that the server settings are in proper place to filter out the types of “bad” requests and possible attack footprints that you want to lock down.
It doesn’t get much easier than that – and you don’t have to remember to make the settings if you move the site, or add more server nodes, or … whatever!
There are plenty of great resources online so I won’t rehash what’s already been communicated quite well, but I’ll provide some links for your reference below.
http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering#005
http://learn.iis.net/page.aspx/143/use-request-filtering/
http://learn.iis.net/page.aspx/504/using-enhanced-request-filtering-features-in-iis/
Happy hosting!
