Ran across this today on IIS.net. For those of you that know me, I've been raving about URLScan as a great security tool for IIS since the IIS 5 days. It was one of the centerpieces of the IIS FastTrack class I taught back in the day.
After a very long time, the IIS team has released an update to URLScan 2.5, a beta release of URLScan 3.0. It's still an ISAPI filter, and I'd bet that it's written by the leading authority on ISAPI at Microsoft, Wade Hilmo, who also wrote the original URLScan and siblings.
One of the key new features is the ability to create different rule sets for different sites. In URLScan 2.5 you could only have 1 ruleset for the entire server, which was great for sites that had 1 primary app or very similar workloads on different sites, but if you had 1 site that had a maximum URL of 50 characters and another 250 characters, you had to set the max URL length to 250, which meant less than optimum security. Now, you can tune each site according to its requirements.
Another cool addition is that if you change the ruleset, you don't have to recycle IIS in order to pick up the changes. That's a nice improvement that is harder than it sounds.
So check out the new beta and be sure to send a note to the team via the forums about how these tools. When they hear from customers about the usefulness of these releases, it helps them justify doing more updates and add-ons.
Learn IIS7: Using UrlScan: Configuring Security: Installing and Configuring IIS 7.0
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
© Copyright 2009, Brett Hill