Here's my urlscan.ini file:
[options]
; Global UrlScan switches: which allow/deny lists are used, URL
; normalization, the 'Server' header, logging and how rejections are sent.
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
; NOTE(review): 0 selects deny-list mode for extensions, so only what is
; named in [DenyExtensions] is blocked and the [AllowExtensions] list is
; not in effect.
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=1 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
; NOTE(review): with dots allowed outside the extension, UrlScan presumably
; cannot always tell which extension a request such as /a.asp/b.htm ends up
; using, which weakens the extension lists - confirm the application needs 1.
AllowDotInPath=1 ; if 1, allow dots that are not file extensions
; NOTE(review): 0 here plus the empty AlternateServerName below presumably
; leaves the stock 'Server' header in responses - confirm this is intended.
RemoveServerHeader=0 ; if 1, remove "Server" header from response
; Logging is on, one file for all processes, rotated per day (see PerDayLogging).
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1 ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
; Left empty, so the default rejection URL named in the inline comment applies.
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
; 0 keeps rejections on the RejectResponseUrl path, so per the inline comment
; IIS can still log rejected requests.
UseFastPathReject=0 ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=
[AllowVerbs]
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
; This list is the one in effect: [options] sets UseAllowVerbs=1, so any
; verb not named here is rejected.
; NOTE(review): the list goes well beyond GET/HEAD/POST. The write-capable
; verbs (PUT, DELETE, MOVE, COPY, MKCOL, PROPPATCH and the B* variants)
; should stay only if the published application needs them - this looks
; like a WebDAV/Exchange-style verb set, confirm against the application.
;
GET
HEAD
POST
OPTIONS
SEARCH
POLL
PROPFIND
BMOVE
BCOPY
SUBSCRIBE
MOVE
PROPPATCH
BPROPPATCH
DELETE
BDELETE
MKCOL
UNSUBSCRIBE
SUBSCRIPTIONS
COPY
LOCK
UNLOCK
PUT
ACL
NOTIFY
[DenyVerbs]
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
; Not in effect in this file: [options] sets UseAllowVerbs=1, and the
; section lists no verbs.
[DenyHeaders]
;
; Request headers listed in this section will cause UrlScan to
; reject any request in which they are present.
;
; Headers should be listed in the form
; Header-Name:
;
; NOTE(review): no headers are listed, so no request is rejected on the
; basis of its headers - confirm the empty list is deliberate.
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
; Not in effect in this file: [options] sets UseAllowExtensions=0.
; NOTE(review): if this list is ever switched on, review it first - it
; permits .idq, .htw, .ida, .idc, .htr and .printer, which the
; [DenyExtensions] comments describe as Index Server, legacy tool and
; Internet Printing mappings.
;
.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif
.idq
.htw
.ida
.idc
.shtm
.shtml
.stm
.htr
.printer
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; This list is the one in effect: [options] sets UseAllowExtensions=0, so
; only the uncommented entries below are blocked (.exe .bat .cmd .com
; .ini .log .pol .dat).
;
; Deny executables that could run on the server
.exe
.bat
.cmd
.com
; Deny infrequently used scripts
; NOTE(review): every entry in this group is commented out, so UrlScan does
; not reject requests for these script mappings. Keep an entry disabled only
; if the site really uses that handler; otherwise re-enable the deny line
; (or confirm the mapping is removed in IIS).
;.htw ; Maps to webhits.dll, part of Index Server
;.ida ; Maps to idq.dll, part of Index Server
;.idq ; Maps to idq.dll, part of Index Server
;.htr ; Maps to ism.dll, a legacy administrative tool
;.idc ; Maps to httpodbc.dll, a legacy database access tool
;.shtm ; Maps to ssinc.dll, for Server Side Includes
;.shtml ; Maps to ssinc.dll, for Server Side Includes
;.stm ; Maps to ssinc.dll, for Server Side Includes
;.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
; The four entries below are commented out, so .asp, .cer, .cdx and .asa
; requests are not denied by UrlScan - presumably because the site serves
; ASP content; confirm.
;.asp
;.cer
;.cdx
;.asa
[DenyUrlSequences]
; NOTE(review): all five sequences below are commented out, so UrlScan
; rejects no request on the basis of a character sequence in the URL,
; including the ".." and "\" forms usually associated with directory
; traversal. [options] still has NormalizeUrlBeforeScan=1 and
; VerifyNormalization=1, but confirm that disabling every entry here is
; required by the application rather than re-enabling the ones it can
; tolerate.
;..
;./
;\
;%
;&