URLScan.exe screens all incoming HTTP requests to an IIS server and allows only those that comply with a specific rule set to pass. This helps ensure that the server responds only to valid requests, thereby significantly improving security. URLScan allows you to filter requests based on length, character set, content, and other factors. For more information about URLScan, including download and installation instructions, see the URLScan Security Tool Web site.

Configuring Exchange 2003 URLScan

URLScan is configured manually by editing a configuration text file called urlscan.ini. After you install URLScan, this file is located in the following folder: <WinDir>\System32\Inetsrv\Urlscan

It is highly recommended that you configure URLScan according to the Microsoft Knowledge Base article, "Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment."