Once URLScan is installed, please open and modify the
UrlScan.ini file in this location:
%windir%\system32\inetsrv\urlscan\UrlScan.ini
Near the bottom of the UrlScan.ini file you’ll find a
[DenyQueryStringSequences] section. Add an additional “aspxerrorpath=”
entry immediately below it and then save the file:
[DenyQueryStringSequences]
aspxerrorpath=
The above entry disallows URLs that have an “aspxerrorpath=”
querystring attribute from making their way to ASP.NET applications, and will
instead cause the web-server to return an HTTP error. Adding this rule
prevents attackers from distinguishing between the different types of errors
occurring on a server – which helps block attacks using this vulnerability.
After saving this change, run “iisreset” from a command
prompt (elevated as admin) for the above changes to take effect. To
verify the change has been made, try accessing a URL on your site/application
that has a querystring with an aspxerrorpath and verify that an HTTP error is
sent back from IIS.