Fixing “IIS Metabase is required to install Microsoft UrlScan Filter v3.1”

If you are looking to remove the server header from your IIS, you will need to install URL Scan to be able to go through the settings.

UrlScan is a security tool used to restrict types of HTTP requests that IIS will process. It is a simple tool which is very helpful in blocking harmful requests to the server. It seemingly supports only IIS 5.1, IIS 6.0, and IIS 7.0 on Windows Vista and Windows Server 2008. It has been deprecated since IIS 7.5 and IIS 8. It is said that Microsoft has included the features of UrlScan in request filtering option for IIS 7.5 and IIS 8. But it definitely is not a match for the simplicity of UrlScan. Today I am going to show you how to configure UrlScan in IIS 7.5 and IIS8. (IIS 7.5 is available in Windows server 2008 R2 and IIS 8 is available in Windows Server 2012 and Windows 8 ).

Install the URLScan in your machine. Please follow the following link for that

When you are trying to install it on a new server, you might get an error saying:

IIS Metabase is required to install Microsoft UrlScan Filter v3.1

To fix this issue:

  1. Open Web Platform Installer
  2. Search for metabase and install “IIS: IIS 6 Metabase Compatibility”
  3. Then, select IIS ISAPI Filters. (ISAPI filters may already be installed in IIS 7.5 )
  4. Click on Install. You are shown a review of components you selected to install. Click on I accept.
  5. The components are installed and will show you a Finish screen. Click on Finish.
  6. To check installation, go in IIS and click on your server node.
  7. Click on ISAPI filters under IIS

After installing URLScan, open the URLScan.ini file typically located in the %WINDIR%\System32\Inetsrv\URLscan folder. After opening it, search for the key RemoveServerHeader . By default it is set to 0, but to remove the Server header, change the value to 1.

Doing so will remove the Server header Server: Microsoft-IIS/7.5 (8) from the User mode response.

One thought on “Fixing “IIS Metabase is required to install Microsoft UrlScan Filter v3.1”

  1. I kept getting hit on the scan after I did what you said. I found this site and followed the bottom comment.

    f I could just add to this quickly… I had the exact same problem, but could not figure out how to fix it. JonnyDoyle said that he had not applied it at the site level. It took me a while to figure out what that meant. Let me elaborate for anyone else that gets stuck on this.

    After installing URL scan, you have to go into your site in IIS “Default Web Site”, etc.
    Then open up your ISAPI filters.
    Then add a new one called UrlScan 3.1, and point it to c:\Windows\System32\inetsrv\urlscan\urlscan.dll
    On the right pane, click “view ordered list” and move it to the top.
    If you go to the server and look at your ISAPT filters, you should already see the UrlScan 3.1 filter in there, but by default it does not appear on the site level with 2008 R2 and 2012, I believe. I think that is what JonnyDoyle was referring to. Just thought I’d elaborate in case anyone else was stuck like me.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.