Request Filtering in IIS 7 Howto
I've been doing some security work on Windows 2008 recently for a client, and one feature I've really come to like in IIS 7 is Request Filtering.
You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.
Request Filtering can be configured in IIS Manager if you install the extra add-ons, or you can configure it using the new .config files that IIS 7 introduces. Coming from an Apache background, I prefer the .config files.
The global configuration file is called applicationHost.config and it is located in C:\windows\system32\inetsrv\config\ by default; it plays the same role as the httpd.conf file for Apache.
Site-specific configuration can either be added to applicationHost.config or placed in a file called web.config located in the wwwroot of the website (similar to .htaccess files on Apache).
The <requestFiltering> tag lives at the following path in the XML config file: /configuration/system.webServer/security/. There are 5 child tags of the requestFiltering tag:
- denyUrlSequences - Used to deny requests whose URL contains specific sequences
- fileExtensions - Used to deny specific file extensions, or to allow only a whitelist of file extensions
- hiddenSegments - Used to hide specific URL segments (such as a directory) from requests
- requestLimits - Used to limit the size of elements in the HTTP request (query string, headers, URL, content length, etc.)
- verbs - Used to deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc.), or to allow only a whitelist of verbs
Here's a quick example of how you might use these features in a web.config file:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- block any URL containing /CFIDE -->
        <denyUrlSequences>
          <add sequence="/CFIDE" />
        </denyUrlSequences>
        <!-- block all file extensions except cfm, js, css, html -->
        <fileExtensions allowUnlisted="false" applyToWebDAV="true">
          <add fileExtension=".cfm" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".html" allowed="true" />
        </fileExtensions>
        <!-- hide the configuration directory -->
        <hiddenSegments applyToWebDAV="true">
          <add segment="configuration" />
        </hiddenSegments>
        <!-- limit post size to 10 MB (10485760 bytes), query string to 256 bytes, URL to 1024 bytes -->
        <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
        <!-- only allow the GET and POST verbs -->
        <verbs allowUnlisted="false" applyToWebDAV="true">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
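As an added example (not code from the post), here is a small Python audit that parses a web.config like the one above and reports whether fileExtensions and verbs are actually in whitelist mode, whether the request body limit is above what you intended, and which sequences and segments are blocked. The sample config, the 10 MB threshold and the 30000000-byte value used when no maxAllowedContentLength is set are the example's own assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.config modelled on the post's; verbs and the content-length limit are deliberately weaker.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences><add sequence="/CFIDE"/></denyUrlSequences>
        <fileExtensions allowUnlisted="false" applyToWebDAV="true">
          <add fileExtension=".cfm" allowed="true" />
          <add fileExtension=".exe" allowed="false" />
        </fileExtensions>
        <hiddenSegments applyToWebDAV="true"><add segment="configuration" /></hiddenSegments>
        <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="102400000" />
        <verbs allowUnlisted="true" applyToWebDAV="true"><add verb="TRACE" allowed="false" /></verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

RF_PATH = "./system.webServer/security/requestFiltering"
IIS_DEFAULT_MAX_CONTENT = 30000000  # assumed IIS 7 default for maxAllowedContentLength (bytes)


def audit_request_filtering(config_xml, max_body_bytes=10 * 1024 * 1024):
    """Return a list of findings describing the <requestFiltering> section."""
    findings = []
    rf = ET.fromstring(config_xml).find(RF_PATH)
    if rf is None:
        return ["no <requestFiltering> section: server-wide defaults apply unchanged"]
    # fileExtensions and verbs are whitelists only when allowUnlisted="false"; a missing attribute means blacklist mode
    for tag, attr in (("fileExtensions", "fileExtension"), ("verbs", "verb")):
        node = rf.find(tag)
        if node is None or node.get("allowUnlisted", "true").lower() != "false":
            findings.append(f"{tag}: allowUnlisted is true (blacklist mode)")
        else:
            allowed = sorted(a.get(attr) for a in node.findall("add")
                             if a.get("allowed", "true").lower() == "true")
            findings.append(f"{tag}: whitelist {allowed}")
    limits = rf.find("requestLimits")
    body = IIS_DEFAULT_MAX_CONTENT
    if limits is not None:
        body = int(limits.get("maxAllowedContentLength", body))
    if body > max_body_bytes:
        findings.append(f"requestLimits: maxAllowedContentLength {body} exceeds {max_body_bytes}")
    # Blocked URL sequences and hidden segments are listed as-is for review
    for tag, attr in (("denyUrlSequences", "sequence"), ("hiddenSegments", "segment")):
        node = rf.find(tag)
        findings.append(f"{tag}: {[a.get(attr) for a in node.findall('add')] if node is not None else []}")
    return findings
```

Run it against a site's real web.config to confirm that the whitelists you think you configured are the ones IIS will enforce.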
On the topic of IIS security, have you disabled weak SSL ciphers and protocols such as SSLv2? This is a requirement of PCI (which all ecommerce sites must adhere to). My company has a product that makes it very easy to Disable SSLv2 on IIS.
Tags: iis, microsoft, iis7, request filtering, security, config, windows, filtering
Comments
That is also a good example of whitelist and blacklist validation with great use of whitelist validation.
Thanks for sharing.
Adding the .config files was a smart move for MS!