Request Filtering in IIS 7 Howto

February 16, 2010

I've been doing some security work in Windows 2008 recently for a client, one feature I've really come to like in IIS 7 is Request Filtering.

You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.

Request filtering can be configured in IIS manager if you install extra addons, or you can configure it using the new config files that IIS 7 introduces. I prefer the .config files coming from an Apache background.

The global configuration file is called applicationHost.config and it is located in C:\windows\system32\inetsrv\config\ by default, this is similar to the httpd.conf file for Apache.

Site specific configuration can either be added to the applicationHost.config or in a file called web.config located in the wwwroot of the website (similar to .htaccess files on Apache).

The <requestFiltering> tag is located under the following location in the XML config file: /configuration/system.webServer/security/. There are 5 child tags of the requestFiltering tag:

denyUrlSequences - Used to deny specific URI's
fileExtensions - Used to deny specific file extensions, or allow only a whitelist of file extensions.
hiddenSegments - Used to hide URI sequences
requestLimits - Used to limit the size of elements in the HTTP Request (query string, headers, url, content length, etc)
verbs - Deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc)

Here's a quick example of how you might use these features in a web.config file:

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <!-- block /CFIDE -->
            <denyUrlSequences>
               <add sequence="/CFIDE"/>
            </denyUrlSequences>
            <!-- block all file extensions except cfm,js,css,html -->
            <fileExtensions allowUnlisted="false" applyToWebDAV="true">
               <add fileExtension=".cfm" allowed="true" />
               <add fileExtension=".js" allowed="true" />
               <add fileExtension=".css" allowed="true" />
               <add fileExtension=".html" allowed="true" />
            </fileExtensions>
            <!-- hide configuration dir -->
            <hiddenSegments applyToWebDAV="true">
               <add segment="configuration" />
            </hiddenSegments>
            <!-- limit post size to 10mb, query string to 256 chars, url to 1024 chars -->
            <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="102400000" />
            <!-- only allow GET,POST verbs -->
            <verbs allowUnlisted="false" applyToWebDAV="true">
               <add verb="GET" allowed="true" />
               <add verb="POST" allowed="true" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

On the topic of IIS Security, have you disabled Weak SSL Ciphers and Protocols such as SSLv2, this is a requirement of PCI (which all ecommerce sites must adhere to)? My company has a product that makes it very easy to Disable SSLv2 on IIS.

Permalink | Add Comment |

add to del.icio.us | Tags: iis, microsoft, iis7, request filtering, security, config, windows, filtering

Related Entries

IIS: Disabling Weak SSL Protocols and Ciphers - October 8, 2009
Remove X-Powered-By: ASP.NET Header - October 21, 2008
Howto Disable the Server Header in IIS - December 6, 2005
Is your ColdFusion Administrator Actually Public? - April 28, 2010
ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only - August 20, 2009

2 people found this page useful, what do you think?

Trackbacks

Trackback Address: 741/776C6CE3E9DB0598E8834AC81EA956B4

Comments

On 02/16/2010 at 2:36:13 PM EST Jason Dean wrote:

Wow, that is really straight forward an easy to understand.

That is also a good example of whitelist and blacklist validation with great use of whitelist validation.

Thanks for sharing.

On 02/16/2010 at 5:41:13 PM EST Pete Freitag wrote:

You're welcome Jason, yeah it is actually pretty simple!

Adding the .config files was a smart move for MS!

On 02/20/2010 at 12:10:12 PM EST Ron wrote:

Pete: thanks for sharing this. This is so much more straightforward and with an Apache background myself, I find this braindead-simple to understand...

On 05/13/2010 at 10:27:36 PM EDT Greg wrote:

I am having a problem opening .msg outlook files is there something I need to change in the applicationhost.config? I get the 404 Server error file or directory not found.

On 08/16/2010 at 3:46:49 PM EDT Randy wrote: