Request Filtering in IIS
By Pete Freitag
I've been doing some security work on Windows recently for a client, and one feature I've really come to like in IIS is Request Filtering. Request Filtering is a great tool for adding security rules; it was added in Windows Server 2008 / IIS 7.
You can configure Request Filtering at the server-wide level, and then override or extend the filtering at the site or application level.
Request Filtering can be configured in IIS Manager (on IIS 7.0 the UI is an add-on; it is built in from IIS 7.5 onward), or you can configure it directly in the XML configuration files that IIS 7 introduced. Coming from an Apache background, I prefer using the web.config files.
The global configuration file is called applicationHost.config and is located in C:\windows\system32\inetsrv\config\ by default; it plays the same role as the httpd.conf file for Apache.
Site-specific configuration can be added either to applicationHost.config (inside a <location> element for the site) or to a file called web.config in the root directory of the website, similar to .htaccess files on Apache.
The <requestFiltering> tag is located under /configuration/system.webServer/security/ in the XML config file. The five child tags covered here are:
- denyUrlSequences: deny any request whose URL contains one of the listed character sequences (for example a directory name such as /CFIDE, or ..).
- fileExtensions: deny specific file extensions, or with allowUnlisted="false" allow only a whitelist of file extensions. Requests without a file extension are not affected by this list.
- hiddenSegments: deny any request whose URL path contains the named segment (IIS uses this by default to hide directories such as bin and App_Code and files such as web.config).
- requestLimits: limit the size of elements of the HTTP request (query string, URL, headers, content length, etc.).
- verbs: deny HTTP verbs (such as TRACE, PUT, DELETE, etc.), or with allowUnlisted="false" allow only a whitelist of verbs.
Example web.config file using Request Filtering
Here's a quick example of how you might use the request filtering features in a web.config file:

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- block any URL containing /CFIDE -->
        <denyUrlSequences>
          <add sequence="/CFIDE" />
        </denyUrlSequences>
        <!-- block all file extensions except cfm, js, css, html -->
        <fileExtensions allowUnlisted="false" applyToWebDAV="true">
          <add fileExtension=".cfm" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".html" allowed="true" />
        </fileExtensions>
        <!-- hide the configuration directory -->
        <hiddenSegments applyToWebDAV="true">
          <add segment="configuration" />
        </hiddenSegments>
        <!-- limit request body to 10 MB (10485760 bytes), query string to 256 chars, URL to 1024 chars -->
        <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
        <!-- only allow the GET and POST verbs -->
        <verbs allowUnlisted="false" applyToWebDAV="true">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Two things to check before deploying a whitelist like this: the fileExtensions list above allows no image or font extensions (.gif, .png, .jpg, .woff, etc.), so add whatever the site actually serves; and the verbs list also blocks HEAD and OPTIONS, which some load-balancer health checks and CORS preflight requests depend on. Requests denied by Request Filtering are answered with an HTTP 404 whose sub-status identifies the rule (404.5 URL sequence, 404.6 verb, 404.7 file extension, 404.8 hidden segment, 404.13 content length, 404.14 URL length, 404.15 query string length), so a quick way to test the policy is to send a request that should be blocked and look for that sub-status in the site's log.
The maxAllowedContentLength attribute of requestLimits is particularly handy: it specifies the maximum number of bytes allowed in the request body (the default is 30000000, about 30 MB). This is effectively the maximum file upload size that your server will accept, or, if you are hosting an API, the maximum size of the JSON / XML body payload. Requests that exceed it are rejected with 404.13 before they reach your application. Note that ASP.NET applications enforce a separate limit of their own (maxRequestLength on <httpRuntime>, in KB, default 4096), so both must be raised for large uploads.
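Once a policy like the one above is deployed, the natural follow-up check is to see what it is actually rejecting. Request Filtering denies a request with HTTP status 404 plus a sub-status code that identifies the rule, and both are written to the site's W3C log. The following Python script is an added example, not code from the original post: it parses constructed sample log lines (the default W3C field set, which includes sc-substatus) and tallies denials per rule and per client. The rule names in the mapping are the <requestFiltering> child elements or attributes; the sub-status codes are from Microsoft's IIS status-code reference.

```python
"""Tally IIS Request Filtering denials from W3C log lines.

Added example, not from the original post. It assumes the site logs in the
W3C format with the sc-status and sc-substatus fields enabled (both are in
IIS's default field selection). SAMPLE_LOG below is constructed.
"""
from collections import Counter

# HTTP 404 sub-status codes set by the Request Filtering module, keyed to the
# <requestFiltering> child element (or attribute) whose rule fired.
RF_SUBSTATUS = {
    5: "denyUrlSequences",                        # URL sequence denied
    6: "verbs",                                   # verb denied
    7: "fileExtensions",                          # file extension denied
    8: "hiddenSegments",                          # hidden namespace
    10: "requestLimits/headerLimits",             # request header too long
    11: "allowDoubleEscaping",                    # double escape sequence in URL
    12: "allowHighBitCharacters",                 # high-bit characters in URL
    13: "requestLimits.maxAllowedContentLength",  # content length too large
    14: "requestLimits.maxUrl",                   # URL too long
    15: "requestLimits.maxQueryString",           # query string too long
}

# Constructed sample log: one normal hit, five Request Filtering denials that
# match the web.config policy shown above, and one ordinary 404.0 (file not
# found) that must not be counted as a filtering denial.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-02-16 10:00:01 10.0.0.5 GET /index.cfm - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2010-02-16 10:00:02 10.0.0.5 GET /CFIDE/administrator/index.cfm - 80 - 203.0.113.10 Mozilla/5.0 404 5 0 3
2010-02-16 10:00:03 10.0.0.5 PUT /upload.cfm - 80 - 203.0.113.10 Mozilla/5.0 404 6 0 2
2010-02-16 10:00:04 10.0.0.5 GET /config.php - 80 - 198.51.100.7 curl/7.19 404 7 0 1
2010-02-16 10:00:05 10.0.0.5 GET /configuration/settings.xml - 80 - 198.51.100.7 curl/7.19 404 8 0 1
2010-02-16 10:00:06 10.0.0.5 POST /upload.cfm - 80 - 203.0.113.10 Mozilla/5.0 404 13 0 120
2010-02-16 10:00:07 10.0.0.5 GET /missing.html - 80 - 203.0.113.10 Mozilla/5.0 404 0 2 1
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    The #Fields: directive defines the columns. IIS writes it once per file
    header, but a file can contain several if the logging fields were changed.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def request_filtering_denials(records):
    """Return the records that Request Filtering rejected, tagged with the rule."""
    denials = []
    for rec in records:
        if rec.get("sc-status") != "404":
            continue
        try:
            sub = int(rec.get("sc-substatus", "0"))
        except ValueError:  # sub-status not logged as a number
            continue
        rule = RF_SUBSTATUS.get(sub)
        if rule is None:  # plain 404.0 etc. is not a filtering denial
            continue
        denials.append({
            "client": rec.get("c-ip", "-"),
            "method": rec.get("cs-method", "-"),
            "uri": rec.get("cs-uri-stem", "-"),
            "rule": rule,
        })
    return denials


def denials_by_rule(records):
    """Count denials per Request Filtering rule."""
    return Counter(d["rule"] for d in request_filtering_denials(records))


def denials_by_client(records):
    """Count denials per client IP, useful for spotting scanners."""
    return Counter(d["client"] for d in request_filtering_denials(records))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for rule, n in denials_by_rule(recs).most_common():
        print("%-40s %d" % (rule, n))
    for ip, n in denials_by_client(recs).most_common():
        print("%-40s %d" % (ip, n))
```

To run it against a real site, read the day's log from the site's log directory (C:\inetpub\logs\LogFiles\W3SVC<site id>\ by default) and pass its text to parse_w3c. A client with many 404.5 or 404.7 denials in a short window is usually a scanner probing for admin paths and script extensions; a burst of 404.13 from legitimate users means maxAllowedContentLength is set too low for what the application actually needs.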
As of IIS 10, Microsoft has added the ability to remove the Server header using Request Filtering (removeServerHeader="true" on the <requestFiltering> element). This ends up being a much cleaner solution than the URL Rewrite and HTTP module workarounds needed on earlier versions.
Request Filtering in IIS was first published on February 16, 2010.
If you like reading about iis, microsoft, iis7, request filtering, security, config, windows, or filtering then you might also like:
- IIS: Disabling Weak SSL Protocols and Ciphers
- Remove the Server Header in any IIS Version
- Remove X-Powered-By: ASP.NET Header
- Howto Disable the Server Header in IIS