
Request Filtering in IIS

Updated on December 06, 2023
By Pete Freitag

I've been doing some security work in Windows recently for a client, and one feature I've really come to like in IIS is Request Filtering. Request Filtering is a great tool for adding security rules; it was added in Windows 2008 / IIS 7.

You can configure Request Filtering at the server-wide level, and then override or enhance the filtering at a site / application level.

Request Filtering can be configured in IIS Manager if you install the extra add-ons, or you can configure it using the web.config files that IIS 7 introduced. Coming from an Apache background, I prefer using the web.config files.

The global configuration file is called applicationHost.config and is located in C:\windows\system32\inetsrv\config\ by default; it is similar to the httpd.conf file for Apache.

Site specific configuration can either be added to the applicationHost.config or in a file called web.config located in the wwwroot of the website (similar to .htaccess files on Apache).

The <requestFiltering> tag is located under the following location in the XML config file: /configuration/system.webServer/security/. There are 5 child tags of the requestFiltering tag:

  • denyUrlSequences - Used to deny requests whose URL contains specific sequences
  • fileExtensions - Used to deny specific file extensions, or allow only a whitelist of file extensions.
  • hiddenSegments - Used to deny access to specific URL segments (for example a directory name)
  • requestLimits - Used to limit the size of elements in the HTTP request (query string, headers, URL, content length, etc.)
  • verbs - Deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc.)

Example web.config file using Request Filtering

Here's a quick example of how you might use the request filtering features in a web.config file:

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <!-- block /CFIDE -->
            <denyUrlSequences>
               <add sequence="/CFIDE"/>
            </denyUrlSequences>
            <!-- block all file extensions except cfm,js,css,html -->
            <fileExtensions allowUnlisted="false" applyToWebDAV="true">
               <add fileExtension=".cfm" allowed="true" />
               <add fileExtension=".js" allowed="true" />
               <add fileExtension=".css" allowed="true" />
               <add fileExtension=".html" allowed="true" />
            </fileExtensions>
            <!-- hide configuration dir -->
            <hiddenSegments applyToWebDAV="true">
               <add segment="configuration" />
            </hiddenSegments>
            <!-- limit post size to 10 MB (10485760 bytes), query string to 256 chars, url to 1024 chars -->
            <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
            <!-- only allow GET,POST verbs (this also blocks HEAD and OPTIONS, so allow them here if your site needs them) -->
            <verbs allowUnlisted="false" applyToWebDAV="true">
               <add verb="GET" allowed="true" />
               <add verb="POST" allowed="true" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

The maxAllowedContentLength setting of Request Filtering is pretty handy: it specifies the maximum number of bytes that can be posted. This is effectively the maximum file upload size that your server will accept, or, if you are hosting an API, the maximum size of the JSON / XML body payload.
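To see how the five child elements combine on a single request, here is an added example (my own code, not from the post or from Microsoft) that parses a web.config fragment and applies a simplified model of the filter. It assumes case-insensitive matching, IIS's documented defaults for missing requestLimits attributes, and that extensionless URLs pass the fileExtensions check; the real module also handles WebDAV, URL decoding and other cases not modelled here.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed web.config fragment mirroring the post's example (sample values, not a real site's config).
WEB_CONFIG = """<configuration><system.webServer><security><requestFiltering>
 <denyUrlSequences><add sequence="/CFIDE"/></denyUrlSequences>
 <fileExtensions allowUnlisted="false"><add fileExtension=".cfm" allowed="true"/><add fileExtension=".html" allowed="true"/></fileExtensions>
 <hiddenSegments><add segment="configuration"/></hiddenSegments>
 <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760"/>
 <verbs allowUnlisted="false"><add verb="GET" allowed="true"/><add verb="POST" allowed="true"/></verbs>
</requestFiltering></security></system.webServer></configuration>"""

def _listing(elem, key):
    """Lowercased <add key="..."/> entries -> allowed flag, plus the element's allowUnlisted default."""
    if elem is None:
        return {}, True
    return ({a.get(key).lower(): a.get("allowed", "true").lower() == "true" for a in elem.findall("add")},
            elem.get("allowUnlisted", "true").lower() == "true")

def load_rules(xml_text):
    rf = next(ET.fromstring(xml_text).iter("requestFiltering"))
    limits = rf.find("requestLimits")
    lim = limits.get if limits is not None else (lambda name, default: default)
    return {
        "deny_seq": [a.get("sequence").lower() for a in rf.findall("denyUrlSequences/add")],
        "hidden": {a.get("segment").lower() for a in rf.findall("hiddenSegments/add")},
        "ext": _listing(rf.find("fileExtensions"), "fileExtension"),
        "verbs": _listing(rf.find("verbs"), "verb"),
        "max_url": int(lim("maxUrl", 4096)),          # IIS defaults when the attribute is absent
        "max_qs": int(lim("maxQueryString", 2048)),
        "max_len": int(lim("maxAllowedContentLength", 30000000)),
    }

def check_request(rules, method, url, content_length=0):
    """Return (allowed, reason); reason names the first rule that rejects the request."""
    path, query = urlsplit(url)[2:4]
    if len(path) > rules["max_url"] or len(query) > rules["max_qs"] or content_length > rules["max_len"]:
        return False, "requestLimits: url, query string or body exceeds the configured limit"
    if not rules["verbs"][0].get(method.lower(), rules["verbs"][1]):
        return False, f"verbs: {method} not allowed"
    if any(seq in path.lower() for seq in rules["deny_seq"]):      # case-insensitive substring match
        return False, "denyUrlSequences: denied sequence in url"
    if any(seg.lower() in rules["hidden"] for seg in path.split("/")):  # whole-segment match
        return False, "hiddenSegments: hidden segment in url"
    ext = posixpath.splitext(path)[1].lower()
    if ext and not rules["ext"][0].get(ext, rules["ext"][1]):  # assumption: extensionless URLs pass
        return False, f"fileExtensions: {ext} not allowed"
    return True, "allowed"
```

Run `check_request(load_rules(WEB_CONFIG), "GET", "/CFIDE/administrator/index.cfm")` to see the deny sequence fire even though the extension itself is whitelisted.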

As of IIS 10, Microsoft has added the ability to remove the Server header using Request Filtering. Using Request Filtering for this ends up being a much cleaner solution.




Request Filtering in IIS was first published on February 16, 2010.


Comments

Wow, that is really straightforward and easy to understand.

That is also a good example of whitelist and blacklist validation with great use of whitelist validation.

Thanks for sharing.
by Jason Dean on 02/16/2010 at 12:36:13 PM UTC
You're welcome Jason, yeah it is actually pretty simple!

Adding the .config files was a smart move for MS!
by Pete Freitag on 02/16/2010 at 3:41:13 PM UTC
Spent the last 2 hours trying to find this information. Thanks!!!
by Randy on 08/16/2010 at 1:46:49 PM UTC
Hi,

Thanks for this article. I have a small confusion regarding adding URL sequences with MS-DOS device names.
Would you kindly help me and tell me how exactly I need to do that?

Regards
by musa zargar on 05/24/2015 at 1:09:31 PM UTC
Hello Musa

I'm also looking for an ISAPI filter to block URLs with MS-DOS device names. Did you find any solution?
by Divya on 06/19/2015 at 6:26:30 AM UTC