Request Filtering in IIS 7 Howto

February 16, 2010

I've been doing some security work on Windows 2008 recently for a client, and one feature of IIS 7 I've really come to like is Request Filtering.

You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.

Request Filtering can be configured in IIS Manager if you install the extra add-ons, or in the new .config files that IIS 7 introduces. Coming from an Apache background, I prefer the .config files.

The global configuration file is called applicationHost.config and is located in C:\windows\system32\inetsrv\config\ by default; it is the equivalent of Apache's httpd.conf.

Site-specific configuration can be added either to applicationHost.config or to a file called web.config located in the wwwroot of the website (similar to .htaccess files on Apache).

The <requestFiltering> tag is located under the following location in the XML config file: /configuration/system.webServer/security/. There are 5 child tags of the requestFiltering tag:

  • denyUrlSequences - Used to deny requests whose URL contains specific sequences
  • fileExtensions - Used to deny specific file extensions, or to allow only a whitelist of file extensions
  • hiddenSegments - Used to hide specific URL segments (such as a directory name) so they cannot be served
  • requestLimits - Used to limit the size of elements in the HTTP request (query string, headers, URL, content length, etc.)
  • verbs - Used to deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc.)

Here's a quick example of how you might use these features in a web.config file:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <!-- block any URL containing /CFIDE -->
            <denyUrlSequences>
               <add sequence="/CFIDE" />
            </denyUrlSequences>
            <!-- block all file extensions except cfm, js, css, html (whitelist mode) -->
            <fileExtensions allowUnlisted="false" applyToWebDAV="true">
               <add fileExtension=".cfm" allowed="true" />
               <add fileExtension=".js" allowed="true" />
               <add fileExtension=".css" allowed="true" />
               <add fileExtension=".html" allowed="true" />
            </fileExtensions>
            <!-- hide the configuration dir -->
            <hiddenSegments applyToWebDAV="true">
               <add segment="configuration" />
            </hiddenSegments>
            <!-- limit post size to 10 MB (maxAllowedContentLength is in bytes), query string to 256 chars, URL to 1024 chars -->
            <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
            <!-- only allow the GET and POST verbs (whitelist mode) -->
            <verbs allowUnlisted="false" applyToWebDAV="true">
               <add verb="GET" allowed="true" />
               <add verb="POST" allowed="true" />
            </verbs>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>
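As an added example that is not part of the original post, here is a small Python audit that reads a web.config, walks to /configuration/system.webServer/security/requestFiltering, and flags the settings the example above relies on: allowUnlisted="false" on fileExtensions and verbs (whitelist mode), applyToWebDAV, and a maxAllowedContentLength above a chosen ceiling, since that attribute is in bytes and easy to set ten times larger than intended. The sample config, the 10 MB ceiling and the function name are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the post), modelled on its example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/CFIDE" />
        </denyUrlSequences>
        <fileExtensions allowUnlisted="false" applyToWebDAV="true">
          <add fileExtension=".cfm" allowed="true" />
          <add fileExtension=".js" allowed="true" />
        </fileExtensions>
        <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="102400000" />
        <verbs allowUnlisted="false" applyToWebDAV="true">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Path from the <configuration> root to the requestFiltering element.
RF_PATH = "./system.webServer/security/requestFiltering"
IIS_DEFAULT_CONTENT_LENGTH = 30000000  # IIS 7 default when the attribute is absent (bytes)

def audit_request_filtering(config_xml, max_content_bytes=10 * 1024 * 1024):
    """Return a list of findings for the requestFiltering section of a web.config."""
    findings = []
    rf = ET.fromstring(config_xml).find(RF_PATH)
    if rf is None:
        return ["no <requestFiltering> element found"]
    # Whitelist mode needs allowUnlisted="false"; WebDAV requests skip it unless applyToWebDAV="true".
    for name in ("fileExtensions", "verbs"):
        node = rf.find(name)
        if node is None or node.get("allowUnlisted", "true").lower() != "false":
            findings.append(f"{name}: allowUnlisted is not false (blacklist mode)")
        elif node.get("applyToWebDAV", "true").lower() != "true":
            findings.append(f"{name}: not applied to WebDAV")
    # maxAllowedContentLength is in bytes, so compare against a byte ceiling.
    limits = rf.find("requestLimits")
    length = IIS_DEFAULT_CONTENT_LENGTH
    if limits is not None:
        length = int(limits.get("maxAllowedContentLength", IIS_DEFAULT_CONTENT_LENGTH))
    if length > max_content_bytes:
        findings.append(f"requestLimits: maxAllowedContentLength={length} bytes exceeds {max_content_bytes}")
    return findings
```

Run it against a real web.config by passing the file's contents; an empty list means every check passed.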

On the topic of IIS security: have you disabled weak SSL ciphers and protocols such as SSLv2? This is a requirement of PCI, which all e-commerce sites must adhere to. My company has a product that makes it very easy to disable SSLv2 on IIS.


Wow, that is really straightforward and easy to understand.

That is also a good example of whitelist and blacklist validation with great use of whitelist validation.

Thanks for sharing.
You're welcome, Jason. Yeah, it is actually pretty simple!

Adding the .config files was a smart move for MS!
Pete: thanks for sharing this. This is so much more straightforward and with an Apache background myself, I find this braindead-simple to understand...
I am having a problem opening .msg Outlook files. Is there something I need to change in the applicationHost.config?
I get the 404 server error: file or directory not found.
Spent the last 2 hours trying to find this information. Thanks!!!

Thanks for this article. I have a small confusion regarding adding URL sequences with MS-DOS device names.
Would you kindly help me and tell me how exactly I need to do that?

Hello Musa,

I'm also looking for an ISAPI filter to block URLs with MS-DOS device names. Did you find any solution?
Note: denyUrlSequences was replaced by hiddenSegments after IIS 6.0.
