Request Filtering in IIS 7 Howto
I've been doing some security work in Windows 2008 recently for a client, one feature I've really come to like in IIS 7 is Request Filtering.
You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.
Request filtering can be configured in IIS manager if you install extra addons, or you can configure it using the new config files that IIS 7 introduces. I prefer the
.config files coming from an Apache background.
The global configuration file is called
applicationHost.config and it is located in
C:\windows\system32\inetsrv\config\ by default, this is similar to the
httpd.conf file for Apache.
Site specific configuration can either be added to the
applicationHost.config or in a file called
web.config located in the wwwroot of the website (similar to
.htaccess files on Apache).
<requestFiltering> tag is located under the following location in the XML config file:
/configuration/system.webServer/security/. There are 5 child tags of the
denyUrlSequences- Used to deny specific URI's
fileExtensions- Used to deny specific file extensions, or allow only a whitelist of file extensions.
hiddenSegments- Used to hide URI sequences
requestLimits- Used to limit the size of elements in the HTTP Request (query string, headers, url, content length, etc)
verbs- Deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc)
Here's a quick example of how you might use these features in a
<configuration> <system.webServer> <security> <requestFiltering> <!-- block /CFIDE --> <denyUrlSequences> <add sequence="/CFIDE"/> </denyUrlSequences> <!-- block all file extensions except cfm,js,css,html --> <fileExtensions allowUnlisted="false" applyToWebDAV="true"> <add fileExtension=".cfm" allowed="true" /> <add fileExtension=".js" allowed="true" /> <add fileExtension=".css" allowed="true" /> <add fileExtension=".html" allowed="true" /> </fileExtensions> <!-- hide configuration dir --> <hiddenSegments applyToWebDAV="true"> <add segment="configuration" /> </hiddenSegments> <!-- limit post size to 10mb, query string to 256 chars, url to 1024 chars --> <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="102400000" /> <!-- only allow GET,POST verbs --> <verbs allowUnlisted="false" applyToWebDAV="true"> <add verb="GET" allowed="true" /> <add verb="POST" allowed="true" /> </verbs> </requestFiltering> </security> </system.webServer> </configuration>
On the topic of IIS Security, have you disabled Weak SSL Ciphers and Protocols such as SSLv2, this is a requirement of PCI (which all ecommerce sites must adhere to)? My company has a product that makes it very easy to Disable SSLv2 on IIS.
- IIS: Disabling Weak SSL Protocols and Ciphers - October 8, 2009
- Remove X-Powered-By: ASP.NET Header - October 21, 2008
- Howto Disable the Server Header in IIS - December 6, 2005
- SameSite Cookies with IIS - May 14, 2018
- Blocking .svn and .git Directories on Apache or IIS - October 15, 2013
That is also a good example of whitelist and blacklist validation with great use of whitelist validation.
Thanks for sharing.
Adding the .config files was a smart move for MS!
I get the 404 Server error file or directory not found.
Thanks for this article, I have a small confusion regarding adding URL sequences with MS-DOS device names?
Would you kindly help me and tell me how exactly do I need to do that?
Even I'm looking for ISAPI filter to block URLs with MsDos Device names. Did you find any solution?
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained