IIS 7.0 Reuest Filtering For Builtin Security Feature

Overview

Request Filtering is a built-in security feature that was introduced in Internet Information Services (IIS) 7.0, and replaces much of the functionality that was available through the UrlScan add-on for IIS 6.0. All of the settings for the request filtering feature are located within the <requestFiltering> element, which contains several child elements for each of the following feature areas:
  • <denyUrlSequences> - This element can contain a collection of URL sequence patterns that IIS 7 will deny; for example: you can deny parts of URL sequences that an attacker might try to exploit.
  • <fileExtensions> - This element can contain a collection of file name extensions that IIS 7 will either deny or allow; for example: you can block all requests for Web.config files.
  • <hiddenSegments> - This element can contain a collection of URLs that cannot be browsed; for example: you can deny requests for the ASP.NET App_Code folder.
  • <requestLimits> - This element contains the settings for URL, content, and query string lengths. It can also contain a collection of user-defined maximum lengths for HTTP headers.
  • <verbs> - This element can contain a collection of HTTP verbs that IIS 7 will either deny or allow; for example: you can block all HTTP TRACE requests.

New in IIS 7.5

IIS 7.5 added several additional feature areas for request filtering:
  • <alwaysAllowedUrls> - This element can contain a collection of URLs that request filtering will always allow.
  • <alwaysAllowedQueryStrings> -This element can contain a collection query strings of that request filtering will always allow.
  • <denyQueryStringSequences> - This element can contain a collection of query string sequences that request filtering will always deny. This allows administrators to block potentially dangerous query string sequences that they detect.
  • <filteringRules> - This element can contain a collection of custom request filtering rules. This collection allows administrators to create customized request filtering rules for specific criteria.

HTTP 404 Error Substatus Codes

When request filtering blocks an HTTP request, IIS 7 will return an HTTP 404 error to the client and log the HTTP status with a unique substatus that identifies the reason that the request was denied. For example:
HTTP SubstatusDescription
404.5URL Sequence Denied
404.6Verb Denied
404.7File Extension Denied
404.8Hidden Namespace
404.10Request Header Too Long
404.11URL Double Escaped
404.12URL Has High Bit Chars
404.13Content Length Too Large
404.14URL Too Long
404.15Query String Too Long
404.18Query String Sequence Denied
404.19Denied by Filtering Rule

These substatuses allow Web administrators to analyze their IIS logs and identify potential threats.

Compatibility

VersionNotes
IIS 7.5In IIS 7.5, request filtering ships with the unescapeQueryString attribute and the alwaysAllowedUrls, alwaysAllowedQueryStrings, denyQueryStringSequences, and filteringRules elements. These elements were first introduced as an update for IIS 7.0 that is available through Microsoft Knowledge Base Article 957508.
IIS 7.0The <requestFiltering> element was introduced in IIS 7.0.
IIS 6.0The <requestFiltering> element replaces the IIS 6.0 UrlScan features.

Setup

The default installation of IIS 7 includes the Request Filtering role service. If the Request Filtering role service is uninstalled, you can reinstall it using the following steps.

Windows Server 2008 or Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
  5. On the Confirm Installation Selections page, click Install.
  6. On the Results page, click Close.

Windows Vista or Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, then World Wide Web Services, and then Security.
  4. Select Request Filtering, and then click OK.

How To

Note for IIS 7.0 users: Some of the steps in this section may require that you install the Microsoft Administration Pack for IIS 7.0, which includes a user interface for request filtering. To install the Microsoft Administration Pack for IIS 7.0, please see the following URL:

How to edit the request filtering feature settings and request limits

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. Click Edit Feature Settings... in the Actions pane.
  5. Specify your options, and then click OK.

    For example, you could make the following changes:
    • Change the maximum URL length to 2KB by specifying 2048.
    • Change the maximum query string length to 1KB by specifying 1024.
    • Deny access to unlisted HTTP verbs by clearing the Allow unlisted verbs check box.

How to deny a URL sequence

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the Deny URL Sequences tab, and then click Add URL Sequence... in the Actions pane.
  5. In the Add Deny Sequence dialog box, enter the URL sequence that you wish to block, and then click OK.
    For example, to prevent directory transversal on your server, you would enter two periods ("..") in the dialog box.

How to deny access to a specific file name extension

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the File Name Extensions tab, and then click Deny File Name Extension... in the Actions pane.
  5. In the Deny File Name Extension dialog box, enter the file name extension that you wish to block, and then click OK.

    For example, to prevent access to files with a file name extension of .inc, you would enter "inc" in the dialog box.

How to add a hidden segment

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the Hidden Segments tab, and then click Add Hidden Segment... in the Actions pane.
  5. In the Add Hidden Segment dialog box, enter the relative path that you want to hide, and then click OK.

How to add limits for HTTP headers

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the Headers tab, and then click Add Header... in the Actions pane.
  5. In the Add Header dialog box, enter the HTTP header and the maximum size that you want for the header limit, and then click OK.
    For example, the "Content-type" header contains the MIME type for a request. Specifying a value of 100 would limit the length of the "Content-type" header to 100 bytes.

How to deny an HTTP verb

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click Request Filtering.
  4. In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... in the Actions pane.
  5. In the Deny Verb dialog box, enter the HTTP verb that you wish to block, and then click OK.
    For example, to prevent HTTP TRACE requests to your server, you would enter "TRACE" in the dialog box.

Configuration

Attributes

AttributeDescription
allowDoubleEscapingOptional Boolean attribute.

If set to true, request filtering will allow URLs with doubly-escaped characters. If set to false, request filtering will deny the request if characters that have been escaped twice are present in URLs.

The default value is false.
allowHighBitCharactersOptional Boolean attribute.

If set to true, request filtering will allow non-ASCII characters in URLs. If set to false, request filtering will deny the request if high-bit characters are present in URLs.

The default value is true.
unescapeQueryStringOptional Boolean attribute.

Specifies whether to unescape the query string.

If set to true, request filtering will perform two passes on each query string scan. The first pass will scan the raw query string, and the second pass will scan the query string after IIS has decoded any escape sequences. If set to false, request filtering will only look at the raw query string as sent by the client.

Note: This attribute was added in IIS 7.5.

The default value is true.

Child Elements

ElementDescription
alwaysAllowedQueryStringsOptional element.

Specifies a collection of query strings that request filtering will always allow.

Note: This element was added in IIS 7.5.
alwaysAllowedUrlsOptional element.

Specifies a collection of URLs that request filtering will always allow.

Note: This element was added in IIS 7.5.
denyQueryStringSequencesOptional element.

Specifies a collection of query string sequences that request filtering will always deny.

Note: This element was added in IIS 7.5.
denyUrlSequencesOptional element.

Specifies sequences that should be denied to help prevent URL-based attacks on the Web server.
fileExtensionsOptional element.

Specifies which file name extensions are allowed or denied to limit types of requests sent to the Web server.
filteringRulesOptional element.

Specifies a collection of custom request filtering rules.

Note: This element was added in IIS 7.5.
hiddenSegmentsOptional element.

Specifies that certain segments of URLs can be made inaccessible to clients.
requestLimitsOptional element.

Specifies limits on requests processed by the Web server.
verbsOptional element.

Specifies which HTTP verbs are allowed or denied to limit types of requests sent to the Web server.

Configuration Sample

The following configuration sample from a Web.config file performs several security-related tasks:
  • Denies access to two URL sequences. The first sequence prevents directory transversal and the second sequence prevents access to alternate data streams.
  • Denies access to unlisted file name extensions and unlisted HTTP verbs.
  • Sets the maximum length for a URL to 2KB and the maximum length for a query string to 1KB.
<configuration> 
   <system.webServer> 
      <security> 
         <requestFiltering> 
            <denyUrlSequences> 
               <add sequence=".." /> 
               <add sequence=":" /> 
            </denyUrlSequences> 
            <fileExtensions allowUnlisted="false" /> 
            <requestLimits maxUrl="2048" maxQueryString="1024" /> 
            <verbs allowUnlisted="false" /> 
         </requestFiltering> 
      </security> 
   </system.webServer> 
</configuration>

Sample Code

The following code samples demonstrate how to deny access to three URL sequences for the Default Web Site: directory transversals (".."), alternate data streams (":"), and backslashes ("\").

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='..']"  
 
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence=':']"  
 
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='\']" 

C#

using System; 
using System.Text; 
using Microsoft.Web.Administration; 
 
internal static class Sample 
{ 
   private static void Main() 
   { 
      using (ServerManager serverManager = new ServerManager()) 
      { 
         Configuration config = serverManager.GetWebConfiguration("Default Web Site"); 
 
         ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering"); 
 
         ConfigurationElementCollection denyUrlSequencesCollection = requestFilteringSection.GetCollection("denyUrlSequences"); 
 
         ConfigurationElement addElement = denyUrlSequencesCollection.CreateElement("add"); 
         addElement["sequence"] = @".."; 
         denyUrlSequencesCollection.Add(addElement); 
 
         ConfigurationElement addElement1 = denyUrlSequencesCollection.CreateElement("add"); 
         addElement1["sequence"] = @":"; 
         denyUrlSequencesCollection.Add(addElement1); 
 
         ConfigurationElement addElement2 = denyUrlSequencesCollection.CreateElement("add"); 
         addElement2["sequence"] = @"\"; 
         denyUrlSequencesCollection.Add(addElement2); 
 
         serverManager.CommitChanges(); 
      } 
   } 
}

VB.NET

Imports System 
Imports System.Text 
Imports Microsoft.Web.Administration 
 
Module Sample 
 
Sub Main() 
      Dim serverManager As ServerManager = New ServerManager 
      Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site") 
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering") 
      Dim denyUrlSequencesCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("denyUrlSequences") 
 
      Dim addElement As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add") 
      addElement("sequence") = ".." 
      denyUrlSequencesCollection.Add(addElement) 
 
      Dim addElement1 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add") 
      addElement1("sequence") = ":" 
      denyUrlSequencesCollection.Add(addElement1) 
 
      Dim addElement2 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add") 
      addElement2("sequence") = "\" 
      denyUrlSequencesCollection.Add(addElement2) 
 
      serverManager.CommitChanges() 
   End Sub 
 
End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager'); 
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"; 
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site"); 
var denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection; 
 
var addElement = denyUrlSequencesCollection.CreateNewElement("add"); 
addElement.Properties.Item("sequence").Value = ".."; 
denyUrlSequencesCollection.AddElement(addElement); 
 
var addElement1 = denyUrlSequencesCollection.CreateNewElement("add"); 
addElement1.Properties.Item("sequence").Value = ":"; 
denyUrlSequencesCollection.AddElement(addElement1); 
 
var addElement2 = denyUrlSequencesCollection.CreateNewElement("add"); 
addElement2.Properties.Item("sequence").Value = "\\"; 
denyUrlSequencesCollection.AddElement(addElement2); 
 
adminManager.CommitChanges();

VBScript

Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager") 
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site" 
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site") 
Set denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection 
 
Set addElement = denyUrlSequencesCollection.CreateNewElement("add") 
addElement.Properties.Item("sequence").Value = ".." 
denyUrlSequencesCollection.AddElement(addElement) 
 
Set addElement1 = denyUrlSequencesCollection.CreateNewElement("add") 
addElement1.Properties.Item("sequence").Value = ":" 
denyUrlSequencesCollection.AddElement(addElement1) 
 
Set addElement2 = denyUrlSequencesCollection.CreateNewElement("add") 
addElement2.Properties.Item("sequence").Value = "\" 
denyUrlSequencesCollection.AddElement(addElement2) 
 
adminManager.CommitChanges()

Comments