Overview
Request Filtering is a built-in security feature that was introduced in Internet Information Services (IIS) 7.0, and replaces much of the functionality that was available through the UrlScan add-on for IIS 6.0. All of the settings for the request filtering feature are located within the<requestFiltering>
element, which contains several child elements for each of the following feature areas:<denyUrlSequences>
- This element can contain a collection of URL sequence patterns that IIS 7 will deny; for example: you can deny parts of URL sequences that an attacker might try to exploit.<fileExtensions>
- This element can contain a collection of file name extensions that IIS 7 will either deny or allow; for example: you can block all requests for Web.config files.<hiddenSegments>
- This element can contain a collection of URLs that cannot be browsed; for example: you can deny requests for the ASP.NET App_Code folder.<requestLimits>
- This element contains the settings for URL, content, and query string lengths. It can also contain a collection of user-defined maximum lengths for HTTP headers.<verbs>
- This element can contain a collection of HTTP verbs that IIS 7 will either deny or allow; for example: you can block all HTTP TRACE requests.
New in IIS 7.5
IIS 7.5 added several additional feature areas for request filtering:<alwaysAllowedUrls>
- This element can contain a collection of URLs that request filtering will always allow.<alwaysAllowedQueryStrings>
-This element can contain a collection query strings of that request filtering will always allow.<denyQueryStringSequences>
- This element can contain a collection of query string sequences that request filtering will always deny. This allows administrators to block potentially dangerous query string sequences that they detect.<filteringRules>
- This element can contain a collection of custom request filtering rules. This collection allows administrators to create customized request filtering rules for specific criteria.
HTTP 404 Error Substatus Codes
When request filtering blocks an HTTP request, IIS 7 will return an HTTP 404 error to the client and log the HTTP status with a unique substatus that identifies the reason that the request was denied. For example:HTTP Substatus | Description |
---|---|
404.5 | URL Sequence Denied |
404.6 | Verb Denied |
404.7 | File Extension Denied |
404.8 | Hidden Namespace |
404.10 | Request Header Too Long |
404.11 | URL Double Escaped |
404.12 | URL Has High Bit Chars |
404.13 | Content Length Too Large |
404.14 | URL Too Long |
404.15 | Query String Too Long |
404.18 | Query String Sequence Denied |
404.19 | Denied by Filtering Rule |
These substatuses allow Web administrators to analyze their IIS logs and identify potential threats.
Compatibility
Version | Notes |
---|---|
IIS 7.5 | In IIS 7.5, request filtering ships with the unescapeQueryString attribute and the alwaysAllowedUrls , alwaysAllowedQueryStrings , denyQueryStringSequences , and filteringRules elements. These elements were first introduced as an update for IIS 7.0 that is available through Microsoft Knowledge Base Article 957508. |
IIS 7.0 | The <requestFiltering> element was introduced in IIS 7.0. |
IIS 6.0 | The <requestFiltering> element replaces the IIS 6.0 UrlScan features. |
Setup
The default installation of IIS 7 includes the Request Filtering role service. If the Request Filtering role service is uninstalled, you can reinstall it using the following steps.Windows Server 2008 or Windows Server 2008 R2
- On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
- In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
- In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
- On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
- On the Confirm Installation Selections page, click Install.
- On the Results page, click Close.
Windows Vista or Windows 7
- On the taskbar, click Start, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
- Expand Internet Information Services, then World Wide Web Services, and then Security.
- Select Request Filtering, and then click OK.
How To
Note for IIS 7.0 users: Some of the steps in this section may require that you install the Microsoft Administration Pack for IIS 7.0, which includes a user interface for request filtering. To install the Microsoft Administration Pack for IIS 7.0, please see the following URL:How to edit the request filtering feature settings and request limits
- Open Internet Information Services (IIS) Manager:
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- Click Edit Feature Settings... in the Actions pane.
- Specify your options, and then click OK.
For example, you could make the following changes:- Change the maximum URL length to 2KB by specifying 2048.
- Change the maximum query string length to 1KB by specifying 1024.
- Deny access to unlisted HTTP verbs by clearing the Allow unlisted verbs check box.
How to deny a URL sequence
- Open Internet Information Services (IIS) Manager:
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- In the Request Filtering pane, click the Deny URL Sequences tab, and then click Add URL Sequence... in the Actions pane.
- In the Add Deny Sequence dialog box, enter the URL sequence that you wish to block, and then click OK.
For example, to prevent directory transversal on your server, you would enter two periods ("..") in the dialog box.
How to deny access to a specific file name extension
- Open Internet Information Services (IIS) Manager:
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- In the Request Filtering pane, click the File Name Extensions tab, and then click Deny File Name Extension... in the Actions pane.
- In the Deny File Name Extension dialog box, enter the file name extension that you wish to block, and then click OK.
For example, to prevent access to files with a file name extension of .inc, you would enter "inc" in the dialog box.
How to add a hidden segment
- Open Internet Information Services (IIS) Manager:
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- In the Request Filtering pane, click the Hidden Segments tab, and then click Add Hidden Segment... in the Actions pane.
- In the Add Hidden Segment dialog box, enter the relative path that you want to hide, and then click OK.
How to add limits for HTTP headers
- Open Internet Information Services (IIS) Manager:
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- In the Request Filtering pane, click the Headers tab, and then click Add Header... in the Actions pane.
- In the Add Header dialog box, enter the HTTP header and the maximum size that you want for the header limit, and then click OK.
For example, the "Content-type" header contains the MIME type for a request. Specifying a value of 100 would limit the length of the "Content-type" header to 100 bytes.
How to deny an HTTP verb
- Open Internet Information Services (IIS) Manager:
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- If you are using Windows Server 2008 or Windows Server 2008 R2:
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... in the Actions pane.
- In the Deny Verb dialog box, enter the HTTP verb that you wish to block, and then click OK.
For example, to prevent HTTP TRACE requests to your server, you would enter "TRACE" in the dialog box.
Configuration
Attributes
Attribute | Description |
---|---|
allowDoubleEscaping | Optional Boolean attribute. If set to true, request filtering will allow URLs with doubly-escaped characters. If set to false, request filtering will deny the request if characters that have been escaped twice are present in URLs. The default value is false . |
allowHighBitCharacters | Optional Boolean attribute. If set to true, request filtering will allow non-ASCII characters in URLs. If set to false, request filtering will deny the request if high-bit characters are present in URLs. The default value is true . |
unescapeQueryString | Optional Boolean attribute. Specifies whether to unescape the query string. If set to true, request filtering will perform two passes on each query string scan. The first pass will scan the raw query string, and the second pass will scan the query string after IIS has decoded any escape sequences. If set to false, request filtering will only look at the raw query string as sent by the client. Note: This attribute was added in IIS 7.5. The default value is true . |
Child Elements
Element | Description |
---|---|
alwaysAllowedQueryStrings | Optional element. Specifies a collection of query strings that request filtering will always allow. Note: This element was added in IIS 7.5. |
alwaysAllowedUrls | Optional element. Specifies a collection of URLs that request filtering will always allow. Note: This element was added in IIS 7.5. |
denyQueryStringSequences | Optional element. Specifies a collection of query string sequences that request filtering will always deny. Note: This element was added in IIS 7.5. |
denyUrlSequences | Optional element. Specifies sequences that should be denied to help prevent URL-based attacks on the Web server. |
fileExtensions | Optional element. Specifies which file name extensions are allowed or denied to limit types of requests sent to the Web server. |
filteringRules | Optional element. Specifies a collection of custom request filtering rules. Note: This element was added in IIS 7.5. |
hiddenSegments | Optional element. Specifies that certain segments of URLs can be made inaccessible to clients. |
requestLimits | Optional element. Specifies limits on requests processed by the Web server. |
verbs | Optional element. Specifies which HTTP verbs are allowed or denied to limit types of requests sent to the Web server. |
Configuration Sample
The following configuration sample from a Web.config file performs several security-related tasks:- Denies access to two URL sequences. The first sequence prevents directory transversal and the second sequence prevents access to alternate data streams.
- Denies access to unlisted file name extensions and unlisted HTTP verbs.
- Sets the maximum length for a URL to 2KB and the maximum length for a query string to 1KB.
<configuration> <system.webServer> <security> <requestFiltering> <denyUrlSequences> <add sequence=".." /> <add sequence=":" /> </denyUrlSequences> <fileExtensions allowUnlisted="false" /> <requestLimits maxUrl="2048" maxQueryString="1024" /> <verbs allowUnlisted="false" /> </requestFiltering> </security> </system.webServer> </configuration>
Sample Code
The following code samples demonstrate how to deny access to three URL sequences for the Default Web Site: directory transversals (".."), alternate data streams (":"), and backslashes ("\").AppCmd.exe
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='..']" appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence=':']" appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='\']"
C#
using System; using System.Text; using Microsoft.Web.Administration; internal static class Sample { private static void Main() { using (ServerManager serverManager = new ServerManager()) { Configuration config = serverManager.GetWebConfiguration("Default Web Site"); ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering"); ConfigurationElementCollection denyUrlSequencesCollection = requestFilteringSection.GetCollection("denyUrlSequences"); ConfigurationElement addElement = denyUrlSequencesCollection.CreateElement("add"); addElement["sequence"] = @".."; denyUrlSequencesCollection.Add(addElement); ConfigurationElement addElement1 = denyUrlSequencesCollection.CreateElement("add"); addElement1["sequence"] = @":"; denyUrlSequencesCollection.Add(addElement1); ConfigurationElement addElement2 = denyUrlSequencesCollection.CreateElement("add"); addElement2["sequence"] = @"\"; denyUrlSequencesCollection.Add(addElement2); serverManager.CommitChanges(); } } }
VB.NET
Imports System Imports System.Text Imports Microsoft.Web.Administration Module Sample Sub Main() Dim serverManager As ServerManager = New ServerManager Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site") Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering") Dim denyUrlSequencesCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("denyUrlSequences") Dim addElement As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add") addElement("sequence") = ".." denyUrlSequencesCollection.Add(addElement) Dim addElement1 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add") addElement1("sequence") = ":" denyUrlSequencesCollection.Add(addElement1) Dim addElement2 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add") addElement2("sequence") = "\" denyUrlSequencesCollection.Add(addElement2) serverManager.CommitChanges() End Sub End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager'); adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"; var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site"); var denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection; var addElement = denyUrlSequencesCollection.CreateNewElement("add"); addElement.Properties.Item("sequence").Value = ".."; denyUrlSequencesCollection.AddElement(addElement); var addElement1 = denyUrlSequencesCollection.CreateNewElement("add"); addElement1.Properties.Item("sequence").Value = ":"; denyUrlSequencesCollection.AddElement(addElement1); var addElement2 = denyUrlSequencesCollection.CreateNewElement("add"); addElement2.Properties.Item("sequence").Value = "\\"; denyUrlSequencesCollection.AddElement(addElement2); adminManager.CommitChanges();
VBScript
Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager") adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site" Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site") Set denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection Set addElement = denyUrlSequencesCollection.CreateNewElement("add") addElement.Properties.Item("sequence").Value = ".." denyUrlSequencesCollection.AddElement(addElement) Set addElement1 = denyUrlSequencesCollection.CreateNewElement("add") addElement1.Properties.Item("sequence").Value = ":" denyUrlSequencesCollection.AddElement(addElement1) Set addElement2 = denyUrlSequencesCollection.CreateNewElement("add") addElement2.Properties.Item("sequence").Value = "\" denyUrlSequencesCollection.AddElement(addElement2) adminManager.CommitChanges()
Comments
Post a Comment