Request Filtering is a built-in security feature that was introduced in Internet Information Services (IIS) 7.0.
General Request Filter Settings
The general settings include the following:
- Whether to allow access to files whose extension is not listed in the request filter.
- Whether to allow requests that use HTTP verbs that are not listed.
- Whether to allow requests that contain high-bit characters (non-ASCII).
- Whether to allow requests that are double encoded.
- Maximum content length of the request.
- Maximum length of the URL.
- Maximum size of a query string.
You can configure Request Filtering at the server-wide level and then override or extend the filtering at the site or application level.
Request Filtering can be configured in IIS Manager if you install extra add-ons, or you can configure it using the new .config files that IIS 7 introduces. Coming from an Apache background, I prefer the .config files.
The global configuration file is called applicationHost.config and by default it is located in C:\windows\system32\inetsrv\config\. It is similar to the httpd.conf file for Apache.
Site-specific configuration can be added either to applicationHost.config or to a file called web.config located in the wwwroot of the website (similar to .htaccess files on Apache).
The <requestFiltering> tag is located at the following path in the XML config file: /configuration/system.webServer/security/. There are 5 child tags of the requestFiltering tag:
- denyUrlSequences - Used to deny requests containing specific URI sequences
- fileExtensions - Used to deny specific file extensions, or to allow only a whitelist of file extensions.
- hiddenSegments - Used to hide specific URI segments so they cannot be served
- requestLimits - Used to limit the size of elements in the HTTP request (query string, headers, URL, content length, etc.)
- verbs - Used to deny HTTP verbs (such as POST, TRACE, PUT, DELETE, etc.)
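As an added example (not from the original post), here is a site-level web.config that uses all five child tags plus the general double-encoding and high-bit settings described above. The extensions, segment name, verbs and size limits are constructed values for illustration; the element and attribute names are the real IIS 7 schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- General settings: reject double-encoded URLs and non-ASCII characters -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <!-- denyUrlSequences: any request whose URL contains these sequences is rejected -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
        <!-- fileExtensions: whitelist mode, only the listed extensions are served -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".aspx" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".png" allowed="true" />
        </fileExtensions>
        <!-- hiddenSegments: "private" is a constructed folder name for this example;
             requests for anything under it return 404 even though the files exist -->
        <hiddenSegments>
          <add segment="private" />
        </hiddenSegments>
        <!-- requestLimits: all sizes in bytes; headerLimits caps individual headers -->
        <requestLimits maxAllowedContentLength="10485760" maxUrl="2048" maxQueryString="1024">
          <headerLimits>
            <add header="Content-Type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
        <!-- verbs: whitelist mode, everything not listed (TRACE, PUT, DELETE, ...) is denied -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The segments IIS hides by default (bin, App_Code, App_Data and so on) are already listed in applicationHost.config, so re-adding them in a site web.config produces a duplicate collection entry error rather than a stricter policy. A request rejected by any of these rules is answered with HTTP 404 and logged with a 404.x sub-status that identifies the rule, which is the first place to look when a legitimate request is unexpectedly blocked.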