An Overview of IIS 7.5 feature - Request Filtering

Let’s open IIS 7.5 Manager and check whether the Request Filtering module is present under the IIS section, as shown below:

[Screenshot: Request Filtering module under the IIS section of IIS Manager]

If it is not there, we can install it by going to “Turn Windows features on or off” in Control Panel and selecting it under Internet Information Services, WWW Services, Security, then Request Filtering.

[Screenshot: Request Filtering under Windows Features]

Let’s select “Default Web Site”, double-click Request Filtering and walk through its settings:

[Screenshot: Request Filtering settings for Default Web Site]

There are multiple tabs for configuring the filtering rules that apply to a web request.

The File Name Extensions tab allows or denies a request based on the extension in its URL:

[Screenshot: File Name Extensions tab]

Here we blocked requests with the .aspx extension; IIS will return 404.7 for any .aspx request.

A new allow or deny rule is added by clicking Allow File Name Extension or Deny File Name Extension:

[Screenshot: Allow/Deny File Name Extension dialog]

In the Rules tab we can create our own custom filtering rules:

[Screenshot: Rules tab]

Here I created a rule, “Test rule”, that scans the URL and query string of .aspx requests and denies those containing the DECLARE or BEGIN keywords.

In the Hidden Segments tab we can specify URL segments that cannot be browsed:

[Screenshot: Hidden Segments tab]

Here I configured a rule to block URLs that request the MyCode folder.

In the URL tab we can configure an “Allow URL” or “Deny Sequence” entry:

[Screenshot: URL tab]

Here I configured a rule to deny the sequence “~” in the URL.

In the HTTP Verbs tab we can allow or deny a request based on its verb:

[Screenshot: HTTP Verbs tab]

This setting blocks any request with PUT as its HTTP verb.

In the Headers tab we can add headers and set a maximum size for each:

[Screenshot: Headers tab]

Here I configured the content-size header with a size limit of 100 bytes.

In the Query String tab we can allow or deny a request based on its query string:

[Screenshot: Query String tab]

This blocks any request with username in its query string.

By looking at the sub-status code of the 404 in the IIS logs or FREB (Failed Request Tracing) logs, we can easily identify which filtering rule blocked the request:

HTTP Sub-status   Description
404.5             URL Sequence Denied
404.6             Verb Denied
404.7             File Extension Denied
404.8             Hidden Namespace
404.10            Request Header Too Long
404.11            URL Double Escaped
404.12            URL Has High Bit Chars
404.13            Content Length Too Large
404.14            URL Too Long
404.15            Query String Too Long
404.18            Query String Sequence Denied
404.19            Denied by Filtering Rule
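As an added example (not part of the original article), the PowerShell below reads W3C-format IIS log lines, keeps the 404 entries whose sub-status is one of the Request Filtering codes in the table above, and reports which rule category rejected each request. It assumes the default W3C field set (the `#Fields:` header is parsed, so a different field order still works); the log lines in `$sampleLog` are constructed for the example.

```powershell
# Map 404 sub-status -> Request Filtering reason (the table from the article)
$SubStatusReason = @{
    5  = 'URL Sequence Denied'
    6  = 'Verb Denied'
    7  = 'File Extension Denied'
    8  = 'Hidden Namespace'
    10 = 'Request Header Too Long'
    11 = 'URL Double Escaped'
    12 = 'URL Has High Bit Chars'
    13 = 'Content Length Too Large'
    14 = 'URL Too Long'
    15 = 'Query String Too Long'
    18 = 'Query String Sequence Denied'
    19 = 'Denied by Filtering Rule'
}

function Get-RequestFilteringDenial {
    param([string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # The field list tells us which column holds sc-status / sc-substatus
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        # Skip other directives, blank lines, and data that precedes a #Fields header
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, ignore
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $sub = [int]$row['sc-substatus']
        if ($row['sc-status'] -eq '404' -and $SubStatusReason.ContainsKey($sub)) {
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $row['c-ip']
                Method    = $row['cs-method']
                Url       = $row['cs-uri-stem']
                Query     = $row['cs-uri-query']
                SubStatus = "404.$sub"
                Reason    = $SubStatusReason[$sub]
            }
        }
    }
}

# Constructed sample log (IIS replaces spaces inside a field with '+', so each field is one token)
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 404 7 0 15
2024-01-15 10:00:02 10.0.0.5 PUT /upload - 80 - 192.0.2.10 curl/7.0 404 6 0 3
2024-01-15 10:00:03 10.0.0.5 GET /MyCode/secret.txt - 80 - 192.0.2.11 Mozilla/5.0 404 8 0 4
2024-01-15 10:00:04 10.0.0.5 GET /index.htm - 80 - 192.0.2.12 Mozilla/5.0 200 0 0 10
'@ -split "`r?`n"

$denials = Get-RequestFilteringDenial -LogLines $sampleLog
$denials | Format-Table Time, ClientIP, Method, Url, SubStatus, Reason -AutoSize

# Counts per reason: a quick view of which rules are doing the work (or being probed)
$denials | Group-Object Reason | Select-Object Count, Name
```

On a real server, replace `$sampleLog` with `Get-Content` over the site's log folder (by default under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteId>`). The `sc-substatus` field is part of the default W3C field selection, so the sub-status is already there; if it has been removed from the logging fields, only the bare 404 appears and the rule cannot be identified from the log alone, which is when FREB tracing becomes the fallback.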

Instead of IIS Manager, we can use appcmd.exe to configure it with the following command:

C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"verbs.[verb='GIVE',allowed='false']"

This denies any request whose HTTP verb is GIVE:

[Screenshot: GIVE verb listed as not allowed in the HTTP Verbs tab]

We can click “Edit Feature Settings” in the Actions pane to configure general request filtering options such as the maximum allowed URL length, query string length and allowed content length (useful for file uploads):

[Screenshot: Edit Request Filtering Settings dialog]
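The PowerShell below is an added example, not the article's own code: it applies the same rules the article builds tab by tab in IIS Manager (file extension, custom filtering rule, hidden segment, URL sequence, verb, header limit, query string sequence) plus the general limits from “Edit Feature Settings”, using the WebAdministration module that ships with IIS 7.5. The site name is an assumption, and the three general limits at the end are assumed values (they match the IIS defaults); the comments note which 404 sub-status each rule produces when it fires.

```powershell
# Added example: Request Filtering rules via the WebAdministration module
Import-Module WebAdministration

$site = 'Default Web Site'                      # assumed site name
$rf   = 'system.webServer/security/requestFiltering'
# Write into the site's <location> block of applicationHost.config
$cfg  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }

# File Name Extensions tab: deny .aspx (blocked requests log 404.7)
Add-WebConfigurationProperty @cfg -Filter "$rf/fileExtensions" -Name '.' `
    -Value @{ fileExtension = '.aspx'; allowed = 'False' }

# Rules tab: "Test rule" scans URL and query string of .aspx requests and
# denies DECLARE / BEGIN (404.19)
Add-WebConfigurationProperty @cfg -Filter "$rf/filteringRules" -Name '.' `
    -Value @{ name = 'Test rule'; scanUrl = 'True'; scanQueryString = 'True' }
$rule = "$rf/filteringRules/filteringRule[@name='Test rule']"
Add-WebConfigurationProperty @cfg -Filter "$rule/appliesTo"   -Name '.' -Value @{ fileExtension = '.aspx' }
Add-WebConfigurationProperty @cfg -Filter "$rule/denyStrings" -Name '.' -Value @{ string = 'DECLARE' }
Add-WebConfigurationProperty @cfg -Filter "$rule/denyStrings" -Name '.' -Value @{ string = 'BEGIN' }

# Hidden Segments tab: the MyCode folder can never be browsed (404.8)
Add-WebConfigurationProperty @cfg -Filter "$rf/hiddenSegments" -Name '.' -Value @{ segment = 'MyCode' }

# URL tab: deny the "~" sequence anywhere in the URL (404.5)
Add-WebConfigurationProperty @cfg -Filter "$rf/denyUrlSequences" -Name '.' -Value @{ sequence = '~' }

# HTTP Verbs tab: deny PUT (404.6)
Add-WebConfigurationProperty @cfg -Filter "$rf/verbs" -Name '.' -Value @{ verb = 'PUT'; allowed = 'False' }

# Headers tab: cap the content-size header at 100 bytes (404.10)
Add-WebConfigurationProperty @cfg -Filter "$rf/requestLimits/headerLimits" -Name '.' `
    -Value @{ header = 'content-size'; sizeLimit = '100' }

# Query String tab: deny "username" in the query string (404.18)
Add-WebConfigurationProperty @cfg -Filter "$rf/denyQueryStringSequences" -Name '.' -Value @{ sequence = 'username' }

# Edit Feature Settings: general limits (assumed values; they equal the IIS defaults)
# Exceeding them logs 404.14, 404.15 and 404.13 respectively
Set-WebConfigurationProperty @cfg -Filter "$rf/requestLimits" -Name 'maxUrl'                  -Value 4096
Set-WebConfigurationProperty @cfg -Filter "$rf/requestLimits" -Name 'maxQueryString'          -Value 2048
Set-WebConfigurationProperty @cfg -Filter "$rf/requestLimits" -Name 'maxAllowedContentLength' -Value 30000000

# Read back the verb list to confirm what was written
Get-WebConfiguration @cfg -Filter "$rf/verbs/add" | Select-Object verb, allowed
```

Using `-PSPath 'MACHINE/WEBROOT/APPHOST'` with `-Location` stores the rules in applicationHost.config rather than in the site's web.config, so a later application deployment that overwrites web.config does not silently drop them; pass `-PSPath "IIS:\Sites\$site"` instead if the rules are meant to travel with the application. Running the script twice fails on the `Add-WebConfigurationProperty` calls because the entries already exist, so check with `Get-WebConfiguration` first or remove the entry with `Remove-WebConfigurationProperty` before re-adding it.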

This feature remained the same in IIS 8 and 8.5, so the settings above still apply. It is very helpful for allowing or denying requests based on URL, headers, HTTP verbs, etc., for better security.

I am ending things here on Request Filtering; I hope this article will be helpful for all.
