Configuring HTTP filtering

  • Article

Microsoft Forefront Threat Management Gateway provides granular control over HTTP traffic in the form of an HTTP filter. The HTTP application-layer filter examines HTTP commands and data that pass through the Forefront TMG computer, and it only allows compliant requests to pass through. This significantly improves the security of your Web servers by helping ensure that they only respond to valid requests. It also enables you to control client Internet access. HTTP filtering can be applied in two general scenarios:

  • Internal clients accessing HTTP objects (HTML pages and graphics, or other data that can be transferred using the HTTP protocol) on another network (usually the Internet) through the Forefront TMG computer. This access is controlled by Forefront TMG access rules. An HTTP policy can be applied to each rule using the HTTP filter.
  • External clients accessing HTTP objects on a Web server that is published through the Forefront TMG server. This access is controlled by Forefront TMG Web publishing rules. An HTTP policy can be applied to each rule using the HTTP filter.

HTTP filtering is rule specific, and different criteria can be set on each rule. For example, you can use HTTP filtering to block the use of a particular peer-to-peer file sharing service for one set of users, but you can allow it for another set. When content is blocked by an HTTP filter setting on a rule, users receive a 502 Proxy Error with the message "The request was rejected by the HTTP filter". Configuring an HTTP filtering policy for a rule consists of the following:

  • Set a maximum number of bytes for a header, payload, URL or query.
  • Block requests with URLs containing specific characters.
  • Block specific HTTP methods (verbs), extensions and headers.
  • Block specific signatures. This topic also describes how to identify signatures.

Where to start. To configure HTTP filtering for a rule, in the Forefront TMG Management console tree, click the Web Access Policy node. In the details pane, right-click the rule, and then click Configure HTTP.

Configuring headers and URLs blocking

  1. On the General tab, configure the following:
  2. In Maximum headers length (bytes), specify the maximum number of bytes in the URL and HTTP header for an HTTP request before it is blocked. This setting applies to all rules, so if you change it in one rule, it is changed in all rules. Reducing the allowed header size mitigates the risk of attacks that require complex and long headers, such as buffer overflow attacks and some denial of service attacks. If you set the maximum headers length too low, it could impact some legitimate applications that use long headers. We recommend that you start with a limit of 10,000 bytes and increase it only if you find that needed applications are being blocked.
  3. Clear Allow any payload length to block requests exceeding the number of bytes specified in Maximum payload length (bytes). By limiting the request payload, you can restrict the amount of data a user can POST into your website in a Web publishing scenario. To determine what limit to set, estimate the maximum size of a file that would constitute a legitimate POST based on your site usage, and use that as the allowed payload length. This assumes that any POST larger than the limit you defined is a potential attack.
  4. In Maximum URL length (bytes), type the maximum URL length allowed. Requests with URLs exceeding this value will be blocked.
  5. In Maximum query length (bytes), type the maximum query length allowed in a request. Requests with queries exceeding this value will be blocked. A query is the part of URL that follows the question mark (?). You may want to limit the query length if you learn of an attack based on a long query string. By default, the maximum query length is set to 10240. Long queries and URLs are a known attack vector for Internet worms. These worms send a long GET request and use the URL to embed their payload.
  6. Select Verify normalization to block requests with URLs containing escaped characters after normalization. Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for https://myserver/My%20Dir/My%20File.htm is the same as a request for https://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests. Because the % can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, Internet Information Services (IIS) may accept a request that it would otherwise reject as not valid. When you select Verify Normalization, the HTTP filter normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request. This prevents attacks that rely on double-encoded requests. Note that while we recommend that you use the Verify Normalization function, it may also block legitimate requests that contain a %.
  7. Select Block high bit characters to specify that URLs with high-bit characters will be blocked. These are typically characters from languages that require more than 8 bits to represent the characters of the language, and therefore use 16 bits. For example, URLs that contain a double-byte character set (DBCS) or Latin 1 characters will be blocked. This can help block some attacks on Web servers running Internet Information Services (IIS), but may also block requests and responses that contain characters from one of several languages that require high-bit characters. When you select Block high bit characters, this can impact scenarios such as Outlook Web Access publishing, Microsoft Windows SharePoint Portal Server publishing, and any scenario in which a GET request passes a parameter that includes a character from a DBCS.
  8. Select Block responses containing Windows executable content to specify that responses containing Windows executable content (responses that begin with MZ) will be blocked.

Configuring HTTP methods (verbs)

On the Methods tab, configure the following:

  1. In Specify the action taken for HTTP methods, select the action to be taken for the methods listed. You can allow all methods, blocked those listed and allow all others, or allow those listed and block all others. We recommend that you only allow selected methods, because this is the most secure configuration.
  2. To add a method, click Add. In the Method dialog box, type in the method you want to add. HTTP methods (also known as HTTP verbs) are instructions sent in a request message that notifies an HTTP server of the action to perform on the specified resource. An example of blocking by method would be to block POST so that internal clients cannot post data to an external Web page. This is useful in a secure network scenario where you want to prevent sensitive information from being posted on a website. This can also be useful in Web publishing, to prevent hackers from posting malicious material to your website.
  3. To delete an existing method, select the method in the list, and then click Remove.
  4. To edit an existing method, select the method in the list, and then click Edit.

Configuring HTTP extensions blocking

On the Extensions tab, do the following:

  1. In Specify the action taken for file extensions, select an action. You can allow all extensions or allow only those in the list. You can also select to block those in the list and allow all others. We recommend that you only allow selected extensions, because this is the most secure configuration. For example, if you are publishing a website, the website designer or Web server administrator will be able to define a list of extensions that are required for site functionality.
  2. Enable Block requests containing ambiguous extensions to block requests with extensions that cannot be determined.
  3. To add an extension, click Add. In the Extension dialog box, type in the extension you want to add.
  4. To edit an existing extension, select it in the list, and then click Edit.
  5. To delete an existing extension, select it in the list, and then click Remove.

A typical use of extension blocking is to block executable (.exe) files.

Configuring header blocking

On the Headers tab, do the following:

  1. Click Add to add a header that should be blocked. Then in the Header dialog box, select either Request Headers or Response Headers from Search In. And type in the header name. All headers are allowed except those that appear in the Allow all headers except the following list.
  2. To edit a header, select it in the list, and then click Edit. To allow a header that is currently on the blocked list, select it and then click Remove.
  3. In Server Header, specify how the server header will be returned in the response. The Server header is a response header that contains information such as the name of the server application and software version information, for example, HTTP: Server = Microsoft-IIS/6.0. The possible settings are:
    • Send original header. The original header will be returned in the response.
    • Strip header from response. No header will be returned in the response
    • Modify header in response. If you select this option, in Change to, type the value that will appear in the response. We recommend that you modify the server header. The value that will appear in the response can be any value, because the server header is rarely used by clients.
  4. In Via Header, specify how the Via header will be forwarded in the request or returned in the response. Via headers provide a way for proxy servers in the path of a request to ensure that they are also included in the path of the response. Each server along the request's path can add its own Via header. Each sender along the response path removes its own Via header and forwards the response to the server specified in the next Via header on the stack. For example, you can use this feature to avoid disclosing your Forefront TMG server name in a response. The possible settings are:
    • Send default. The default header will be used.
    • Modify header in request and response. The Via header will be replaced with a modified header. If you select this option, in Change to, type the header that will appear instead of the Via header.

Configure blocked signatures

On the Signatures tab, specify whether to allow or block requests based on the specific signatures in the headers or body as follows:

On the Headers tab, do the following:

  1. Click Add to add a blocked signature. Then in the Signature dialog box, specify the following:
    • In Search in, specify whether the signature appears in the request URL, body, or header, or in the response body or header.
    • In HTTP Header, type in the header name if you specified a header type signature.
    • In Signature, type in the signature string. A signature can be any string in a header or body. We recommend that you choose strings that are specific enough to block only those requests or responses that you want to block. For example, if you add the letter "a" as a signature, any request or response containing "a" will be blocked. Similarly, including "Mozilla" in a signature would block most Web browsers. A more typical example signature would be User-Agent: adatum-software-abc.
    • In Byte range, specify From and To values if you have selected Response Body or Request Body as the signature type. By default, Forefront TMG only inspects the first 100 bytes of the request and response body. Increasing this default value may affect system performance.
  2. You can enable or disable signatures using the check boxes next to the signature names. Click Show only enabled search strings to list only enabled signatures.
  3. To modify a blocked signature, select it in the Block content containing these signatures list, and then click Edit.
  4. To allow a blocked signature, select it in the Block content containing these signatures list, and then click Remove.

Determine signatures

You can determine a signature to block specific traffic by monitoring network traffic as follows:

Important

Because some network traffic monitoring tools may introduce a security risk, we recommend that you use these tools only in a laboratory environment and not in a production environment.

  1. Add the Windows network monitoring tools. This is available in the Management and Monitoring tools section of Windows optional components.
  2. To open Network Monitor after installation, click Start, point to Administrative Tools, and click Network Monitor. If a message appears reminding you to select a network, close it.
  3. In the Select a Network dialog box, expand Local Computer. If internal clients are located in the Forefront TMG default Internal network, select Internal to trace signatures used by these clients. This allows you to use traced signatures to block client access to specific Internet services.
  4. Network Monitor will capture all of the packets from the Internal network. You can filter the results after the capture, or you can create a filter before you start the capture. To create a filter before starting, from the menu, click Capture and select Filter (or press F8). In the Capture Filter dialog box, select the entry INCLUDE *ANY < - > *ANY and then click Edit.
  5. Click Edit Address, and under Add, click Address. In the Address Expression dialog box, click Edit Addresses.
  6. In the Address Database dialog box, click Add to open the Address Information dialog box.
  7. In the Address Information dialog box, specify the name of the client computer. Provide the IP address of the client computer in Address, and from the Type list, select IP. Then select OK, and click Close to close the Address Database dialog box.
  8. In Address Expression, verify that the Include option is selected. In the Station 2 column, select the client that you just created. Leave Direction as default (both directions), choose the destination in the Station 1 column to be the Forefront TMG computer, and then click OK.
  9. Click OK to close the Capture Filter dialog box.
  10. If there is a large amount of traffic between those two computers, you may need to increase the capture buffer. From the menu, click Capture and select Buffer Settings. In the Capture Buffer Settings dialog box, increase the Buffer Size. Click OK.
  11. On the client, close all of the applications except for the one for which you want to capture a signature.
  12. From the Network Monitor menu, click Capture and select Start (or press F10).
  13. On the client computer, start the application. For example, sign in to Windows Liveā„¢ Messenger or AOL Instant Messenger.
  14. From the Network Monitor menu, click Capture and select Stop and View (or press SHIFT+F11). Inspect the packets that were captured. Typically, the fourth packet (after the handshake packets SYN, SYNACK, and ACK) will be an HTTP request packet from the client computer, which will contain the information you are looking for, although you may have to look in later packets.
  15. Double-click the packet to view its details. Look for a unique signature related to the application you want to block. If the packet has been parsed properly by Network Monitor, you can view and click all of the headers separately in the details pane (the center pane) and see the full signature in the Hex pane (the bottom pane). Otherwise, you may have to search for the signature in the Hex pane.