Request Filtering

 

Applies To: Windows Server 2012 R2, Windows Server 2012

Use the Request Filtering feature page to configure filtering rules for your website. Web request filtering, like FTP request filtering, lets you restrict protocol and content behavior.

UI Elements for Request Filtering

The following tables describe the UI elements that are available on the feature page and in the Actions pane.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| File Name Extensions | Specifies a list of file name extensions for which the request-filtering service allows or denies access. |
| Rules | Lists the filtering rules and the specific parameters for which the request-filtering service should scan. These parameters include headers, file name extensions, and deny strings. |
| Hidden Segments | Specifies a list of hidden segments for which the request-filtering service denies access. These segments do not display in directory listings. |
| URL | Specifies a list of URL sequences for which the request-filtering service allows or denies access. |
| HTTP Verbs | Specifies a list of HTTP verbs for which the request-filtering service allows or denies access. |
| Headers | Specifies the headers and their size limits for which the request-filtering service denies access. |
| Query Strings | Specifies the query strings for which the request-filtering service denies access. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Edit Feature Settings | Opens the Edit Request Filtering Settings dialog box that lets you configure general properties and request limits. |
| Remove | Removes a file name extension, rule, hidden segment, URL sequence, HTTP verb, header, or query string from the list. |

Edit Request Filtering Settings Dialog Box

Use the Edit Request Filtering Settings dialog box to configure general settings and request limits on your Web server.

| Element Name | Description |
| --- | --- |
| Allow unlisted file name extensions | Select this option to allow unlisted file name extensions. |
| Allow unlisted verbs | Select this option to allow unlisted verbs. |
| Allow high-bit characters | Select this option to allow high-bit characters in request filter operations. Examples of high-bit characters are: Ж, Ы, and Я. |
| Allow double escaping | Select this option to allow double escaping. |
| Maximum allowed content length (Bytes) | Specifies the maximum length, in bytes, for content. Note: Specifying zero (0) for this value means that the length is unlimited. |
| Maximum URL length (Bytes) | Specifies the maximum length, in bytes, for a URL string. |
| Maximum query string (Bytes) | Specifies the maximum length, in bytes, for a query string. |

File Name Extensions Tab

Use the File Name Extensions tab to create a list of file name extensions for which the request-filtering module allows or denies access. This helps restrict certain file types and increase security on your web server.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| File Name Extension | Displays the file name extension for which the request-filtering module either allows or denies access. |
| Allowed | Displays the status of the file name extension. The status is True if the file name extension is allowed, or False if the file name extension is denied. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Allow File Name Extension | Opens the Allow File Name Extension dialog box that lets you add a file name extension to the list of allowed file name extensions. |
| Deny File Name Extension | Opens the Deny File Name Extension dialog box that lets you add a file name extension to the list of denied file name extensions. |

For common elements, see Actions Pane Elements under UI Elements for Request Filtering.

Allow or Deny File Name Extension Dialog Boxes

Use the Allow File Name Extension or Deny File Name Extension dialog box to add a file name extension to the list of file name extensions for which the request-filtering module will allow or deny access.

| Element Name | Description |
| --- | --- |
| File name extension | Specifies the file name extension for which the request-filtering service either allows or denies access. |

Rules Tab

Use the Rules tab to configure request-filtering rules for allowing or denying access to your Web server based on several parameters, such as headers and deny strings. For examples of filtering rules, see Common URLScan Scenarios.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| Name | Displays the name of the request-filtering rule. |
| Scan | Displays the value that the request-filtering rule scans for the URL, query string, or any combination thereof. |
| Applies To | Displays the parameters to which the request-filtering rule applies. |
| Deny Strings | Displays the strings to which the request-filtering rule denies access. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Add Filtering Rule | Opens the Add Filtering Rule dialog box that lets you add a rule with specific parameters for which to scan. |

For common elements, see Actions Pane Elements under UI Elements for Request Filtering.

Add Filtering Rule Dialog Box

Use the Add Filtering Rule dialog box to add a rule with specific parameters to the request-filtering module’s rule list. This action enables the module to deny requests that fit the criteria specified by the rule.

| Element Name | Description |
| --- | --- |
| Name | Specifies the name of the filtering rule that is added to the list. |
| Scan url | Select this option to have the request-filtering module scan the request URL. |
| Scan query string | Select this option to have the request-filtering module scan the request query string. |
| Scan Headers | Adds a user-specified header to the list of headers to search for in the request. Use the asterisk (*) to add a row to the table. |
| Applies To | Adds a file name extension to the list of file name extensions to which this request-filtering rule applies. Use the asterisk (*) to add a row to the table. |
| Deny Strings | Adds a string to the list of strings to search for in the request. If the specified string is found in the request URL, query string, or header, then the request is denied. Use the asterisk (*) to add a row to the table. |

Hidden Segments Tab

Use the Hidden Segments tab to define the list of URL segments for which the request-filtering module will deny access and will exclude from directory listings. A URL segment is the part of the URL path that lies between the slash (/) marks.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| Segment | Displays the URL segment for which the request-filtering service denies access and which it does not display in directory listings. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Add Hidden Segment | Opens the Add Hidden Segment dialog box that lets you add a hidden segment to the list of hidden segments. |

For common elements, see Actions Pane Elements under UI Elements for Request Filtering.

Add Hidden Segment Dialog Box

Use the Add Hidden Segment dialog box to add a URL segment to the list of URL segments for which the request-filtering module will deny access. A URL segment is a part of the URL path that lies between the slash (/) marks.

| Element Name | Description |
| --- | --- |
| Hidden segment | Specifies the URL segment for which the request-filtering module denies access. Note: URL segments that are in the hidden segments list do not appear in directory listings. |

URL Tab

Use the Deny URL Sequences tab to create a list of URL sequences for which the request-filtering module will deny access. For example, you can specify “admin/config.xml” as a URL sequence, which denies requests to https://contoso.com/application/admin/config.xml.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| Deny URL Sequence | Displays the URL sequence for which the request-filtering module will deny access. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Allow URL | Opens the Add Always Allowed URL dialog box that lets you add a URL to the list of allowed URLs. |
| Deny Sequence | Opens the Add Deny Sequence dialog box that lets you add a sequence to the list of denied sequences. |

For common elements, see Actions Pane Elements under UI Elements for Request Filtering.

Allow URL Dialog Box

Use the Add Always Allowed URL dialog box to add a URL sequence to the list of URL sequences for which the request-filtering module will always grant access.

| Element Name | Description |
| --- | --- |
| URL | Specifies the URL for which the request-filtering module always grants access. |

Add Deny Sequence Dialog Box

Use the Add Deny Sequence dialog box to add a URL sequence to the list of URL sequences for which the request-filtering module will deny access.

| Element Name | Description |
| --- | --- |
| URL sequence | Specifies the URL sequence for which the request-filtering module denies access. |

HTTP Verbs Tab

Use the HTTP Verbs tab to create a list of verbs for which the request-filtering module will allow or deny access. Several examples of HTTP verbs are: GET, POST, and HEAD.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| Verb | Displays the verb for which the request-filtering module either allows or denies access. |
| Allowed | Displays the status of the verb, which will be either True if the verb is allowed, or False if the verb is denied. Note: Only verbs that appear in the list and have Allowed set to False will be blocked. All other verbs are allowed. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Allow Verb | Opens the Allow Verb dialog box that lets you add a verb to the list of allowed verbs. |
| Deny Verb | Opens the Deny Verb dialog box that lets you add a verb to the list of denied verbs. |

For common elements, see Actions Pane Elements under UI Elements for Request Filtering.

Allow or Deny Verb Dialog Boxes

Use the Allow Verb dialog box to add a verb to the list of HTTP verbs for which the request-filtering module will allow access. Use the Deny Verb dialog box to add a verb to the list of HTTP verbs for which the request-filtering module will deny access.

| Element Name | Description |
| --- | --- |
| Verb | Specifies the HTTP verb for which the request-filtering module either allows or denies access. |

Headers Tab

Use the Headers tab to create a list of headers for which the request-filtering module will deny access if the value of a header is larger than the specified size.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| Header | Displays the header for which the request-filtering module denies access if the size is larger than the specified size. |
| Size Limit | Displays the maximum size allowed for the header. For example, specifying a value of 100 would limit the length of a content-type header to 100 bytes. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Add Header | Opens the Add Header dialog box that lets you add a header to the list of denied headers. |

For common elements, see Actions Pane Elements under UI Elements for Request Filtering.

Add Header Dialog Box

Use the Add Header dialog box to specify a size limit for a particular HTTP header. If a header’s length exceeds the specified value, then the HTTP request that contains this header is denied.

| Element Name | Description |
| --- | --- |
| Header | Specifies the header for which the request-filtering module checks the size limit. |
| Size limit | Specifies the maximum character length for the header’s value. |

Query Strings Tab

Use the Query Strings tab to create a list of query strings for which the request-filtering module will either always allow or deny access. An example of a query string is “%3b” (the URL-encoded semicolon), which is used to catch SQL injection attempts.

Feature Page Elements

| Element Name | Description |
| --- | --- |
| Query String | Displays the query string for which the request-filtering module either allows or denies access. |
| Action | Displays the status of the query string, which will be either Always allow or Deny. |

Actions Pane Elements

| Element Name | Description |
| --- | --- |
| Allow Query String | Opens the Allow Query String dialog box that lets you add a query string that the request-filtering service will always allow. |
| Deny Query String | Opens the Deny Query String dialog box that lets you add a query string that the request-filtering service will deny. |

For common elements, see Actions Pane Elements under UI Elements for Request Filtering.

Allow or Deny Query String Dialog Boxes

Use either the Allow Query String or Deny Query String dialog box to add a query string to the list of query strings for which the request-filtering module will either always allow or deny access.

| Element Name | Description |
| --- | --- |
| Query string | Specifies the query string for which the request-filtering service either always allows or denies access. |
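
The lists edited on these tabs are stored in the requestFiltering configuration section. The following added example (not Microsoft's code and not the IIS implementation) models how the verb, header, file name extension, hidden segment, URL sequence and query string lists decide a single request. The sample configuration, the function names, the evaluation order and the case-insensitive matching are assumptions of this sketch.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
# Constructed sample of the <requestFiltering> section that these dialog boxes edit.
SAMPLE = """<requestFiltering>
  <requestLimits>
    <headerLimits><add header="Content-Type" sizeLimit="100" /></headerLimits>
  </requestLimits>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".config" allowed="false" />
  </fileExtensions>
  <verbs allowUnlisted="false">
    <add verb="GET" allowed="true" />
  </verbs>
  <hiddenSegments><add segment="bin" /></hiddenSegments>
  <denyUrlSequences><add sequence="admin/config.xml" /></denyUrlSequences>
  <denyQueryStringSequences><add sequence="%3b" /></denyQueryStringSequences>
</requestFiltering>"""

def listed_or_default(section, key, value):
    """A listed entry's Allowed flag wins; otherwise allowUnlisted decides."""
    for add in section.findall("add"):
        if add.get(key).lower() == value.lower():  # assumption: case-insensitive
            return add.get("allowed") == "true"
    return section.get("allowUnlisted", "true") == "true"

def deny_reason(method, url, headers=None, config=SAMPLE):
    """Simplified model (check order is assumed): first tab that denies, or None."""
    root = ET.fromstring(config)
    parts = urlsplit(url)
    path, query = parts.path.lower(), parts.query.lower()
    sent = {k.lower(): v for k, v in (headers or {}).items()}
    def values(tag, attr):
        return [a.get(attr).lower() for a in root.findall(tag + "/add")]
    if not listed_or_default(root.find("verbs"), "verb", method):
        return "HTTP Verbs"
    for add in root.findall("requestLimits/headerLimits/add"):
        if len(sent.get(add.get("header").lower(), "").encode()) > int(add.get("sizeLimit")):
            return "Headers"
    ext = posixpath.splitext(path)[1]
    if ext and not listed_or_default(root.find("fileExtensions"), "fileExtension", ext):
        return "File Name Extensions"
    if any(seg in values("hiddenSegments", "segment") for seg in path.split("/")):
        return "Hidden Segments"
    if any(seq in path for seq in values("denyUrlSequences", "sequence")):
        return "URL"
    if any(seq in query for seq in values("denyQueryStringSequences", "sequence")):
        return "Query Strings"
    return None
```

With Allow unlisted verbs cleared, as in the sample, only the listed GET verb passes; with the option selected, the verb list behaves as the HTTP Verbs note describes and only verbs listed with Allowed set to False are blocked.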