Configure Request Filters in IIS 7

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Request filtering lets you restrict the HTTP requests that your Web server will process: IIS 7 checks each incoming request against criteria you configure (request and URL length, HTTP verb, file name extension, URL segments and character sequences) and rejects a failing request before it reaches an application. Before IIS 7, this required downloading the UrlScan Version 2.5 security tool. IIS 7 incorporates the functionality of UrlScan Version 2.5 in the built-in request filtering module, so no separate download is needed.

Prerequisites

For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Request Filters Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

To filter HTTP requests

You can perform this procedure by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

None

Command Line

Use the following sections to configure request filtering by using Appcmd.exe.

Configuring global request filtering options

To configure whether request URLs may contain high-bit characters (non-ASCII bytes, that is, bytes above 0x7F), use the following syntax:

appcmd set config /section:requestfiltering /allowhighbitcharacters:true | false

For example, to allow high-bit characters, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /allowhighbitcharacters:true

When this setting is false, IIS rejects a request whose URL contains such bytes with status 404.12.

To configure whether IIS accepts double-escaped URLs, that is, URLs that still contain a percent-escape sequence after one round of decoding (for example, %252E, which decodes to %2E and only then to a period), use the following syntax:

appcmd set config /section:requestfiltering /allowdoubleescaping:true | false

For example, to enable double escaping, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /allowdoubleescaping:true

The default is false, and IIS rejects double-escaped requests with status 404.11. Keep it false unless an application needs literal percent-encoded characters in its URLs: a doubly encoded sequence such as %252e%252e passes the filter as %2e%2e and is only decoded to .. by the application.

Configuring file name extensions

To configure how IIS should deal with unlisted file name extensions (extensions that have no entry in the fileExtensions collection), use the following syntax:

appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:true | false

For example, to deny unlisted file name extensions, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:false

After this change the collection works as an allow list: add an allowed='true' entry for every extension the site serves, including static ones such as .css and .js, or those requests are rejected with status 404.7.

To configure whether file name extensions should apply to WebDAV requests, use the following syntax:

appcmd set config /section:requestfiltering /fileExtensions.applyToWebDAV:true | false

For example, to configure IIS so that file name extensions do not apply to WebDAV requests, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /fileExtensions.applyToWebDAV:false

To add a rule for a file name extension, use the following syntax:

appcmd set config /section:requestfiltering /+fileExtensions.[fileextension='string',allowed='true | false']

The variable fileextension string is the file name extension, including the leading period, that you want to allow or deny.

For example, to add an allow rule for the file name extension .xxx, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /+fileExtensions.[fileextension='.xxx',allowed='true']

To remove the rule for the file name extension .xxx, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /-fileExtensions.[fileextension='.xxx']

Configure request limits

To configure a value for the maximum allowed length of content, use the following syntax:

appcmd set config /section:requestfiltering /requestlimits.maxallowedcontentlength:unit

The variable requestlimits.maxallowedcontentlength unit specifies the maximum length of the request body (content), in bytes. A request with a larger Content-Length is rejected with status 404.13. Note that ASP.NET enforces its own limit (maxRequestLength in the httpRuntime element, in kilobytes), so an upload must fit within both limits.

For example, to specify 30000000 bytes as the maximum length of content, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /requestlimits.maxallowedcontentlength:30000000

To configure a value for the maximum allowed length of an incoming URL, use the following syntax:

appcmd set config /section:requestfiltering /requestlimits.maxurl:unit

The variable requestlimits.maxurl unit specifies the maximum length of an incoming URL, in bytes. A longer URL is rejected with status 404.14.

For example, to specify 4096 bytes as the maximum incoming URL length, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /requestlimits.maxurl:4096

To configure a value for the maximum allowed length of an incoming query string, use the following syntax:

appcmd set config /section:requestfiltering /requestlimits.maxquerystring:unit

The variable requestlimits.maxquerystring unit specifies the maximum length of an incoming query string, in bytes. A longer query string is rejected with status 404.15.

For example, to specify 2048 bytes as the maximum incoming query string length, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /requestlimits.maxquerystring:2048

To configure a size limit for a specific HTTP header, use the following syntax:

appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='string',sizelimit='unit']

The variable header string is the name of the HTTP header the limit applies to (for example, Content-Type). The variable sizelimit unit specifies the maximum size of that header's value, in bytes; a request whose header exceeds it is rejected with status 404.10.

For example, to limit the Content-Type header to 2048 bytes, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='Content-Type',sizelimit='2048']

Configure verbs

To configure how IIS should deal with unlisted verbs (HTTP methods that have no entry in the verbs collection), use the following syntax:

appcmd set config /section:requestfiltering /verbs.allowunlisted:true | false

For example, to deny unlisted verbs, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /verbs.allowunlisted:false

After this change, add an allowed='true' entry for each verb the application uses (GET, HEAD, POST, and so on); a request with any other verb, TRACE for example, is rejected with status 404.6.

To configure whether verb filtering should apply to WebDAV requests, use the following syntax:

appcmd set config /section:requestfiltering /verbs.applyToWebDAV:true | false

For example, to configure IIS so that verb filtering does not apply to WebDAV requests, type the following at the command prompt and then press ENTER:

appcmd set config /section:requestfiltering /verbs.applyToWebDAV:false

To add a rule for a specific verb, use the following syntax:

appcmd set config /section:requestfiltering /+verbs.[verb='string',allowed='true | false']

The variable verb string specifies the HTTP verb (method) this rule applies to.

For example, to specify that GET is allowed, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /+verbs.[verb='GET',allowed='true']

Configure hidden segments

To configure whether hidden segments should apply to WebDAV requests, use the following syntax:

appcmd set config /section:requestfiltering /hiddensegments.applyToWebDAV:true | false

For example, to configure IIS so that hidden segments do not apply to WebDAV requests, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /hiddensegments.applyToWebDAV:false

To configure a hidden segment, use the following syntax:

appcmd set config /section:requestfiltering /+hiddensegments.[segment='string']

The variable segment string specifies a URL path segment that IIS refuses to serve; a request whose URL contains that segment at any position is rejected with status 404.8. Specify the segment name only, without slashes.

For example, to specify that bin is a hidden segment, type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /+hiddensegments.[segment='bin']

On a default installation, bin, web.config and the ASP.NET App_* folders are already hidden segments, and Appcmd reports a duplicate collection entry if you add one of them again; run appcmd list config /section:requestfiltering to see the current list before adding entries.

Configure deny URL sequences

To deny a URL sequence, use the following syntax:

appcmd set config /section:requestfiltering /+denyurlsequences.[sequence='string']

The variable sequence string specifies a sequence of characters that may not appear anywhere in a request URL; a request whose URL contains it is rejected with status 404.5.

For example, to specify that IIS should reject URLs that contain two consecutive periods (the directory traversal sequence), type the following at the command prompt, and then press ENTER:

appcmd set config /section:requestfiltering /+denyurlsequences.[sequence='..']
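The sections above are the individual steps; the following PowerShell script, an added example that is not part of the original topic, applies them together as one server-wide baseline with Appcmd.exe and then prints the resulting section. The limits, the verb allow list, the denied extensions (.bak, .old, .orig), the hidden segment .git and the Invoke-Appcmd and Add-IfMissing helper names are assumptions chosen for illustration, not settings the topic prescribes; adapt them to what each application actually serves. Collection adds are skipped when the entry already exists, because Appcmd rejects a duplicate collection entry.

```powershell
# Apply a request-filtering baseline with Appcmd.exe, then show the result.
# Added example, not from the original topic: the limits, verbs, extensions and
# segments below are an assumed baseline to adapt per application.
# Run from an elevated PowerShell prompt on the IIS 7 server.

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) { throw "Appcmd.exe not found at $appcmd" }
$section = '/section:requestfiltering'

function Invoke-Appcmd {
    # Run appcmd with the given arguments and stop on a non-zero exit code.
    param([string[]]$Arguments)
    & $appcmd @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "appcmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Get-RequestFilteringXml {
    # appcmd list config prints the effective section as XML; parse it.
    [xml]$doc = (& $appcmd list config $section) -join "`n"
    return $doc
}

function Add-IfMissing {
    # Add a collection entry only if it is not already present, so the script
    # can be re-run without hitting "Cannot add duplicate collection entry".
    param([string]$Collection, [string]$KeyAttr, [string]$Key, [string]$Extra = '')
    $xpath = "//requestFiltering/$($Collection)/add[@$($KeyAttr)='$($Key)']"
    if ((Get-RequestFilteringXml).SelectSingleNode($xpath)) {
        Write-Host "skip  $Collection $Key (already present)"
        return
    }
    Invoke-Appcmd @('set', 'config', $section, "/+$($Collection).[$($KeyAttr)='$($Key)'$($Extra)]")
}

# 1. Decoders: reject double-escaped (404.11) and high-bit (404.12) URLs.
Invoke-Appcmd @('set', 'config', $section, '/allowdoubleescaping:false')
Invoke-Appcmd @('set', 'config', $section, '/allowhighbitcharacters:false')

# 2. Request limits, in bytes (these are the IIS defaults, stated explicitly).
Invoke-Appcmd @('set', 'config', $section, '/requestlimits.maxallowedcontentlength:30000000')
Invoke-Appcmd @('set', 'config', $section, '/requestlimits.maxurl:4096')
Invoke-Appcmd @('set', 'config', $section, '/requestlimits.maxquerystring:2048')

# 3. Verbs: switch to an allow list, then list what the application needs.
#    Everything else, TRACE included, is rejected with 404.6.
Invoke-Appcmd @('set', 'config', $section, '/verbs.allowunlisted:false')
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-IfMissing 'verbs' 'verb' $verb ",allowed='true'"
}

# 4. Deny extensions that are typically editor or deployment leftovers (404.7).
foreach ($ext in '.bak', '.old', '.orig') {
    Add-IfMissing 'fileExtensions' 'fileExtension' $ext ",allowed='false'"
}

# 5. Never serve a checked-in repository directory from the web root (404.8).
Add-IfMissing 'hiddenSegments' 'segment' '.git'

# 6. Reject the directory traversal sequence outright (404.5).
Add-IfMissing 'denyUrlSequences' 'sequence' '..'

# Print the effective section so the change can be reviewed or diffed.
& $appcmd list config $section
```

Because appcmd set config without a site path edits applicationHost.config, every site on the server inherits these settings; a site that needs PUT or DELETE, or a larger upload limit, gets its own override by adding the site name as the first argument after set config (for example, appcmd set config "Default Web Site" /section:requestfiltering ...), which writes to that site's web.config.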

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).

Configuration

The procedure in this topic affects the following configuration elements:

<requestFiltering> (configuration path system.webServer/security/requestFiltering, in applicationHost.config for server-wide settings or in a site's web.config for overrides)

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
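Because the settings live in plain XML, they can be audited without touching the server's configuration API. The following PowerShell function is an added example, not part of the original topic: it reads a <requestFiltering> element from configuration text and reports the relaxations a reviewer looks for first (double escaping, high-bit characters, oversized limits, no verb allow list, a <clear /> that drops the inherited hidden segments). The Test-RequestFiltering name, the baseline thresholds and the two sample fragments are constructed for illustration; to audit a real server, pass the text of %windir%\System32\inetsrv\config\applicationHost.config or a site's web.config.

```powershell
# Audit a <requestFiltering> section and return a list of findings.
# Added example, not from the original topic; thresholds are assumptions.
# Usage: Test-RequestFiltering (Get-Content -Raw applicationHost.config)

function Test-RequestFiltering {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [long]$MaxContentLength = 30000000,   # IIS default, bytes
        [int]$MaxUrl = 4096,                  # IIS default, bytes
        [int]$MaxQueryString = 2048           # IIS default, bytes
    )
    [xml]$doc = $XmlText
    $rf = $doc.SelectSingleNode('//requestFiltering')
    $findings = @()
    if (-not $rf) {
        return ,@('no <requestFiltering> element: inherited settings apply, audit the parent configuration')
    }

    # Decoder relaxations. allowHighBitCharacters defaults to true in IIS,
    # so an absent attribute counts as enabled.
    if ($rf.GetAttribute('allowDoubleEscaping') -eq 'true') {
        $findings += 'allowDoubleEscaping=true: %252e-style encodings reach the application (IIS returns 404.11 when false)'
    }
    if ($rf.GetAttribute('allowHighBitCharacters') -ne 'false') {
        $findings += 'allowHighBitCharacters not false: non-ASCII bytes are accepted in URLs'
    }

    # Request limits: an absent attribute means the IIS default, which is within baseline.
    $limits = $rf.SelectSingleNode('requestLimits')
    $baseline = @{ maxAllowedContentLength = $MaxContentLength; maxUrl = $MaxUrl; maxQueryString = $MaxQueryString }
    foreach ($name in $baseline.Keys) {
        $raw = if ($limits) { $limits.GetAttribute($name) } else { '' }
        if ($raw -ne '' -and [long]$raw -gt $baseline[$name]) {
            $findings += "$name=$raw exceeds baseline $($baseline[$name])"
        }
    }

    # Verbs: without allowUnlisted="false" every method, TRACE included, is accepted.
    $verbs = $rf.SelectSingleNode('verbs')
    if (-not $verbs -or $verbs.GetAttribute('allowUnlisted') -ne 'false') {
        $findings += 'verbs.allowUnlisted not false: no verb allow list, 404.6 is never issued'
    }

    # A <clear /> inside hiddenSegments drops the inherited entries (bin, web.config, App_*).
    if ($rf.SelectSingleNode('hiddenSegments/clear')) {
        $findings += 'hiddenSegments contains <clear />: inherited hidden segments no longer apply at this level'
    }
    return ,$findings
}

# Constructed samples (not real server output): a relaxed section and a hardened one.
$weak = @'
<configuration><system.webServer><security>
  <requestFiltering allowDoubleEscaping="true">
    <requestLimits maxAllowedContentLength="2147483647" />
  </requestFiltering>
</security></system.webServer></configuration>
'@

$hardened = @'
<configuration><system.webServer><security>
  <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
    <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048" />
    <verbs allowUnlisted="false">
      <add verb="GET" allowed="true" />
      <add verb="HEAD" allowed="true" />
      <add verb="POST" allowed="true" />
    </verbs>
    <denyUrlSequences><add sequence=".." /></denyUrlSequences>
  </requestFiltering>
</security></system.webServer></configuration>
'@

'--- weak ---';     Test-RequestFiltering $weak        # four findings
'--- hardened ---'; Test-RequestFiltering $hardened    # no findings
```

The weak fragment produces four findings (double escaping on, high-bit characters not disabled, a 2 GB content limit, no verb allow list); the hardened fragment produces none. The function only inspects the element it is given, so run it against both applicationHost.config and each site's web.config, since a site-level <requestFiltering> can relax what the server level set.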

WMI

Use the following WMI classes, methods, or properties to perform this procedure:

  • RequestFilteringSection class

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.