
1.1 Prior Functionality
2.1 Request Filtering Configuration .... 9
2.1.1 Configure Whitelisting .... 9
2.1.2 Determine What to Whitelist .... 9
2.1.3 Set Request Limits .... 10
2.1.4 Deny URL Sequences and Query String Sequences .... 10
2.1.5 Set Hidden Segments for Inaccessible URLs .... 11
2.1.6 Notes on the Sample Configuration .... 11
2.2 UrlScan Configuration .... 11

Table 1: Standard HTTP Verbs/Methods from RFC 7231 .... 5
Table 2: WebDAV HTTP Verbs/Methods from RFC 4918 .... 6
Table 3: Basic Comparison of Request Filtering and UrlScan .... 7
Table 4: Request Filtering and UrlScan Mapping of Selected Options .... 8
Table 4: Request Filtering and UrlScan Mapping of Selected Options

Function                               | Request Filtering                                          | UrlScan
                                       | Tag Name           | Setting Name           | Value   | Section Name | Setting Name
---------------------------------------+--------------------+------------------------+---------+--------------+-----------------------
Turn on Verb Whitelisting              | <verbs>            | allowUnlisted          | "false" | Options      | UseAllowVerbs
Turn on Extension Whitelisting         | <fileExtensions>   | allowUnlisted          | "false" | Options      | UseAllowExtensions
Check for Double Encoding              | <requestFiltering> | allowDoubleEscaping    | "false" | Options      | VerifyNormalization
Deny High Bit Characters               | <requestFiltering> | allowHighBitCharacters | "false" | Options      | AllowHighBitCharacters
Scan Query String Again After Decoding | <requestFiltering> | unescapeQueryString    | "true"  | Options      | UnescapeQueryString
<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample web.config: Request Filtering configuration -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject double-encoded URLs and non-ASCII bytes in the URL; rescan the query string after decoding it -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false"
                        unescapeQueryString="true">
        <!-- Verb whitelist: any verb not listed here (including the other WebDAV verbs) is rejected -->
        <verbs allowUnlisted="false" applyToWebDAV="true">
          <add verb="HEAD" allowed="true" />
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="OPTIONS" allowed="true" />
          <!-- COPY is one WebDAV verb; include it only if the website requires it -->
          <add verb="COPY" allowed="true" />
        </verbs>
        <!-- Extension whitelist. Extensions must start with a period; "." would allow extensionless URLs -->
        <fileExtensions allowUnlisted="false" applyToWebDAV="true">
          <add fileExtension=".htm" allowed="true" />
          <add fileExtension=".html" allowed="true" />
        </fileExtensions>
        <!-- Size limits in bytes. sizeLimit="0" rejects any request that carries that header -->
        <requestLimits maxAllowedContentLength="10000"
                       maxUrl="100" maxQueryString="100">
          <headerLimits>
            <add header="User-Agent" sizeLimit="100" />
            <add header="Translate" sizeLimit="0" />
            <add header="If" sizeLimit="0" />
            <add header="Lock-Token" sizeLimit="0" />
          </headerLimits>
        </requestLimits>
        <!-- Character sequences that are never allowed in the URL path -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence="./" />
          <add sequence="\" />
          <add sequence=":" />
          <add sequence="%" />
          <add sequence="&amp;" />
        </denyUrlSequences>
        <!-- Character sequences that are never allowed in the query string -->
        <denyQueryStringSequences>
          <add sequence="&lt;" />
          <add sequence=">" />
          <add sequence="@" />
        </denyQueryStringSequences>
        <!-- URL segments that must not be served, even over WebDAV -->
        <hiddenSegments applyToWebDAV="true">
          <add segment="private html" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
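To see how the individual settings in the sample web.config combine on a real request, the following added example (not code from the original document, and not IIS's own implementation) parses that configuration and applies a simplified model of each Request Filtering check to constructed sample requests. The check order, the decision to test denied URL sequences against the once-decoded path, and the treatment of an extensionless URL as having the extension "." (which is how IIS documents it, so a request for "/" is rejected by this sample because "." is not whitelisted) are this model's assumptions.

```python
"""Simplified model of the Request Filtering rules in the sample web.config.
Added example: a re-implementation for study, not IIS code."""
import urllib.parse
import xml.etree.ElementTree as ET

# The page's sample web.config, embedded as constructed input (condensed to one string)
WEB_CONFIG = """<configuration><system.webServer><security>
<requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false" unescapeQueryString="true">
  <verbs allowUnlisted="false" applyToWebDAV="true">
    <add verb="HEAD" allowed="true"/><add verb="GET" allowed="true"/><add verb="POST" allowed="true"/>
    <add verb="OPTIONS" allowed="true"/><add verb="COPY" allowed="true"/>
  </verbs>
  <fileExtensions allowUnlisted="false" applyToWebDAV="true">
    <add fileExtension=".htm" allowed="true"/><add fileExtension=".html" allowed="true"/>
  </fileExtensions>
  <requestLimits maxAllowedContentLength="10000" maxUrl="100" maxQueryString="100">
    <headerLimits>
      <add header="User-Agent" sizeLimit="100"/><add header="Translate" sizeLimit="0"/>
      <add header="If" sizeLimit="0"/><add header="Lock-Token" sizeLimit="0"/>
    </headerLimits>
  </requestLimits>
  <denyUrlSequences>
    <add sequence=".."/><add sequence="./"/><add sequence="\\"/><add sequence=":"/>
    <add sequence="%"/><add sequence="&amp;"/>
  </denyUrlSequences>
  <denyQueryStringSequences><add sequence="&lt;"/><add sequence=">"/><add sequence="@"/></denyQueryStringSequences>
  <hiddenSegments applyToWebDAV="true"><add segment="private html"/></hiddenSegments>
</requestFiltering></security></system.webServer></configuration>"""


def load_rules(xml_text):
    """Pull the Request Filtering settings out of a web.config into a plain dict."""
    rf = ET.fromstring(xml_text).find("./system.webServer/security/requestFiltering")
    flag = lambda el, attr, default: el.get(attr, default).lower() == "true"
    verbs, exts, limits = rf.find("verbs"), rf.find("fileExtensions"), rf.find("requestLimits")
    return {
        "allow_double_escaping": flag(rf, "allowDoubleEscaping", "false"),
        "allow_high_bit": flag(rf, "allowHighBitCharacters", "true"),
        "unescape_query": flag(rf, "unescapeQueryString", "true"),
        "verb_allow_unlisted": flag(verbs, "allowUnlisted", "true"),
        "verbs": {a.get("verb").upper() for a in verbs if flag(a, "allowed", "true")},
        "ext_allow_unlisted": flag(exts, "allowUnlisted", "true"),
        "extensions": {a.get("fileExtension").lower() for a in exts if flag(a, "allowed", "true")},
        # Fallbacks are the IIS defaults for these limits
        "max_content": int(limits.get("maxAllowedContentLength", "30000000")),
        "max_url": int(limits.get("maxUrl", "4096")),
        "max_query": int(limits.get("maxQueryString", "2048")),
        "header_limits": {a.get("header").lower(): int(a.get("sizeLimit")) for a in limits.iter("add")},
        "deny_url": [a.get("sequence").lower() for a in rf.find("denyUrlSequences")],
        "deny_query": [a.get("sequence").lower() for a in rf.find("denyQueryStringSequences")],
        "hidden": {a.get("segment").lower() for a in rf.find("hiddenSegments")},
    }


def check_request(rules, verb, url, headers=None, content_length=0):
    """Return None when the request passes every rule, else the first reason it is rejected.
    The check order is this model's choice, not a documented IIS order."""
    path, _, query = url.partition("?")
    if not rules["verb_allow_unlisted"] and verb.upper() not in rules["verbs"]:
        return f"verb {verb.upper()} is not on the verb whitelist"
    if len(path) > rules["max_url"]:
        return "URL exceeds maxUrl"
    if len(query) > rules["max_query"]:
        return "query string exceeds maxQueryString"
    if content_length > rules["max_content"]:
        return "body exceeds maxAllowedContentLength"
    for name, value in (headers or {}).items():
        limit = rules["header_limits"].get(name.lower())
        if limit is not None and len(value) > limit:  # sizeLimit 0 effectively bans the header
            return f"header {name} exceeds its sizeLimit"
    decoded = urllib.parse.unquote(path)
    # Double encoding: a second decode pass still changes the URL
    if not rules["allow_double_escaping"] and urllib.parse.unquote(decoded) != decoded:
        return "URL is double-encoded"
    if not rules["allow_high_bit"] and any(ord(c) > 0x7F for c in decoded):
        return "URL contains high-bit characters"
    low = decoded.lower()
    for seq in rules["deny_url"]:  # assumption: sequences are matched on the once-decoded path
        if seq in low:
            return f"URL contains denied sequence {seq!r}"
    segments = [s for s in decoded.split("/") if s]
    for seg in segments:
        if seg.lower() in rules["hidden"]:
            return f"URL contains hidden segment {seg!r}"
    last = segments[-1] if segments else ""
    ext = last[last.rfind("."):].lower() if "." in last else "."  # "." = extensionless, as IIS documents it
    if not rules["ext_allow_unlisted"] and ext not in rules["extensions"]:
        return f"extension {ext!r} is not on the extension whitelist"
    views = [query.lower()]
    if rules["unescape_query"]:  # second scan pass over the decoded query string
        views.append(urllib.parse.unquote(query).lower())
    for view in views:
        for seq in rules["deny_query"]:
            if seq in view:
                return f"query string contains denied sequence {seq!r}"
    return None


if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    for verb, url, hdrs in [("GET", "/index.htm", {}), ("PUT", "/index.htm", {}),
                            ("GET", "/%252e%252e/index.htm", {}), ("GET", "/", {}),
                            ("GET", "/index.htm?q=%3Cscript%3E", {}), ("GET", "/index.htm", {"Translate": "f"})]:
        print(f"{verb} {url} {hdrs or ''}: {check_request(rules, verb, url, hdrs) or 'allowed'}")
```

Running the module prints one verdict per sample request; the rejection of "/" is the practical caveat of this sample: with allowUnlisted="false" on fileExtensions and no "." entry, the site root and any extensionless URL are refused.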
; Sample urlscan.ini: the UrlScan equivalent of the Request Filtering configuration above
[Options]
UseAllowVerbs=1                ; Use the [AllowVerbs] section (verb whitelisting)
UseAllowExtensions=1           ; Use the [AllowExtensions] section (extension whitelisting)
NormalizeUrlBeforeScan=1       ; Decode the URL before scanning it
VerifyNormalization=1          ; Reject URLs that still change when decoded again (double encoding)
AllowHighBitCharacters=0       ; Reject non-ASCII bytes in the URL
UnescapeQueryString=1          ; Scan the query string a second time after decoding it
EnableLogging=1

[AllowVerbs]
HEAD     ; Allows the standard HTTP verb HEAD.
GET      ; Allows the standard HTTP verb GET.
POST     ; Allows the standard HTTP verb POST.
OPTIONS  ; Allows the standard HTTP verb OPTIONS.
COPY     ; Example of allowing one WebDAV verb, but none of the others.
         ; Do not include COPY unless it is required by the website.

[AllowExtensions]
.htm
.html

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyUrlSequences]
..
./
\
:
%
&

[RequestLimits]
MaxAllowedContentLength=10000
MaxUrl=100
MaxQueryString=100
Max-User-Agent=100             ; Per-header limit: Max-<header name>

[DenyQueryStringSequences]
<
>
@
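When both Request Filtering and UrlScan are in play, the two configurations drift apart over time. The following added example (not part of the original document) encodes Table 4 as data and compares a web.config against a urlscan.ini, reporting every option whose UrlScan value does not match its Request Filtering counterpart. The polarity column (allowUnlisted="false" corresponds to UseAllowVerbs=1, whereas allowHighBitCharacters="false" corresponds to AllowHighBitCharacters=0) and the IIS defaults used when an attribute is absent are this example's assumptions; the embedded excerpts are constructed from the samples above, with only the [Options] section of the urlscan.ini included.

```python
"""Check that a urlscan.ini agrees with a web.config on the options mapped in Table 4.
Added example; constructed inputs taken from the page's two sample configurations."""
import configparser
import xml.etree.ElementTree as ET

# Table 4 as data: (function, RF element, RF attribute, RF default if absent, UrlScan [Options] key,
# same_polarity). same_polarity=True means RF "true" corresponds to UrlScan 1; False means RF "false" does.
TABLE_4 = [
    ("Turn on Verb Whitelisting", "verbs", "allowUnlisted", "true", "UseAllowVerbs", False),
    ("Turn on Extension Whitelisting", "fileExtensions", "allowUnlisted", "true", "UseAllowExtensions", False),
    ("Check for Double Encoding", "requestFiltering", "allowDoubleEscaping", "false", "VerifyNormalization", False),
    ("Deny High Bit Characters", "requestFiltering", "allowHighBitCharacters", "true", "AllowHighBitCharacters", True),
    ("Scan Query String Again After Decoding", "requestFiltering", "unescapeQueryString", "true",
     "UnescapeQueryString", True),
]

# Constructed excerpts of the page's samples, reduced to the attributes Table 4 maps
WEB_CONFIG_EXCERPT = """<configuration><system.webServer><security>
  <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false" unescapeQueryString="true">
    <verbs allowUnlisted="false" />
    <fileExtensions allowUnlisted="false" />
  </requestFiltering>
</security></system.webServer></configuration>"""

URLSCAN_OPTIONS = """[Options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
UnescapeQueryString=1
EnableLogging=1
"""


def compare(web_config_xml, urlscan_ini):
    """Return a list of (function, request-filtering value, urlscan value) for every mismatch."""
    rf = ET.fromstring(web_config_xml).find("./system.webServer/security/requestFiltering")
    # '=' as the only delimiter keeps UrlScan's "Header:" deny entries intact if other sections are present
    ini = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    ini.optionxform = str  # UrlScan option names are case-sensitive here; keep them as written
    ini.read_string(urlscan_ini)
    mismatches = []
    for function, element, attr, default, option, same_polarity in TABLE_4:
        el = rf if element == "requestFiltering" else rf.find(element)
        raw = el.get(attr) if el is not None else None
        rf_on = (raw if raw is not None else default).lower() == "true"
        us_raw = ini.get("Options", option, fallback=None)
        if us_raw is None:
            mismatches.append((function, f"{attr}={str(rf_on).lower()}", f"{option} (not set)"))
            continue
        us_on = us_raw.strip() == "1"
        expected = rf_on if same_polarity else not rf_on
        if us_on != expected:
            mismatches.append((function, f"{attr}={str(rf_on).lower()}", f"{option}={us_raw.strip()}"))
    return mismatches


if __name__ == "__main__":
    for row in compare(WEB_CONFIG_EXCERPT, URLSCAN_OPTIONS) or [("all Table 4 options agree", "", "")]:
        print(*row)
```

With the page's two samples the comparison returns an empty list; flipping AllowHighBitCharacters to 1 in the ini yields a single row naming "Deny High Bit Characters", which is the kind of drift a configuration review should surface before it reaches a server.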
