IIS 7.0 Admin Pack: Request Filtering

  • Article

My last post talked about the Technical Preview release of the IIS 7.0 Admin Pack, and how it includes 7 new features that will help you manage your IIS 7.0.

Today I was going to start writing about more details about each feature and Bill Staples just posted something (How to (un)block directories with IIS7 web.config) that almost seems that it was planned for me to introduce one of the features in the Admin Pack, namely Request Filtering UI.

IIS 7.0 includes a feature called Request Filtering that provides additional capabilities to secure your web server, for example it will let you filter requests that are double escaped, or filter requests that are using certain HTTP Verbs, or even block requests to specific "folders", etc. I will not go into the details on this functionality, if you want to learn more about it you can see the Request Filtering articles over https://learn.iis.net

In his blog Bill mentions how you can easily configure Request Filtering using any text editor, such as notepad, and edit the web.config manually. That was required since we did not ship UI within IIS Manager for it due to time constraints and other things. But now as part of the Admin Pack we are releasing UI for managing the Request Filtering settings.

Following what Bill just showed in his blog, this is the way you would do it using the new UI instead.

1) Install IIS Admin Pack (Technical Preview)

2) Launch IIS Manager

3) Drill down using the Tree View to the site or application you want to change the settings for.

4) Enter into the new feature called Request Filtering inside the IIS category

5) Select the Hidden Segments and choose "Add Hidden Segment" from the Task List on the right

6) Add the item

As you would expect the outcome is exactly as Bill explained in his blog, just an entry within you web.config, something like:

    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="log" />
</hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>

So as you can see the Request Filtering UI will help you discover some of the nice security settings that IIS 7.0 has. The following images show some of the additional settings you can configure, such as Verbs, Headers, URL Sequences, URL Length, Quey String size, etc.