Training
Module
Capture Web Application Logs with App Service Diagnostics Logging - Training
Learn about how to capture trace output from your Azure web apps. View a live log stream and download logs files for offline analysis.
by Keith Newman and Robert McMurray
This document shows you how to use common request-filter settings to improve the security of your IIS 8 web server.
Request filters restrict the types of HTTP requests that IIS 8 processes. By blocking specific HTTP requests, request filters help prevent potentially harmful requests from reaching the server. The request filter module scans incoming requests and rejects requests that are unwanted based upon the rules that you set up.
By default, IIS rejects requests to browse critical code segments. It also rejects requests for some file name extensions.
You can configure a request filter at the server-wide level and then override the configuration at a website level.
To get the most from this tutorial, you must have access to a computer that is running one of the following operating systems:
The general settings include such settings as the following:
To configure high-bit characters, use the following syntax:
appcmd set config /section:requestfiltering /allowhighbitcharacters:true | false
For example, to allow high-bit characters, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /allowhighbitcharacters:true
To configure double escaping, use the following syntax:
appcmd set config /section:requestfiltering /allowdoubleescaping:true | false
For example, to enable double escaping, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /allowdoubleescaping:true
To configure a value for the maximum allowed length of content, use the following syntax:
appcmd set config /section:requestfiltering /requestlimits.maxallowedcontentlength:unit
The variable requestlimits.maxallowedcontentlength:unit specifies the maximum length of content.
For example, to specify 30000000 as the maximum length of content, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /requestlimits.maxallowedcontentlength:30000000
To configure a value for the maximum allowed length of an incoming URL, use the following syntax:
appcmd set config /section:requestfiltering /requestlimits.maxurl:unit
The variable requestlimits.maxurl:unit specifies the maximum length of an incoming URL.
For example, to specify 4096 as the maximum incoming URL length, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /requestlimits.maxurl:4096
To configure a value for the maximum allowed length of an incoming query string, use the following syntax:
appcmd set config /section:requestfiltering /requestlimits.maxquerystring:unit
The variable requestlimits.maxquerystring:unit specifies the maximum length of an incoming query string.
For example, to specify 2048 as the maximum incoming query string, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /requestlimits.maxquerystring:2048
To configure a size limit for a specific HTTP header, use the following syntax:
appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='string',sizelimit='unit']
The variable header=string specifies the header this restriction applies to. The variable sizelimit=unit specifies the maximum size of this header.
For example, to specify a maximum size of 2048 for headers that include a value of contoso.com, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='contoso.com',sizelimit='2048']
For each file name extension you add, you can indicate whether to allow or reject requests for that type of file.
To configure how IIS deals with unlisted file name extensions, use the following syntax:
appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:true | false
For example, to deny unlisted file name extensions, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:false
To configure whether file name extensions apply to WebDAV requests, use the following syntax:
appcmd set config /section:requestfiltering /fileExtensions.applyToWebDAV:true | false
For example, to configure IIS so that file name extensions do not apply to WebDAV requests, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /fileExtensions.applyToWebDAV:false
To add a file name extension, use the following syntax:
appcmd set config /section:requestfiltering /+fileExtensions.[fileextension='string',allowed='true | false']
The variable fileextension=string is the file name extension you want to allow or deny.
For example, to add an allow rule for the file name extension .xxx, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /+fileExtensions.[fileextension='.xxx',allowed='true']
To remove a rule for the file name extension .xxx, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /-fileExtensions.[fileextension='.xxx']
IIS 8 permits you to define custom filter rules that apply to incoming requests. Using this feature, you can define filters that can do the following:
This feature allows you to reject requests that contain a URL segment (for example, a folder name).
To configure whether hidden segments apply to WebDAV requests, use the following syntax:
appcmd set config /section:requestfiltering /hiddensegments.applyToWebDAV:true | false
For example, to configure IIS so that hidden segments do not apply to WebDAV requests, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /hiddensegments.applyToWebDAV:false
To configure a hidden segment, use the following syntax:
appcmd set config /section:requestfiltering /+hiddensegments.[segment='string']
The variable segment=string specifies a URL segment that is hidden.
For example, to specify that /bin is a hidden segment, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /+hiddensegments.[segment='/bin']
You can configure IIS to accept a specified URL. In addition, you can configure it to deny a specified URL sequence.
To deny a URL sequence, use the following syntax:
appcmd set config /section:requestfiltering /+denyurlsequences.[sequence='string']
The variable sequence=string specifies a sequence of characters in a URL that IIS is never allowed to parse.
For example, to specify that IIS never parse URLs that contain two periods, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /+denyurlsequences.[sequence='..']
You can define a list of verbs that IIS 8 accepts as part of a request. When IIS rejects a request based on this feature, the error code logged is 404.6.
To configure how IIS deals with unlisted verbs, use the following syntax:
appcmd set config /section:requestfiltering /verbs.allowunlisted:true | false
For example, to deny unlisted verbs, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /verbs.allowunlisted:false
To configure whether verb filtering applies to WebDAV requests, use the following syntax:
appcmd set config /section:requestfiltering /verbs.applyToWebDAV:true | false
For example, to configure IIS so that verb filtering does not apply to WebDAV requests, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /verbs.applyToWebDAV:false
To configure a verb to filter, use the following syntax:
appcmd set config /section:requestfiltering /+verbs.[verb='string',allowed='true | false']
The variable verb=string specifies the verb this restriction applies to.
For example, to specify GET is allowed, type the following at the command prompt, and then press ENTER:
appcmd set config /section:requestfiltering /+verbs.[verb='GET',allowed='true']
You can limit the size of HTTP request headers to improve performance and security. Headers are name/value pairs that define the operating parameters of an HTTP transaction.
You can configure IIS 8 to allow or deny specific query strings contained in the requested URL. For example, if a denied query string is found in a request URL, the request is denied.
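Every setting above ends up in the requestFiltering section of IIS configuration, and each rule rejects with a distinct sub-status code. The following Python script is an added example, not IIS or Microsoft code: it loads a constructed requestFiltering fragment (assumed to mirror what the appcmd commands above write) and evaluates sample requests against it, returning the rejecting rule and the sub-status code that IIS logs for it. The order in which the checks run, measuring maxUrl against the whole request target, and letting extension-less paths pass are assumptions of this example rather than documented IIS behaviour.

```python
"""Added example, not IIS code: evaluates requests against a request-filtering
policy loaded from a <requestFiltering> fragment and reports the rejecting
rule with the sub-status code IIS logs. Check order, URL-length measurement
and the treatment of extension-less paths are this example's assumptions."""
import os
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed fragment, assumed to mirror what the appcmd commands above write.
CONFIG_XML = """
<requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
  <requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="2048">
    <headerLimits><add header="Content-Type" sizeLimit="100" /></headerLimits>
  </requestLimits>
  <fileExtensions allowUnlisted="false">
    <add fileExtension=".html" allowed="true" />
    <add fileExtension=".config" allowed="false" />
  </fileExtensions>
  <hiddenSegments><add segment="/bin" /></hiddenSegments>
  <denyUrlSequences><add sequence=".." /></denyUrlSequences>
  <verbs allowUnlisted="false">
    <add verb="GET" allowed="true" />
    <add verb="POST" allowed="true" />
  </verbs>
</requestFiltering>
"""


def _flag(elem, name, default):
    """Read a true/false attribute; a missing element or attribute gives default."""
    value = None if elem is None else elem.get(name)
    return default if value is None else value.lower() == "true"


def load_policy(xml_text):
    """Flatten the XML fragment into a dict of limits, allow-lists and deny-lists."""
    root = ET.fromstring(xml_text)
    limits = root.find("requestLimits")
    if limits is None:
        limits = ET.Element("requestLimits")
    return {
        "allow_high_bit": _flag(root, "allowHighBitCharacters", True),
        "allow_double_escaping": _flag(root, "allowDoubleEscaping", False),
        "max_content": int(limits.get("maxAllowedContentLength", "30000000")),
        "max_url": int(limits.get("maxUrl", "4096")),
        "max_query": int(limits.get("maxQueryString", "2048")),
        "header_limits": {h.get("header").lower(): int(h.get("sizeLimit"))
                          for h in root.iterfind("requestLimits/headerLimits/add")},
        "ext_unlisted": _flag(root.find("fileExtensions"), "allowUnlisted", True),
        "extensions": {e.get("fileExtension").lower(): e.get("allowed") == "true"
                       for e in root.iterfind("fileExtensions/add")},
        "hidden": {s.get("segment").strip("/").lower()
                   for s in root.iterfind("hiddenSegments/add")},
        "deny_seq": [d.get("sequence").lower() for d in root.iterfind("denyUrlSequences/add")],
        "verb_unlisted": _flag(root.find("verbs"), "allowUnlisted", True),
        "verbs": {v.get("verb").upper(): v.get("allowed") == "true"
                  for v in root.iterfind("verbs/add")},
    }


def filter_request(policy, method, url, headers=None, content_length=0):
    """Return None when the request passes, else (sub_status, reason)."""
    headers = headers or {}
    if not policy["allow_high_bit"] and any(ord(c) > 127 for c in url):
        return ("404.12", "high bit characters")
    if len(url) > policy["max_url"]:  # whole request target measured (assumption)
        return ("404.14", "URL too long")
    raw_path, _, raw_query = url.partition("?")
    if len(raw_query) > policy["max_query"]:
        return ("404.15", "query string too long")
    path = unquote(raw_path)
    # Double escaping: the decoded path still decodes to something different.
    if not policy["allow_double_escaping"] and unquote(path) != path:
        return ("404.11", "URL double escaped")
    lowered = path.lower()
    for seq in policy["deny_seq"]:
        if seq in lowered:
            return ("404.5", f"URL sequence {seq!r} denied")
    verb = method.upper()
    if not policy["verbs"].get(verb, policy["verb_unlisted"]):
        return ("404.6", f"verb {verb} denied")
    segments = [s for s in lowered.split("/") if s]
    if policy["hidden"].intersection(segments):
        return ("404.8", "hidden segment")
    ext = os.path.splitext(segments[-1])[1] if segments else ""
    if ext and not policy["extensions"].get(ext, policy["ext_unlisted"]):
        return ("404.7", f"file name extension {ext!r} denied")
    if content_length > policy["max_content"]:
        return ("413.1", "content length too large")
    for name, value in headers.items():
        limit = policy["header_limits"].get(name.lower())
        if limit is not None and len(value) > limit:
            return ("431", f"header {name} too long")
    return None


if __name__ == "__main__":
    policy = load_policy(CONFIG_XML)
    for method, url in [("GET", "/index.html"), ("GET", "/web.config"),
                        ("GET", "/bin/app.dll"), ("GET", "/%252e%252e/secret")]:
        print(method, url, "->", filter_request(policy, method, url) or "allowed")
```

Running the script prints one line per sample request, showing that the hidden-segment rule catches /bin/app.dll before the file-extension rule gets a chance to, and that a doubly escaped path is rejected with 404.11 even though the single-decoded form contains no literal "..". Feeding a policy exported from a real server into load_policy is a quick way to predict which rule a rejected request in the logs tripped.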
You can use IIS logging to evaluate and optimize your request filter configuration.
The following table shows the request filter error codes that you see in the log:
| Error Description | Status Code |
|---|---|
| Request Filtering: URL Sequence denied | 404.5 |
| Request Filtering: Verb denied | 404.6 |
| Request Filtering: File name extension denied | 404.7 |
| Request Filtering: Denied by hidden segment | 404.8 |
| Request Filtering: Denied because URL doubled escaping | 404.11 |
| Request Filtering: Denied because of high bit characters | 404.12 |
| Request Filtering: Denied because URL too long | 404.14 |
| Request Filtering: Denied because query string too long | 404.15 |
| Request Filtering: Denied because content length too large | 413.1 |
| Request Filtering: Denied because request header is too long | 431 |
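To evaluate a request-filter configuration from the logs, the status and sub-status columns of the W3C log have to be joined and mapped back to the rule that fired. The following Python script is an added example, not Microsoft code: it parses W3C-format IIS log records using the #Fields directive, maps each sc-status/sc-substatus pair to the table above, and summarises rejections per rule and per client address so that noisy rules and false positives stand out. The log lines are constructed for this example, with the default IIS field set assumed.

```python
"""Added example, not Microsoft code: summarises request-filtering rejections
found in W3C-format IIS logs by rule and by client address."""
from collections import Counter

# Sub-status codes and descriptions from the logging table above.
REQUEST_FILTER_CODES = {
    "404.5": "URL sequence denied",
    "404.6": "Verb denied",
    "404.7": "File name extension denied",
    "404.8": "Denied by hidden segment",
    "404.11": "Denied because URL doubled escaping",
    "404.12": "Denied because of high bit characters",
    "404.14": "Denied because URL too long",
    "404.15": "Denied because query string too long",
    "413.1": "Denied because content length too large",
    "431": "Denied because request header is too long",
}

# Constructed sample log (W3C extended format, default IIS field set assumed).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2024-01-15 10:00:02 10.0.0.5 GET /web.config - 80 - 192.0.2.10 Mozilla/5.0 - 404 7 0 3
2024-01-15 10:00:03 10.0.0.5 GET /bin/app.dll - 80 - 192.0.2.10 Mozilla/5.0 - 404 8 0 2
2024-01-15 10:00:04 10.0.0.5 TRACE / - 80 - 198.51.100.7 curl/8.0 - 404 6 0 1
2024-01-15 10:00:05 10.0.0.5 GET /a/../b.html - 80 - 198.51.100.7 curl/8.0 - 404 5 0 1
2024-01-15 10:00:06 10.0.0.5 GET /%252e%252e/x - 80 - 198.51.100.7 curl/8.0 - 404 11 0 1
2024-01-15 10:00:07 10.0.0.5 POST /upload.aspx - 80 - 203.0.113.9 Mozilla/5.0 - 413 1 0 20
2024-01-15 10:00:08 10.0.0.5 GET /about.html - 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 10
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field list can change mid-file
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def filter_rule_for(record):
    """Return the request-filtering description for a record, or None."""
    status, sub = record["sc-status"], record["sc-substatus"]
    # 431 is listed without a sub-status, so fall back to the bare status.
    return REQUEST_FILTER_CODES.get(f"{status}.{sub}") or REQUEST_FILTER_CODES.get(status)


def summarize(text):
    """Count request-filtering rejections per rule and per client address."""
    by_rule, by_client, rejected = Counter(), Counter(), []
    total = 0
    for rec in parse_w3c(text):
        total += 1
        rule = filter_rule_for(rec)
        if rule:
            by_rule[rule] += 1
            by_client[rec["c-ip"]] += 1
            rejected.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rule))
    return {"total": total, "rejected": rejected, "by_rule": by_rule, "by_client": by_client}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{len(report['rejected'])} of {report['total']} requests rejected by request filtering")
    for rule, n in report["by_rule"].most_common():
        print(f"  {n:3d}  {rule}")
    for ip, n in report["by_client"].most_common():
        print(f"  {n:3d}  {ip}")
```

Pointing summarize at a real log file (read it as text and pass the contents) gives the same two rankings: a rule that rejects a large share of traffic from ordinary clients usually means the allow-list is too tight, whereas many distinct rules tripped by one address looks like probing rather than misconfiguration.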