Whitelisting Windows IIS and WebDAV Traffic

This document provides configuration instructions for request filtering and URL scanning in IIS. It includes sections on configuring request filtering through whitelisting of verbs and file extensions, setting request limits, denying dangerous URL and query string sequences, and setting hidden URL segments. The document also maps request filtering configuration options to their equivalents in URL scanning and provides a sample XML configuration file implementing the settings.

Uploaded by

Romyn Moaz

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

45 views13 pages

Whitelisting Windows IIS and WebDAV Traffic

Uploaded by

Romyn Moaz

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 13

1.1 Prior Functionality .........................................................................................................................

2.1 Request Filtering Configuration .................................................................................................... 9

2.1.1 Configure Whitelisting .......................................................................................................... 9
2.1.2 Determine What to Whitelist................................................................................................ 9
2.1.3 Set Request Limits ............................................................................................................... 10
2.1.4 Deny URL Sequences and Query String Sequences ............................................................ 10
2.1.5 Set Hidden Segments for Inaccessible URLs ....................................................................... 11
2.1.6 Notes on the Sample Configuration .................................................................................... 11
2.2 UrlScan Configuration ................................................................................................................. 11

Table 1: Standard HTTP Verbs/Methods from RFC 7231.............................................................................. 5

Table 2: WebDAV HTTP Verbs/Methods from RFC 4918 .............................................................................. 6
Table 3: Basic Comparison of Request Filtering and UrlScan ....................................................................... 7
Table 4: Request Filtering and UrlScan Mapping of Selected Options ......................................................... 8
Request Filtering UrlScan

Function Tag Name Setting Name Value Section Setting Name

Name

Turn on <verbs> allowUnlisted “false” Options UseAllowVerbs

Verb
Whitelisting

Turn on <fileExtensions> allowUnlisted “false” Options UseAllowExtensions

Extension
Whitelisting

Check for <requestFiltering> allowDoubleEscaping “false” Options VerifyNormalization

Double
Encoding

Deny High <requestFiltering> allowHighBitCharacters “false” Options AllowHighBitCharacters

Bit
Characters

Scan Query <requestFiltering> unescapeQueryString “true” Options UnescapeQueryString

String Again
After
Decoding
<configuration>
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping=”false” allowHighBitCharacters=”false”
unescapeQueryString=”true” >
<verbs allowUnlisted=”false” applyToWebDAV=”true” >
<add verb=”HEAD” allowed=”true” />
<add verb=”GET” allowed=”true” />
<add verb=”POST” allowed=”true” />
<add verb=”OPTIONS” allowed=”true” />
<add verb=”COPY” allowed=”true” />
</verbs>
<fileExtensions allowUnlisted=”false” applyToWebDAV=”true” >
<add fileExtension=” htm” allowed=”true” />
<add fileExtension=” html” allowed=”true” />
</fileExtensions>
<requestLimits maxAllowedContentLength=”10000”
maxUrl=”100” maxQueryString=”100” >
<headerLimits>
<add header=”User-Agent” sizeLimit=”100” />
<add header=”Translate” sizeLimit=”0” />
<add header=”If” sizeLimit=”0” />
<add header=”Lock-Token” sizeLimit=”0” />
</headerLimits>
</requestLimits>
<denyUrlSequences>
<add sequence=”..” />
<add sequence=”./” />
<add sequence=”\” />
<add sequence=”:” />
<add sequence=”%” />
<add sequence=”&” />
</denyUrlSequences>
<denyQueryStringSequences>
<add sequence=”<” />
<add sequence=”>” />
<add sequence=”@” />
</denyQueryStringSequences>
<hiddenSegments applyToWebDAV=”true” >
<add segment=”private html” />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
[Options]
UseAllowVerbs=1 ;
UseAllowExtensions=1 ;
NormalizeUrlBeforeScan=1 ;
VerifyNormalization=1 ;
AllowHighBitCharacters=0 ;
UnescapeQueryString=1 ;
EnableLogging=1 ;

[AllowVerbs]
HEAD ; Allows the standard HTTP verb HEAD.
GET ; Allows the standard HTTP verb GET.
POST ; Allows the standard HTTP verb POST.
OPTIONS ; Allows the standard HTTP verb OPTIONS.
COPY ; Example of allowing one WebDAV verb, but none of the others.
; Do not include COPY unless it is required by the website.

[AllowExtensions]
.htm ;
.html ;

[DenyHeaders]
Translate: ;
If: ;
Lock-Token: ;

[DenyUrlSequences]
.. ;
./ ;
\ ;
: ;
% ;
& ;

[RequestLimits]
MaxAllowedContentLength=10000
MaxUrl=100
MaxQueryString=100
Max-User-Agent=100

[DenyQueryStringSequences]
< ;
> ;
@ ;

The Universal Principles of Successful @Moneiac_Book
No ratings yet
The Universal Principles of Successful @Moneiac_Book
218 pages
Course Presentation
No ratings yet
Course Presentation
43 pages
ActWin Getting Started - R2 Software PDF
No ratings yet
ActWin Getting Started - R2 Software PDF
7 pages
Rest API Handwritten Notes
No ratings yet
Rest API Handwritten Notes
6 pages
Splunk
100% (1)
Splunk
41 pages
IBM Security Access Manager PDF
No ratings yet
IBM Security Access Manager PDF
708 pages
OSCCE System Management Guide
No ratings yet
OSCCE System Management Guide
94 pages
JSP-Servlet Interview Questions You'll Most Likely Be Asked
From Everand
JSP-Servlet Interview Questions You'll Most Likely Be Asked
Vibrant Publishers
No ratings yet
Introduction To IIS and HTTP
No ratings yet
Introduction To IIS and HTTP
49 pages
NetScaler 10.5 Content Filtering
No ratings yet
NetScaler 10.5 Content Filtering
25 pages
Ibm HTTP Server - sg245132
No ratings yet
Ibm HTTP Server - sg245132
260 pages
IBM HTTP Server (Powered by Apache) An Integrated Solution For IBM Eserver Iseries Servers
No ratings yet
IBM HTTP Server (Powered by Apache) An Integrated Solution For IBM Eserver Iseries Servers
458 pages
Index 572
No ratings yet
Index 572
3 pages
Lecture 1 - Intro to Web Technologies
No ratings yet
Lecture 1 - Intro to Web Technologies
46 pages
Starting With AJAX
No ratings yet
Starting With AJAX
10 pages
Implementing CICS Web Services Sg247206
No ratings yet
Implementing CICS Web Services Sg247206
628 pages
Accurint Web Services Interface Guide
No ratings yet
Accurint Web Services Interface Guide
1,287 pages
Ocelot
No ratings yet
Ocelot
104 pages
Valuable Note!
No ratings yet
Valuable Note!
24 pages
C3SA Module 03 V1
No ratings yet
C3SA Module 03 V1
116 pages
Idm Rest API
No ratings yet
Idm Rest API
100 pages
Jasper Reports Server Web Services Guide
No ratings yet
Jasper Reports Server Web Services Guide
102 pages
Defacing Website
100% (1)
Defacing Website
26 pages
Redmond Iis60 Mega Guide Part 1
No ratings yet
Redmond Iis60 Mega Guide Part 1
124 pages
Application Development For CICS
No ratings yet
Application Development For CICS
384 pages
Jasper Reports Server Web Services Guide
No ratings yet
Jasper Reports Server Web Services Guide
84 pages
Securing IIS Headers
No ratings yet
Securing IIS Headers
14 pages
HTTPD Docs 2.0.63.en
0% (1)
HTTPD Docs 2.0.63.en
691 pages
Personal Webserver (Win95, 98 Environments) 5. Peer Webserver
No ratings yet
Personal Webserver (Win95, 98 Environments) 5. Peer Webserver
18 pages
Qualys WAS Lab Tutorial Supplement
No ratings yet
Qualys WAS Lab Tutorial Supplement
30 pages
OpenScape Voice V5, Application Developers Manual, Programming Guide, Issue 1 - Addfiles
No ratings yet
OpenScape Voice V5, Application Developers Manual, Programming Guide, Issue 1 - Addfiles
84 pages
SuiteTalkWebServicesPlatformGuide (IMPRESA)
0% (1)
SuiteTalkWebServicesPlatformGuide (IMPRESA)
346 pages
Restful W Eb Servic Es: Pentest Ing
No ratings yet
Restful W Eb Servic Es: Pentest Ing
65 pages
RETS 1.5 - Doc
No ratings yet
RETS 1.5 - Doc
114 pages
Content Gateway Manager Help
No ratings yet
Content Gateway Manager Help
439 pages
WebFactionUserGuide PDF
No ratings yet
WebFactionUserGuide PDF
171 pages
Pentration Testing
No ratings yet
Pentration Testing
29 pages
Wget
No ratings yet
Wget
76 pages
Ocelot Latest
No ratings yet
Ocelot Latest
98 pages
Black Hat Europe 2001 Presentation
No ratings yet
Black Hat Europe 2001 Presentation
52 pages
Adv Java Complete Notes For End Sem Exam Preparation
No ratings yet
Adv Java Complete Notes For End Sem Exam Preparation
30 pages
Ocelot
No ratings yet
Ocelot
104 pages
IIS 7: The Administrator's Guide: Alexis Eller Program Manager Microsoft Corporation
No ratings yet
IIS 7: The Administrator's Guide: Alexis Eller Program Manager Microsoft Corporation
44 pages
Docs Cherrypy Dev en Latest
No ratings yet
Docs Cherrypy Dev en Latest
273 pages
Web Application Firewall (WAF)
No ratings yet
Web Application Firewall (WAF)
11 pages
Burpsuite For Pentester - Logger++
No ratings yet
Burpsuite For Pentester - Logger++
25 pages
GNU Wget 1.20: by Hrvoje Nik Si C and Others
No ratings yet
GNU Wget 1.20: by Hrvoje Nik Si C and Others
76 pages
AS/400 HTTP Server Performance and Capacity Planning
No ratings yet
AS/400 HTTP Server Performance and Capacity Planning
224 pages
CherryPy v.18.0.2
No ratings yet
CherryPy v.18.0.2
213 pages
Suite Talk Web Services Platform Guide
No ratings yet
Suite Talk Web Services Platform Guide
193 pages
Introduction To Front
No ratings yet
Introduction To Front
4 pages
11 Jobaid HTTP JOBAID
No ratings yet
11 Jobaid HTTP JOBAID
4 pages
BarracudaWebAppFirewall AG
No ratings yet
BarracudaWebAppFirewall AG
252 pages
BarracudaWebAppFirewall AG Manual
No ratings yet
BarracudaWebAppFirewall AG Manual
252 pages
Suite Talk Web Services Platform Guide
No ratings yet
Suite Talk Web Services Platform Guide
341 pages
50 Recipes for Programming Angular
From Everand
50 Recipes for Programming Angular
Jamie Munro
4/5 (1)
Ajax in One Hour, For Beginners, Learn Coding Fast
From Everand
Ajax in One Hour, For Beginners, Learn Coding Fast
Ray Yao
No ratings yet
React Portfolio App Development: Increase your online presence and create your personal brand
From Everand
React Portfolio App Development: Increase your online presence and create your personal brand
Abdelfattah Ragab
No ratings yet
VPS Server Setup
From Everand
VPS Server Setup
L Mohan Arun
5/5 (1)
Hashicorp Certified Vault Associate Certification Case Based Practice Questions - Latest Edition
From Everand
Hashicorp Certified Vault Associate Certification Case Based Practice Questions - Latest Edition
Exam OG
No ratings yet
Angular HTTP: Connecting to the REST API
From Everand
Angular HTTP: Connecting to the REST API
Abdelfattah Ragab
No ratings yet
Oracle WebLogic Server 12c Advanced Administration Cookbook
From Everand
Oracle WebLogic Server 12c Advanced Administration Cookbook
Dalton Iwazaki
No ratings yet
Beach Peas Cowl Crochet
No ratings yet
Beach Peas Cowl Crochet
4 pages
Non Parametric Test
100% (1)
Non Parametric Test
16 pages
Introduction To Isotopes and Environmental Tracers As Indicators of Groundwater Flow
No ratings yet
Introduction To Isotopes and Environmental Tracers As Indicators of Groundwater Flow
85 pages
Q1: Defination Of: - Regular Language
No ratings yet
Q1: Defination Of: - Regular Language
8 pages
3 Limiting Probabilities
No ratings yet
3 Limiting Probabilities
4 pages
Soil Stabilization Using Crumb Rubber
No ratings yet
Soil Stabilization Using Crumb Rubber
36 pages
100 SAP ABAP Interview Questions
No ratings yet
100 SAP ABAP Interview Questions
10 pages
CS31005 Algorithm-II MA 2016
No ratings yet
CS31005 Algorithm-II MA 2016
2 pages
Mppt
No ratings yet
Mppt
2 pages
078 - S8 - Anastasios Lekkas PDF
No ratings yet
078 - S8 - Anastasios Lekkas PDF
37 pages
timing-belts-catalogue
No ratings yet
timing-belts-catalogue
38 pages
Dichotomous Key Campos
No ratings yet
Dichotomous Key Campos
14 pages
English Pro
No ratings yet
English Pro
14 pages
GEOVIA Surpac BR200215LTR LR
No ratings yet
GEOVIA Surpac BR200215LTR LR
4 pages
Calibration Lesson Plan in Science 11 MAED
No ratings yet
Calibration Lesson Plan in Science 11 MAED
3 pages
An Improved System For Brain Pathology Classification Using Hybrid Deep Learning Algorithm
No ratings yet
An Improved System For Brain Pathology Classification Using Hybrid Deep Learning Algorithm
34 pages
Fiitjee: Phase Test (JEE-Advanced)
No ratings yet
Fiitjee: Phase Test (JEE-Advanced)
15 pages
E560 CMG10 CS
No ratings yet
E560 CMG10 CS
8 pages
Rna Extraction
No ratings yet
Rna Extraction
3 pages
Doosan Co Za
No ratings yet
Doosan Co Za
20 pages
Nucleic Acids
No ratings yet
Nucleic Acids
43 pages
Semiconductor Devices Design
No ratings yet
Semiconductor Devices Design
1 page
NFC Iet Multan: Faiz-Ul-Rehman
No ratings yet
NFC Iet Multan: Faiz-Ul-Rehman
3 pages
Install Guide
No ratings yet
Install Guide
17 pages
Agile Life Cycle
100% (2)
Agile Life Cycle
41 pages
Engineering Measurements: by Shaik Himam Saheb Icfaitech, Ifhe Hyderabad
No ratings yet
Engineering Measurements: by Shaik Himam Saheb Icfaitech, Ifhe Hyderabad
42 pages
Managing The Full API Lifecycle Ebook - 0 PDF
No ratings yet
Managing The Full API Lifecycle Ebook - 0 PDF
22 pages
Ultrasonic Asme B31.3-2022
No ratings yet
Ultrasonic Asme B31.3-2022
1 page

Whitelisting Windows IIS and WebDAV Traffic

Uploaded by

Whitelisting Windows IIS and WebDAV Traffic

Uploaded by

1.1 Prior Functionality .........................................................................................................................

2.1 Request Filtering Configuration .................................................................................................... 9

Table 1: Standard HTTP Verbs/Methods from RFC 7231.............................................................................. 5

Function Tag Name Setting Name Value Section Setting Name

Turn on <verbs> allowUnlisted “false” Options UseAllowVerbs

Turn on <fileExtensions> allowUnlisted “false” Options UseAllowExtensions

Check for <requestFiltering> allowDoubleEscaping “false” Options VerifyNormalization

Deny High <requestFiltering> allowHighBitCharacters “false” Options AllowHighBitCharacters

Scan Query <requestFiltering> unescapeQueryString “true” Options UnescapeQueryString

You might also like