The <denyUrlSequences> element contains a collection of <add> elements that specify sequences of characters that IIS will deny, which helps prevent URL-based attacks on the Web server.
For example, using two periods in a URL ("..") will instruct a server to process the URL in the next higher directory, but it may also indicate that an attacker is trying to gain access to areas outside of the content area. Blocking that pattern of characters will remove this chance for an attacker being able to exploit this URL sequence.
Note: When request filtering blocks an HTTP request because of a denied URL sequence, IIS 7.0 will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied:
| HTTP Substatus |
Description |
404.5 |
URL Sequence Denied |
This substatus allows Web administrators to analyze their IIS logs and identify potential threats.
| |
IIS 7.0 |
IIS 6.0 |
| Notes |
The <denyUrlSequences> element of the <requestFiltering> collection is new in IIS 7.0. |
The <denyUrlSequences> element replaces the IIS 6.0 UrlScan [DenyUrlSequences] features. |
The default installation of IIS 7.0 includes the Request Filtering role service. If the Request Filtering role service is uninstalled, you can reinstall it using the following steps.
Windows Server 2008
- On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
- In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
- In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
- On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
- On the Confirm Installation Selections page, click Install.
- On the Results page, click Close.
Windows Vista
- On the taskbar, click Start, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
- Expand Internet Information Services, then World Wide Web Services, then Security.
- Select Request Filtering, and then click OK.
Note: The steps in this section require that you install the Microsoft Administration Pack for IIS 7.0, which includes a user interface for request filtering. To install the Microsoft Administration Pack for IIS 7.0, please see the following URL:
http://learn.iis.net/page.aspx/415/
How to deny a URL sequence
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- In the Request Filtering pane, click the Deny URL Sequences tab, then click Add URL Sequence... in the Actions pane.
- In the Add Deny Sequence dialog box, enter the URL sequence that you wish to block, and then click OK.
For example, to prevent directory transversal on your server, you would enter two periods ("..") in the dialog box.
Attributes
None.
Child Elements
| Element |
Description |
add |
Optional element.
Adds a sequence to the collection of denied URL sequences. |
clear |
Optional element.
Removes all references to sequences from the <denyUrlSequences> collection. |
remove |
Optional element.
Removes a reference to a sequence from the <denyUrlSequences> collection. |
Configuration Sample
The following example Web.config file will deny access to three URL sequences. The first sequence prevents directory transversal, the second sequence prevents access to alternate data streams, and the third sequence prevents backslashes from being used in URLs.
<configuration>
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence=".." />
<add sequence=":" />
<add sequence="\" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
</configuration>
The following code samples will deny access to three URL sequences for the Default Web Site: directory transversals (".."), alternate data streams (":"), and backslashes ("\").
AppCmd.exe
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='..']"
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence=':']"
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='\']"
C#
using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample
{
private static void Main()
{
using (ServerManager serverManager = new ServerManager())
{
Configuration config = serverManager.GetWebConfiguration("Default Web Site");
ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering");
ConfigurationElementCollection denyUrlSequencesCollection = requestFilteringSection.GetCollection("denyUrlSequences");
ConfigurationElement addElement = denyUrlSequencesCollection.CreateElement("add");
addElement["sequence"] = @"..";
denyUrlSequencesCollection.Add(addElement);
ConfigurationElement addElement1 = denyUrlSequencesCollection.CreateElement("add");
addElement1["sequence"] = @":";
denyUrlSequencesCollection.Add(addElement1);
ConfigurationElement addElement2 = denyUrlSequencesCollection.CreateElement("add");
addElement2["sequence"] = @"\";
denyUrlSequencesCollection.Add(addElement2);
serverManager.CommitChanges();
}
}
}
VB.NET
Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
Sub Main()
Dim serverManager As ServerManager = New ServerManager
Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site")
Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering")
Dim denyUrlSequencesCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("denyUrlSequences")
Dim addElement As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add")
addElement("sequence") = ".."
denyUrlSequencesCollection.Add(addElement)
Dim addElement1 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add")
addElement1("sequence") = ":"
denyUrlSequencesCollection.Add(addElement1)
Dim addElement2 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add")
addElement2("sequence") = "\"
denyUrlSequencesCollection.Add(addElement2)
serverManager.CommitChanges()
End Sub
End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection;
var addElement = denyUrlSequencesCollection.CreateNewElement("add");
addElement.Properties.Item("sequence").Value = "..";
denyUrlSequencesCollection.AddElement(addElement);
var addElement1 = denyUrlSequencesCollection.CreateNewElement("add");
addElement1.Properties.Item("sequence").Value = ":";
denyUrlSequencesCollection.AddElement(addElement1);
var addElement2 = denyUrlSequencesCollection.CreateNewElement("add");
addElement2.Properties.Item("sequence").Value = "\\";
denyUrlSequencesCollection.AddElement(addElement2);
adminManager.CommitChanges();
VBScript
Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection
Set addElement = denyUrlSequencesCollection.CreateNewElement("add")
addElement.Properties.Item("sequence").Value = ".."
denyUrlSequencesCollection.AddElement(addElement)
Set addElement1 = denyUrlSequencesCollection.CreateNewElement("add")
addElement1.Properties.Item("sequence").Value = ":"
denyUrlSequencesCollection.AddElement(addElement1)
Set addElement2 = denyUrlSequencesCollection.CreateNewElement("add")
addElement2.Properties.Item("sequence").Value = "\"
denyUrlSequencesCollection.AddElement(addElement2)
adminManager.CommitChanges()