FTP Hidden Segments <hiddenSegments>

Overview

The <hiddenSegments> element contains a collection of <add> elements that identify certain URLs that FTP 7 will make inaccessible to FTP clients.

For example, on FTP servers that are hosting ASP.NET content, you could block ASP.NET-related paths such as bin, App_Code, etc. Blocking these URL segments reduces the chance of someone uploading untrusted code.

Note

When request filtering blocks an FTP request because of a hidden URL segment, FTP 7 will return an FTP error to the client and log the following FTP substatus that identifies the reason that the request was denied:

FTP Substatus Description
8 Hidden segment was detected in the requested path.

This substatus allows FTP administrators to analyze their IIS logs and identify potential threats.

Compatibility

Version Notes
IIS 10.0 The <hiddenSegments> element was not modified in IIS 10.0.
IIS 8.5 The <hiddenSegments> element was not modified in IIS 8.5.
IIS 8.0 The <hiddenSegments> element was not modified in IIS 8.0.
IIS 7.5 The <hiddenSegments> element of the <requestFiltering> element ships as a feature of IIS 7.5.
IIS 7.0 The <hiddenSegments> element of the <requestFiltering> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 The FTP service in IIS 6.0 did not support request filtering.

Note

The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:

https://www.iis.net/expand/FTP

With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.

Setup

To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

Windows Server 2012 or Windows Server 2012 R2

  1. On the taskbar, click Server Manager.

  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.

  3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.

  4. On the Server Roles page, expand Web Server (IIS), and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will need to select FTP Extensibility, in addition to FTP Service.
    Screenshot of the Server Roles page. F T P Extensibility is highlighted and selected. .

  5. Click Next, and then on the Select features page, click Next again.

  6. On the Confirm installation selections page, click Install.

  7. On the Results page, click Close.

Windows 8 or Windows 8.1

  1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.

  2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.

  3. Expand Internet Information Services, and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot of the Programs and Features page. F T P Extensibility is highlighted and selected.

  4. Click OK.

  5. Click Close.

Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.

  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).

  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.

  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.

  5. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot of the Select Role Services page of the Add Role Services Wizard. F T P services is highlighted and selected.

  6. Click Next.

  7. On the Confirm Installation Selections page, click Install.

  8. On the Results page, click Close.

Windows 7

  1. On the taskbar, click Start, and then click Control Panel.

  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.

  3. Expand Internet Information Services, and then FTP Server.

  4. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot of the Programs and Features page. F T P Server is expanded and F T P Service is selected.

  5. Click OK.

Windows Server 2008 or Windows Vista

  1. Download the installation package from the following URL:

  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

Note

FTP Request Filtering did not have a user interface in the FTP 7.0 release; the FTP Request Filtering UI was added in the FTP 7.5 release.

How to add an FTP hidden segment

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the site or directory for which you want to modify your request filtering settings.

  3. In the Home pane, double-click FTP Request Filtering.

  4. In the FTP Request Filtering pane, click the Hidden Segments tab.
    Screenshot of the F T P Request Filtering page. The Hidden Segments tab is selected.

  5. Click Add Hidden Segment... in the Actions pane.
    Screenshot of the Add Hidden Segment dialog box. Underscore private is written in the Hidden segment box.

  6. In the Add Hidden Segment dialog box, enter the path that you want to hide.

  7. Click OK.

Configuration

The <hiddenSegments> element of the <requestFiltering> element is configured at the global, site or URL level.

Attributes

None.

Child Elements

Element Description
add Optional element.

Adds a segment to the collection of hidden segments.
clear Optional element.

Removes all references to segments from the <hiddenSegments> collection.
remove Optional element.

Removes a reference to a segment from the <hiddenSegments> collection.

Configuration Sample

The following sample illustrates several security-related configuration settings in the <system.ftpServer> element for an FTP site. More specifically, the <location> settings in this example demonstrate how to:

  • Specify an FTP authorization rule for read and write access for the administrators group.
  • Specify FTP request filtering options that deny *.exe, *.bat, and *.cmd files.
  • Specify FTP request limits for a maximum content length of 1000000 bytes and a maximum URL length of 1024 bytes.
  • Block FTP access to the _vti_bin virtual directory, which is used with the FrontPage Server Extensions.
  • Specify FTP IP filtering options that allow access from 127.0.0.1 and deny access from the 169.254.0.0/255.255.0.0 range of IP addresses.
<location path="ftp.example.com">
  <system.ftpServer>
    <security>
      <authorization>
        <add accessType="Allow" roles="administrators" permissions="Read, Write" />
      </authorization>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".exe" allowed="false" />
          <add fileExtension=".bat" allowed="false" />
          <add fileExtension=".cmd" allowed="false" />
        </fileExtensions>
        <requestLimits maxAllowedContentLength="1000000" maxUrl="1024" />
        <hiddenSegments>
          <add segment="_vti_bin" />
        </hiddenSegments>
      </requestFiltering>
      <ipSecurity enableReverseDns="false" allowUnlisted="true">
        <add ipAddress="127.0.0.1" allowed="true" />
        <add ipAddress="169.254.0.0" subnetMask="255.255.0.0" allowed="false" />
      </ipSecurity>
    </security>
  </system.ftpServer>
</location>

Sample Code

The following examples add two FTP hidden segments to the Default Web Site; the first hidden segment denies access to the "bin" path and the second segment denies access to the "App_Code" path.

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/requestFiltering /+"hiddenSegments.[segment='bin']" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/requestFiltering /+"hiddenSegments.[segment='App_Code']" /commit:apphost

Note

You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

C#

using System;
using System.Text;
using Microsoft.Web.Administration;


internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection requestFilteringSection = config.GetSection("system.ftpServer/security/requestFiltering", "Default Web Site");
         ConfigurationElementCollection hiddenSegmentsCollection = requestFilteringSection.GetCollection("hiddenSegments");

         ConfigurationElement addElement = hiddenSegmentsCollection.CreateElement("add");
         addElement["segment"] = @"bin";
         hiddenSegmentsCollection.Add(addElement);

         ConfigurationElement addElement1 = hiddenSegmentsCollection.CreateElement("add");
         addElement1["segment"] = @"App_Code";
         hiddenSegmentsCollection.Add(addElement1);

         serverManager.CommitChanges();
      }
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.ftpServer/security/requestFiltering", "Default Web Site")
      Dim hiddenSegmentsCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("hiddenSegments")

      Dim addElement As ConfigurationElement = hiddenSegmentsCollection.CreateElement("add")
      addElement("segment") = "bin"
      hiddenSegmentsCollection.Add(addElement)

      Dim addElement1 As ConfigurationElement = hiddenSegmentsCollection.CreateElement("add")
      addElement1("segment") = "App_Code"
      hiddenSegmentsCollection.Add(addElement1)

      serverManager.CommitChanges()
   End Sub
End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var requestFilteringSection = adminManager.GetAdminSection("system.ftpServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var hiddenSegmentsCollection = requestFilteringSection.ChildElements.Item("hiddenSegments").Collection;

var addElement = hiddenSegmentsCollection.CreateNewElement("add");
addElement.Properties.Item("segment").Value = "bin";
hiddenSegmentsCollection.AddElement(addElement);

var addElement1 = hiddenSegmentsCollection.CreateNewElement("add");
addElement1.Properties.Item("segment").Value = "App_Code";
hiddenSegmentsCollection.AddElement(addElement1);

adminManager.CommitChanges();

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set requestFilteringSection = adminManager.GetAdminSection("system.ftpServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set hiddenSegmentsCollection = requestFilteringSection.ChildElements.Item("hiddenSegments").Collection

Set addElement = hiddenSegmentsCollection.CreateNewElement("add")
addElement.Properties.Item("segment").Value = "bin"
hiddenSegmentsCollection.AddElement(addElement)

Set addElement1 = hiddenSegmentsCollection.CreateNewElement("add")
addElement1.Properties.Item("segment").Value = "App_Code"
hiddenSegmentsCollection.AddElement(addElement1)

adminManager.CommitChanges()