Request Filtering Rule <filteringRule>

Overview

The <filteringRule> element adds a rule to the collection of custom request filtering rules in the <filteringRules> element.

Each <filteringRule> element specifies a collection of custom attributes and elements that define the request filtering behavior based on user-defined criteria. For example, each request filtering rule may contain the following attributes:

  • denyUnescapedPercent - This attribute specifies whether request filtering should deny the request if it contains percent symbols that are not escaped.
  • scanAllRaw - This attribute specifies whether request filtering should scan the raw headers for the strings that are specified in the denyStrings element.
  • scanQueryString - This attribute specifies whether request filtering should scan the query string for the strings that are specified in the denyStrings element. If the unescapeQueryString attribute of the <requestFiltering> element is set to true, then two scans will be made of the query string: one scan with the raw query string and a second scan with the query string unescaped.
  • scanUrl - This attribute specifies whether request filtering should scan the URL for the strings that are specified in the denyStrings element.

In addition, each request filtering rule may contain the following child elements:

  • <appliesTo> - Specifies the list of file name extensions to which the request filtering rule applies.

    Note

    If this section is blank, the rule applies to all requests.

  • <denyStrings> - Specifies the list of strings to deny for the request filtering rule.

  • <scanHeaders> - Specifies the list of HTTP headers to scan.

Note

When request filtering blocks an HTTP request because of a filtering rule, IIS 7 will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied:

HTTP Substatus Description
404.19 Denied by filtering rule

This substatus allows Web administrators to analyze their IIS logs and identify potential threats.

Compatibility

Version Notes
IIS 10.0 The <filteringRule> element was not modified in IIS 10.0.
IIS 8.5 The <filteringRule> element was not modified in IIS 8.5.
IIS 8.0 The <filteringRule> element was not modified in IIS 8.0.
IIS 7.5 The <filteringRule> element of the <filteringRules> element ships as a feature of IIS 7.5.
IIS 7.0 The <filteringRule> element of the <filteringRules> element was introduced as an update for IIS 7.0 that is available through Microsoft Knowledge Base Article 957508 (https://support.microsoft.com/kb/957508).
IIS 6.0 The <filteringRules> element is roughly analogous to the RuleList feature that was added to URLScan 3.0.

Setup

The default installation of IIS 7 and later includes the Request Filtering role service or feature. If the Request Filtering role service or feature is uninstalled, you can reinstall it using the following steps.

Windows Server 2012 or Windows Server 2012 R2

  1. On the taskbar, click Server Manager.
  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
  3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
  4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Request Filtering. Click Next.
    Screenshot that shows Request Filtering selected for Windows 2012. .
  5. On the Select features page, click Next.
  6. On the Confirm installation selections page, click Install.
  7. On the Results page, click Close.

Windows 8 or Windows 8.1

  1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
  3. Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select Request Filtering.
    Screenshot that shows Request Filtering selected for Windows 8.
  4. Click OK.
  5. Click Close.

Windows Server 2008 or Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
    Screenshot that shows Request Filtering selected for Windows Server 2008.
  5. On the Confirm Installation Selections page, click Install.
  6. On the Results page, click Close.

Windows Vista or Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, then World Wide Web Services, and then Security.
  4. Select Request Filtering, and then click OK.
    Screenshot that shows Request Filtering selected for Windows Vista or Windows 7.

How To

How to add a request filtering rule

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the site, application, or directory for which you want to configure request filtering.

  3. In the Home pane, double-click Request Filtering.

  4. In the Request Filtering pane, click the Rules tab.
    Screenshot that shows the Request Filtering pane.

  5. In the Actions pane, click Add Filtering Rule.

  6. Enter the following information for the filtering rule in the Add Filtering Rule dialog:

    • Enter a friendly name for the filtering rule in the Name field.
    • Select Scan url if you want the filtering rule to scan the URL stub for the request.
    • Select Scan query string if you want the filtering rule to scan the query string for the request.
    • Enter any HTTP headers to scan in the Scan Headers collection.
    • Enter the file name extensions to use with the filtering rule in the Applies To collection.
    • Enter the collection of strings to deny for the filtering rule in the Deny Strings collection.
      Screenshot that shows the Add Filtering Rule dialog box.
  7. Click OK to close the Add Filtering Rule dialog.

Configuration

The <filteringRule> element of the <filteringRules> element is configured at the site, application, or directory level.

Attributes

Attribute Description
denyUnescapedPercent Optional Boolean attribute.

true if request filtering should deny the request if it contains percent symbols that are not escaped; otherwise, false.

The default value is true.
name Required string attribute.

Specifies the name of the request filtering rule.

There is no default value.
scanAllRaw Optional Boolean attribute.

true if request filtering should scan the raw headers for the strings that are specified in the denyStrings element; otherwise, false.

The default value is false.
scanQueryString Optional Boolean attribute.

true if request filtering should scan the query string for the strings that are specified in the denyStrings element; otherwise, false.

If the unescapeQueryString attribute of the <requestFiltering> element is set to true, then two scans will be made of the query string: one scan with the raw query string and a second scan with the query string unescaped.

The default value is false.
scanUrl Optional Boolean attribute.

true if request filtering should scan the URL for the strings that are specified in the denyStrings element; otherwise, false.

The default value is false.

Child Elements

Element Description
appliesTo Optional element.

Specifies the list of file name extensions to which the request filtering rule applies.
denyStrings Optional element.

Specifies the list of strings to deny for the request filtering rule.
scanHeaders Optional element.

Specifies the list of HTTP headers to scan.

Configuration Sample

The following sample displays a <requestFiltering> element that uses the <denyStrings>, <appliesTo>, and <scanHeaders> elements to define a request filtering rule that will prevent image stealing (leeching) for a specific user agent.

<requestFiltering>
   <filteringRules>
      <filteringRule name="Block Image Leeching" scanUrl="false" scanQueryString="false" scanAllRaw="false">
         <scanHeaders>
            <add requestHeader="User-agent" />
         </scanHeaders>
         <appliesTo>
            <add fileExtension=".gif" />
            <add fileExtension=".jpg" />
            <add fileExtension=".png" />
         </appliesTo>
         <denyStrings>
            <add string="leech-bot" />
         </denyStrings>
      </filteringRule>
   </filteringRules>
</requestFiltering>

The following sample displays a <requestFiltering> element that defines a request filtering rule that prevents SQL injection attacks by denying a collection of text strings in query strings that are often used in SQL injection attacks.

<requestFiltering>
   <filteringRules>
      <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
         <appliesTo>
            <clear />
            <add fileExtension=".asp" />
            <add fileExtension=".aspx" />
            <add fileExtension=".php" />
         </appliesTo>
         <denyStrings>
            <clear />
            <add string="--" />
            <add string=";" />
            <add string="/*" />
            <add string="@" />
            <add string="char" />
            <add string="alter" />
            <add string="begin" />
            <add string="cast" />
            <add string="create" />
            <add string="cursor" />
            <add string="declare" />
            <add string="delete" />
            <add string="drop" />
            <add string="end" />
            <add string="exec" />
            <add string="fetch" />
            <add string="insert" />
            <add string="kill" />
            <add string="open" />
            <add string="select" />
            <add string="sys" />
            <add string="table" />
            <add string="update" />
         </denyStrings>
         <scanHeaders>
            <clear />
         </scanHeaders>
      </filteringRule>
   </filteringRules>
</requestFiltering>

Sample Code

The following examples demonstrate how to use the <denyStrings>, <appliesTo>, and <scanHeaders> elements to add a request filtering rule for the Default Web Site that will prevent image stealing (leeching) for a specific user agent. Here is the scenario for this example: If you detected that images on your web site were being leeched by a particular user agent, you could create a request filtering rule that denies access to image files for that specific user agent. In this particular example, the request filtering rule will search the HTTP user-agent header for the string "leech-bot," and will deny access to GIF, JPG, and PNG files if the user-agent header contains the search string.

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Block Image Leeching',scanUrl='False',scanQueryString='False',scanAllRaw='False']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Block Image Leeching'].scanHeaders.[requestHeader='User-agent']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Block Image Leeching'].appliesTo.[fileExtension='.gif']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Block Image Leeching'].appliesTo.[fileExtension='.jpg']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Block Image Leeching'].appliesTo.[fileExtension='.png']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Block Image Leeching'].denyStrings.[string='leech-bot']"

PowerShell

Start-IISCommitDelay

$filteringRules = Get-IISConfigSection -CommitPath 'Default Web Site' -SectionPath 'system.webServer/security/requestFiltering' | Get-IISConfigCollection -CollectionName 'filteringRules' 
New-IISConfigCollectionElement -ConfigCollection $filteringRules -ConfigAttribute @{ 'name' = 'Block Image Leeching'; 'scanUrl' = $false; 'scanQueryString' = $false; 'scanAllRaw' = $false; } 

$Rule = Get-IISConfigCollectionElement -ConfigCollection $filteringRules -ConfigAttribute @{ 'name' = 'Block Image Leeching' }

$ruleScanHeaders = Get-IISConfigCollection -ConfigElement $Rule -CollectionName 'scanHeaders' 
New-IISConfigCollectionElement -ConfigCollection $ruleScanHeaders -ConfigAttribute @{ 'requestHeader' = 'User-Agent' }

$ruleAppliesTo = Get-IISConfigCollection -ConfigElement $Rule -CollectionName 'appliesTo'
New-IISConfigCollectionElement -ConfigCollection $ruleAppliesTo -ConfigAttribute @{ 'fileExtension' = '.gif' }
New-IISConfigCollectionElement -ConfigCollection $ruleAppliesTo -ConfigAttribute @{ 'fileExtension' = '.jpg' }
New-IISConfigCollectionElement -ConfigCollection $ruleAppliesTo -ConfigAttribute @{ 'fileExtension' = '.png' }

$ruleDenyStrings = Get-IISConfigCollection -ConfigElement $Rule -CollectionName 'denyStrings'
New-IISConfigCollectionElement -ConfigCollection $ruleDenyStrings -ConfigAttribute @{ 'string' = 'leech-bot' }

Stop-IISCommitDelay

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetWebConfiguration("Default Web Site");
         ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering");
         ConfigurationElementCollection filteringRulesCollection = requestFilteringSection.GetCollection("filteringRules");

         ConfigurationElement filteringRuleElement = filteringRulesCollection.CreateElement("filteringRule");
         filteringRuleElement["name"] = @"Block Image Leeching";
         filteringRuleElement["scanUrl"] = false;
         filteringRuleElement["scanQueryString"] = false;
         filteringRuleElement["scanAllRaw"] = false;

         ConfigurationElementCollection scanHeadersCollection = filteringRuleElement.GetCollection("scanHeaders");
         ConfigurationElement addElement = scanHeadersCollection.CreateElement("add");
         addElement["requestHeader"] = @"User-agent";
         scanHeadersCollection.Add(addElement);

         ConfigurationElementCollection appliesToCollection = filteringRuleElement.GetCollection("appliesTo");
         ConfigurationElement addElement1 = appliesToCollection.CreateElement("add");
         addElement1["fileExtension"] = @".gif";
         appliesToCollection.Add(addElement1);
         ConfigurationElement addElement2 = appliesToCollection.CreateElement("add");
         addElement2["fileExtension"] = @".jpg";
         appliesToCollection.Add(addElement2);
         ConfigurationElement addElement3 = appliesToCollection.CreateElement("add");
         addElement3["fileExtension"] = @".png";
         appliesToCollection.Add(addElement3);

         ConfigurationElementCollection denyStringsCollection = filteringRuleElement.GetCollection("denyStrings");
         ConfigurationElement addElement4 = denyStringsCollection.CreateElement("add");
         addElement4["string"] = @"leech-bot";
         denyStringsCollection.Add(addElement4);

         filteringRulesCollection.Add(filteringRuleElement);
         serverManager.CommitChanges();
      }
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration


Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site")
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering")
      Dim filteringRulesCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("filteringRules")

      Dim filteringRuleElement As ConfigurationElement = filteringRulesCollection.CreateElement("filteringRule")
      filteringRuleElement("name") = "Block Image Leeching"
      filteringRuleElement("scanUrl") = False
      filteringRuleElement("scanQueryString") = False
      filteringRuleElement("scanAllRaw") = False

      Dim scanHeadersCollection As ConfigurationElementCollection = filteringRuleElement.GetCollection("scanHeaders")
      Dim addElement As ConfigurationElement = scanHeadersCollection.CreateElement("add")
      addElement("requestHeader") = "User-agent"
      scanHeadersCollection.Add(addElement)

      Dim appliesToCollection As ConfigurationElementCollection = filteringRuleElement.GetCollection("appliesTo")
      Dim addElement1 As ConfigurationElement = appliesToCollection.CreateElement("add")
      addElement1("fileExtension") = ".gif"
      appliesToCollection.Add(addElement1)
      Dim addElement2 As ConfigurationElement = appliesToCollection.CreateElement("add")
      addElement2("fileExtension") = ".jpg"
      appliesToCollection.Add(addElement2)
      Dim addElement3 As ConfigurationElement = appliesToCollection.CreateElement("add")
      addElement3("fileExtension") = ".png"
      appliesToCollection.Add(addElement3)

      Dim denyStringsCollection As ConfigurationElementCollection = filteringRuleElement.GetCollection("denyStrings")
      Dim addElement4 As ConfigurationElement = denyStringsCollection.CreateElement("add")
      addElement4("string") = "leech-bot"
      denyStringsCollection.Add(addElement4)

      filteringRulesCollection.Add(filteringRuleElement)
      serverManager.CommitChanges()
   End Sub
End Module

JavaScript

adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var filteringRulesCollection = requestFilteringSection.ChildElements.Item("filteringRules").Collection;

var filteringRuleElement = filteringRulesCollection.CreateNewElement("filteringRule");
filteringRuleElement.Properties.Item("name").Value = "Block Image Leeching";
filteringRuleElement.Properties.Item("scanUrl").Value = false;
filteringRuleElement.Properties.Item("scanQueryString").Value = false;
filteringRuleElement.Properties.Item("scanAllRaw").Value = false;

var scanHeadersCollection = filteringRuleElement.ChildElements.Item("scanHeaders").Collection;
var addElement = scanHeadersCollection.CreateNewElement("add");
addElement.Properties.Item("requestHeader").Value = "User-agent";
scanHeadersCollection.AddElement(addElement);

var appliesToCollection = filteringRuleElement.ChildElements.Item("appliesTo").Collection;
var addElement1 = appliesToCollection.CreateNewElement("add");
addElement1.Properties.Item("fileExtension").Value = ".gif";
appliesToCollection.AddElement(addElement1);
var addElement2 = appliesToCollection.CreateNewElement("add");
addElement2.Properties.Item("fileExtension").Value = ".jpg";
appliesToCollection.AddElement(addElement2);
var addElement3 = appliesToCollection.CreateNewElement("add");
addElement3.Properties.Item("fileExtension").Value = ".png";
appliesToCollection.AddElement(addElement3);

var denyStringsCollection = filteringRuleElement.ChildElements.Item("denyStrings").Collection;
var addElement4 = denyStringsCollection.CreateNewElement("add");
addElement4.Properties.Item("string").Value = "leech-bot";
denyStringsCollection.AddElement(addElement4);

filteringRulesCollection.AddElement(filteringRuleElement);
adminManager.CommitChanges();

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set filteringRulesCollection = requestFilteringSection.ChildElements.Item("filteringRules").Collection

Set filteringRuleElement = filteringRulesCollection.CreateNewElement("filteringRule")
filteringRuleElement.Properties.Item("name").Value = "Block Image Leeching"
filteringRuleElement.Properties.Item("scanUrl").Value = False
filteringRuleElement.Properties.Item("scanQueryString").Value = False
filteringRuleElement.Properties.Item("scanAllRaw").Value = False

Set scanHeadersCollection = filteringRuleElement.ChildElements.Item("scanHeaders").Collection
Set addElement = scanHeadersCollection.CreateNewElement("add")
addElement.Properties.Item("requestHeader").Value = "User-agent"
scanHeadersCollection.AddElement(addElement)

Set appliesToCollection = filteringRuleElement.ChildElements.Item("appliesTo").Collection
Set addElement1 = appliesToCollection.CreateNewElement("add")
addElement1.Properties.Item("fileExtension").Value = ".gif"
appliesToCollection.AddElement(addElement1)
Set addElement2 = appliesToCollection.CreateNewElement("add")
addElement2.Properties.Item("fileExtension").Value = ".jpg"
appliesToCollection.AddElement(addElement2)
Set addElement3 = appliesToCollection.CreateNewElement("add")
addElement3.Properties.Item("fileExtension").Value = ".png"
appliesToCollection.AddElement(addElement3)

Set denyStringsCollection = filteringRuleElement.ChildElements.Item("denyStrings").Collection
Set addElement4 = denyStringsCollection.CreateNewElement("add")
addElement4.Properties.Item("string").Value = "leech-bot"
denyStringsCollection.AddElement(addElement4)

filteringRulesCollection.AddElement(filteringRuleElement)
adminManager.CommitChanges()