Hidden Segments <hiddenSegments>
Overview
The <hiddenSegments> element contains a collection of <add> elements that identify certain URLs IIS 7 will make inaccessible to clients.
For example, on Web servers that host ASP.NET content, IIS 7 blocks several ASP.NET-related paths for you, such as Web.config, bin, and App_Code. Blocking these URL segments reduces the chance that an attacker can exploit these URLs to obtain information.
Note: When request filtering blocks an HTTP request because of a hidden URL segment, IIS 7 will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied:
| HTTP Substatus | Description |
|---|---|
| 404.8 | Hidden Namespace |
This substatus allows Web administrators to analyze their IIS logs and identify potential threats.
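One way to run that log analysis, shown as an added example rather than code from the original page: it reads IIS W3C extended log lines, takes the column layout from the `#Fields:` directive, and counts 404.8 denials per client. The sample log lines and addresses are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus sc-win32-status
2011-03-01 10:00:01 GET /default.aspx 192.0.2.10 200 0 0
2011-03-01 10:00:02 GET /_private/notes.txt 198.51.100.7 404 8 0
2011-03-01 10:00:03 GET /bin/app.dll 198.51.100.7 404 8 0
2011-03-01 10:00:04 GET /missing.htm 192.0.2.10 404 0 2
2011-03-01 10:00:05 GET /web.config 203.0.113.5 404 8 0
"""

def hidden_segment_denials(lines):
    """Yield (client_ip, uri_stem) for each request logged as 404.8."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The logged columns are configurable, so re-read them at each directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, values))
        if row.get("sc-status") == "404" and row.get("sc-substatus") == "8":
            yield row.get("c-ip", "-"), row.get("cs-uri-stem", "-")

def summarize(lines):
    """Return (Counter of 404.8 denials per client IP, denied URIs per client IP)."""
    per_ip = Counter()
    uris = {}
    for ip, uri in hidden_segment_denials(lines):
        per_ip[ip] += 1
        uris.setdefault(ip, []).append(uri)
    return per_ip, uris

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(ip, n, denied[ip])
```

Plain 404.0 responses are excluded, so the output separates hidden-segment probing from ordinary broken links.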
Compatibility
| Version | Notes |
|---|---|
| IIS 7.5 | The <hiddenSegments> element was not modified in IIS 7.5. |
| IIS 7.0 | The <hiddenSegments> element of the <requestFiltering> collection was introduced in IIS 7.0. |
| IIS 6.0 | The <hiddenSegments> element replaces the IIS 6.0 UrlScan [DenyUrlSequences] features. |
Setup
The default installation of IIS 7 includes the Request Filtering role service. If the Request Filtering role service is uninstalled, you can reinstall it using the following steps.
Windows Server 2008 or Windows Server 2008 R2
- On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
- In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
- In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
- On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
- On the Confirm Installation Selections page, click Install.
- On the Results page, click Close.
Windows Vista or Windows 7
- On the taskbar, click Start, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
- Expand Internet Information Services, then World Wide Web Services, and then Security.
- Select Request Filtering, and then click OK.

How To
Note for IIS 7.0 users: Some of the steps in this section may require that you install the Microsoft Administration Pack for IIS 7.0, which includes a user interface for request filtering. To install the Microsoft Administration Pack for IIS 7.0, please see the following URL:
How to add a hidden segment
- Open Internet Information Services (IIS) Manager:
  - If you are using Windows Server 2008 or Windows Server 2008 R2:
    - On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  - If you are using Windows Vista or Windows 7:
    - On the taskbar, click Start, and then click Control Panel.
    - Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
- In the Home pane, double-click Request Filtering.
- In the Request Filtering pane, click the Hidden Segments tab, and then click Add Hidden Segment... in the Actions pane.
- In the Add Hidden Segment dialog box, enter the relative path that you want to hide, and then click OK.

Configuration
Attributes
| Attribute | Description |
|---|---|
| applyToWebDAV | Optional Boolean attribute. Specifies whether these settings should also apply to WebDAV requests. |
Child Elements
| Element | Description |
|---|---|
| add | Optional element. Adds a segment to the collection of hidden segments. |
| clear | Optional element. Removes all references to segments from the <hiddenSegments> collection. |
| remove | Optional element. Removes a reference to a segment from the <hiddenSegments> collection. |
Configuration Sample
The following example Web.config file configures two options: it configures IIS to deny requests for the "_private" folder, and it sets applyToWebDAV to false so that request filtering allows WebDAV access to hidden segments.
<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <hiddenSegments applyToWebDAV="false">
               <add segment="_private" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
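A configuration review check for the add, clear and remove child elements, as an added example that is not part of the original page: it applies a Web.config's `<hiddenSegments>` children in document order to an inherited list and reports segments that are no longer hidden. It assumes the inherited list contains only the defaults this page names and that segment names compare case-insensitively; the sample Web.config is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: the inherited list holds only the defaults this page names.
PAGE_NAMED_DEFAULTS = ("web.config", "bin", "App_Code")

# Constructed Web.config: un-hides "bin", hides "_private".
SAMPLE_CONFIG = """\
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments applyToWebDAV="false">
          <remove segment="bin" />
          <add segment="_private" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

PATH = "system.webServer/security/requestFiltering/hiddenSegments"

def effective_hidden_segments(config_xml, inherited=PAGE_NAMED_DEFAULTS):
    """Apply <clear>, <remove> and <add> in document order to the inherited list."""
    node = ET.fromstring(config_xml).find(PATH)
    segments = list(inherited)
    if node is None:
        return segments, None
    for child in node:
        seg = child.get("segment", "")
        if child.tag == "clear":
            segments = []
        elif child.tag == "remove":
            # Assumption: segment names compare case-insensitively.
            segments = [s for s in segments if s.lower() != seg.lower()]
        elif child.tag == "add" and seg.lower() not in (s.lower() for s in segments):
            segments.append(seg)
    return segments, node.get("applyToWebDAV")

def audit(config_xml, inherited=PAGE_NAMED_DEFAULTS):
    """Return the effective segments plus findings worth a reviewer's attention."""
    segments, webdav = effective_hidden_segments(config_xml, inherited)
    hidden = {s.lower() for s in segments}
    findings = [f"no longer hidden: {s}" for s in inherited if s.lower() not in hidden]
    if webdav is not None and webdav.strip().lower() == "false":
        findings.append("applyToWebDAV is false: WebDAV requests can reach hidden segments")
    return segments, findings
```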
Sample Code
The following code samples configure two options: they configure IIS to deny requests for the "_private" folder in the "Default Web Site", and they set applyToWebDAV to false so that request filtering allows WebDAV access to hidden segments.
AppCmd.exe
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /hiddenSegments.applyToWebDAV:"False"
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_private']"
C#
using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetWebConfiguration("Default Web Site");
         ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering");
         ConfigurationElement hiddenSegmentsElement = requestFilteringSection.GetChildElement("hiddenSegments");
         hiddenSegmentsElement["applyToWebDAV"] = false;
         ConfigurationElementCollection hiddenSegmentsCollection = hiddenSegmentsElement.GetCollection();
         ConfigurationElement addElement = hiddenSegmentsCollection.CreateElement("add");
         addElement["segment"] = @"_private";
         hiddenSegmentsCollection.Add(addElement);
         serverManager.CommitChanges();
      }
   }
}
VB.NET
Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site")
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering")
      Dim hiddenSegmentsElement As ConfigurationElement = requestFilteringSection.GetChildElement("hiddenSegments")
      hiddenSegmentsElement("applyToWebDAV") = False
      Dim hiddenSegmentsCollection As ConfigurationElementCollection = hiddenSegmentsElement.GetCollection
      Dim addElement As ConfigurationElement = hiddenSegmentsCollection.CreateElement("add")
      addElement("segment") = "_private"
      hiddenSegmentsCollection.Add(addElement)
      serverManager.CommitChanges()
   End Sub
End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var hiddenSegmentsElement = requestFilteringSection.ChildElements.Item("hiddenSegments");
hiddenSegmentsElement.Properties.Item("applyToWebDAV").Value = false;
var hiddenSegmentsCollection = hiddenSegmentsElement.Collection;
var addElement = hiddenSegmentsCollection.CreateNewElement("add");
addElement.Properties.Item("segment").Value = "_private";
hiddenSegmentsCollection.AddElement(addElement);
adminManager.CommitChanges();
VBScript
Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set hiddenSegmentsElement = requestFilteringSection.ChildElements.Item("hiddenSegments")
hiddenSegmentsElement.Properties.Item("applyToWebDAV").Value = False
Set hiddenSegmentsCollection = hiddenSegmentsElement.Collection
Set addElement = hiddenSegmentsCollection.CreateNewElement("add")
addElement.Properties.Item("segment").Value = "_private"
hiddenSegmentsCollection.AddElement(addElement)
adminManager.CommitChanges()