Adding Verbs <add>

Overview

The <add> element of the <verbs> collection specifies a unique HTTP verb to add to the collection of verbs that are allowed or denied for Internet Information Services (IIS) 7.

Note

When request filtering blocks an HTTP request because of a denied HTTP verb, IIS 7 will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied:

HTTP Substatus Description
404.6 Verb Denied

This substatus allows Web administrators to analyze their IIS logs and identify potential threats.

Compatibility

Version Notes
IIS 10.0 The <add> element was not modified in IIS 10.0.
IIS 8.5 The <add> element was not modified in IIS 8.5.
IIS 8.0 The <add> element was not modified in IIS 8.0.
IIS 7.5 The <add> element was not modified in IIS 7.5.
IIS 7.0 The <add> element of the <verbs> collection was introduced in IIS 7.0.
IIS 6.0 The <verbs> element replaces the IIS 6.0 UrlScan [AllowVerbs] and [DenyVerbs] features.

Setup

The default installation of IIS 7 and later includes the Request Filtering role service or feature. If the Request Filtering role service or feature is uninstalled, you can reinstall it using the following steps.

Windows Server 2012 or Windows Server 2012 R2

  1. On the taskbar, click Server Manager.
  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
  3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
  4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Request Filtering. Click Next.
    Screenshot of Web Server I I S and Security pane expanded with Request Filtering selected. .
  5. On the Select features page, click Next.
  6. On the Confirm installation selections page, click Install.
  7. On the Results page, click Close.

Windows 8 or Windows 8.1

  1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
  3. Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select Request Filtering.
    Screenshot shows Security pane expanded and Request Filtering selected.
  4. Click OK.
  5. Click Close.

Windows Server 2008 or Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
    Screenshot of Select Role Services page of the Add Role Services Wizard showing Security pane expanded and Request Filtering selected.
  5. On the Confirm Installation Selections page, click Install.
  6. On the Results page, click Close.

Windows Vista or Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, then World Wide Web Services, and then Security.
  4. Select Request Filtering, and then click OK.
    Screenshot displays Security pane expanded and Request Filtering highlighted.

How To

Note for IIS 7.0 users: Some of the steps in this section may require that you install the Microsoft Administration Pack for IIS 7.0, which includes a user interface for request filtering. To install the Microsoft Administration Pack for IIS 7.0, please see the following URL:

How to deny an HTTP verb

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.

  3. In the Home pane, double-click Request Filtering.
    Screenshot of Default Web Site Home pane displaying Request Filtering feature selected.

  4. In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... in the Actions pane.
    Screenshot of Request Filtering pane shows H T T P verbs tab. Deny Verb option is displayed in Actions pane.

  5. In the Deny Verb dialog box, enter the HTTP verb that you wish to block, and then click OK.
    Screenshot of Deny Verb dialog box with the box for entering the H T T P verb.

    For example, to prevent HTTP TRACE requests to your server, you would enter "TRACE" in the dialog box.

Configuration

Attributes

Attribute Description
allowed Required Boolean attribute.

Specifies whether the verb is allowed or denied. Setting the allowed attribute to true allows the Web server to process these verbs. Setting the allowed attribute to false prevents the Web server from processing requests.

The default value is true.
verb Required string attribute.

Specifies the name of the verb to allow or deny.

Child Elements

None.

Configuration Sample

The following example Web.config file will configure two options: it will configure IIS to deny HTTP PUT requests, and it will configure request filtering to allow WebDAV access to all HTTP verbs.

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <verbs applyToWebDAV="false">
               <add verb="PUT" allowed="false" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

Sample Code

The following code samples will configure two options: they will configure IIS to deny HTTP PUT requests for the "Default Web Site", and they will configure request filtering to allow WebDAV access to all HTTP verbs.

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /verbs.applyToWebDAV:"False"

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"verbs.[verb='PUT',allowed='False']"

PowerShell

Start-IISCommitDelay

$verbs = Get-IISConfigSection -CommitPath 'Default Web Site' -SectionPath 'system.webServer/security/requestFiltering' | Get-IISConfigCollection -CollectionName 'verbs'

Set-IISConfigAttributeValue -ConfigElement $verbs -AttributeName 'applyToWebDAV' -AttributeValue $false

New-IISConfigCollectionElement -ConfigCollection $verbs -ConfigAttribute @{ 'verb'='PUT';'allowed'=$false }

Stop-IISCommitDelay

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetWebConfiguration("Default Web Site");
         ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering");

         ConfigurationElement verbsElement = requestFilteringSection.GetChildElement("verbs");
         verbsElement["applyToWebDAV"] = false;
         ConfigurationElementCollection verbsCollection = verbsElement.GetCollection();

         ConfigurationElement addElement = verbsCollection.CreateElement("add");
         addElement["verb"] = @"PUT";
         addElement["allowed"] = false;
         verbsCollection.Add(addElement);

         serverManager.CommitChanges();
      }
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample

   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site")
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering")

      Dim verbsElement As ConfigurationElement = requestFilteringSection.GetChildElement("verbs")
      verbsElement("applyToWebDAV") = False
      Dim verbsCollection As ConfigurationElementCollection = verbsElement.GetCollection

      Dim addElement As ConfigurationElement = verbsCollection.CreateElement("add")
      addElement("verb") = "PUT"
      addElement("allowed") = False
      verbsCollection.Add(addElement)

      serverManager.CommitChanges()
   End Sub

End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");

var verbsElement = requestFilteringSection.ChildElements.Item("verbs");
verbsElement.Properties.Item("applyToWebDAV").Value = false;
var verbsCollection = verbsElement.Collection;

var addElement = verbsCollection.CreateNewElement("add");
addElement.Properties.Item("verb").Value = "PUT";
addElement.Properties.Item("allowed").Value = false;
verbsCollection.AddElement(addElement);

adminManager.CommitChanges();

VBScript

Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")

Set verbsElement = requestFilteringSection.ChildElements.Item("verbs")
verbsElement.Properties.Item("applyToWebDAV").Value = False
Set verbsCollection = verbsElement.Collection

Set addElement = verbsCollection.CreateNewElement("add")
addElement.Properties.Item("verb").Value = "PUT"
addElement.Properties.Item("allowed").Value = False
verbsCollection.AddElement(addElement)

adminManager.CommitChanges()