Share via


IIS 7.0 Admin Pack: Request Filtering

My last post talked about the Technical Preview release of the IIS 7.0 Admin Pack, and how it includes 7 new features that will help you manage your IIS 7.0.

Today I was going to start writing about more details about each feature and Bill Staples just posted something (How to (un)block directories with IIS7 web.config) that almost seems that it was planned for me to introduce one of the features in the Admin Pack, namely Request Filtering UI.

IIS 7.0 includes a feature called Request Filtering that provides additional capabilities to secure your web server, for example it will let you filter requests that are double escaped, or filter requests that are using certain HTTP Verbs, or even block requests to specific "folders", etc. I will not go into the details on this functionality, if you want to learn more about it you can see the Request Filtering articles over https://learn.iis.net

In his blog Bill mentions how you can easily configure Request Filtering using any text editor, such as notepad, and edit the web.config manually. That was required since we did not ship UI within IIS Manager for it due to time constraints and other things. But now as part of the Admin Pack we are releasing UI for managing the Request Filtering settings.

Following what Bill just showed in his blog, this is the way you would do it using the new UI instead.

1) Install IIS Admin Pack (Technical Preview)

2) Launch IIS Manager

3) Drill down using the Tree View to the site or application you want to change the settings for.

4) Enter into the new feature called Request Filtering inside the IIS category

5) Select the Hidden Segments and choose "Add Hidden Segment" from the Task List on the right

6) Add the item

As you would expect the outcome is exactly as Bill explained in his blog, just an entry within you web.config, something like:

    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="log" />
</hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>

So as you can see the Request Filtering UI will help you discover some of the nice security settings that IIS 7.0 has. The following images show some of the additional settings you can configure, such as Verbs, Headers, URL Sequences, URL Length, Quey String size, etc.

Comments

  • Anonymous
    March 25, 2008
    One of the core priorities we focused on when building IIS 7 was to enable a rich .NET extensibility
  • Anonymous
    March 25, 2008
    One of the core priorities we focused on when building IIS 7 was to enable a rich .NET extensibility
  • Anonymous
    March 25, 2008
    One of the core priorities we focused on when building IIS 7 was to enable a rich .NET extensibility
  • Anonymous
    March 27, 2008
    The comment has been removed
  • Anonymous
    March 27, 2008
    The comment has been removed
  • Anonymous
    April 10, 2008
    Uma das prioridades principais em que nos concentramos na construção do IIS7 foi a de fornecer um modelo
  • Anonymous
    April 10, 2008
    Uma das prioridades principais em que nos concentramos na construção do IIS7 foi a de fornecer um modelo
  • Anonymous
    April 11, 2008
    Statistiche di Log, Database e altre novit
  • Anonymous
    April 12, 2008
    Hi!I've found a bug. You should read date from the log file in culture independent manner. It seems now you just use Date.Parse(dt).
  • Anonymous
    April 26, 2008
    Found this post over on ScottGu&#39;s blog today, highlights some of the new featuresof IIS7. Man, I
  • Anonymous
    May 12, 2008
    Jednym z priorytetów na którym skupiliśmy się przy budowie IIS7 było udostępnienie bogatego modelu rozszerzalności
  • Anonymous
    January 21, 2009
    Le Request Filtering sous IIS 7.0 suscite de nombreuses questions. Ceci est principalement dû au fait