Not Answered Thread: How to override parent level setting in IIS7

Last post 12-09-2008 7:58 PM by anilr. 11 replies.

  • 09-02-2006, 11:19 PM

    • leonzhou
    • Not Ranked
    • Joined on 09-03-2006, 2:53 AM
    • Posts 3

    How to override parent level setting in IIS7

    Hi,

    I am apparently trapped by the new request filtering feature in IIS7. I read the tech doc about request filtering and tried to turn off the file extension filtering in my public listed folder by adding:

    <requestFiltering>
      <fileExtensions allowUnlisted="true">
        <add fileExtension=".asp" allowed="false"/>
      </fileExtensions>
    </requestFiltering>

    But my IIS returned me HTTP Error 500.19 on the <requestFiltering> line: "This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault='Deny'), or set explicitly by a location tag with overrideMode='Deny' or the legacy allowOverride='false'."

    The public folder is a virtual directory located under Default Web Site. But I am lost on how to override this parent setting.

    Could anyone point me to the right direction? Thanks

  • 09-05-2006, 4:00 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 6:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: How to override parent level setting in IIS7

    The following command will unlock this section globally.

    %windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/requestFiltering

    If you only want unlock it for a particular site/app, you can do

    %windir%\system32\inetsrv\appcmd.exe unlock config "SiteName/app/url" -section:system.webServer/security/requestFiltering

    - Anil

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 09-05-2006, 9:51 PM In reply to

    • leonzhou
    • Not Ranked
    • Joined on 09-03-2006, 2:53 AM
    • Posts 3

    Re: How to override parent level setting in IIS7

    Heaps of thanks Anil. BTW, do you know anywhere that I can find more info about this kind of advanced operation?

    Regards,
    Leon

  • 09-07-2006, 4:15 AM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 6:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: How to override parent level setting in IIS7

    You can find more information about IIS7 admin interfaces at

    http://www.iis.net/default.aspx?tabid=7&subtabid=73

    and about appcmd specifically at

    http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=954&p=1

     

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 09-09-2006, 8:24 AM In reply to

    • leonzhou
    • Not Ranked
    • Joined on 09-03-2006, 2:53 AM
    • Posts 3

    Re: How to override parent level setting in IIS7

    Thanks for the links Anilr.

    However, my site still doesn't recognise unknown file format. This time, the error message becomes 404.3, which means either I'm missing a handler map or a MIME map for that directory.

    Now I'm pretty sure that I have the StaticFile handler with the request path * enabled for the directory, but I do not see the MIME Types feature in the admin interface (I've installed all components of IIS7).

    Do you know where I should configure the MIME Types?

    Thanks

  • 10-17-2006, 1:51 PM In reply to

    • aarnott
    • Not Ranked
    • Joined on 05-13-2003, 4:18 PM
    • Kirkland, WA
    • Posts 1

    Re: How to override parent level setting in IIS7

    However, my site still doesn't recognise unknown file format. This time, the error message becomes 404.3, which means either I'm missing a handler map or a MIME map for that directory. 

    Use this command to open up all MIME types (and you can easily modify the command to suit your needs):

    %windir%\system32\inetsrv\appcmd.exe set config /section:staticContent /+[fileExtension='.*',mimeType='application/octet-stream']

    Andrew L Arnott
    .NET Compact Framework
  • 10-18-2006, 12:36 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 6:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: How to override parent level setting in IIS7

    You probably never want to do what aarnott suggested (except for troubleshooting maybe) - you would be bypassing one of the security features of IIS to protect against canonicalization bugs - it would make more sense to add particular extensions you want to serve as static files to the list.
    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
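
A check for the `.*` MIME map discussed in the two posts above, added here as an example (it is not code from the thread or from IIS). It reports, per configuration scope, whether the wildcard is present and which extensions are mapped explicitly; the sample configuration and its location path are constructed.

```python
# Added example, not from the thread. SAMPLE_CONFIG is constructed and the
# location path in it is hypothetical.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".css" mimeType="text/css" />
    </staticContent>
  </system.webServer>
  <location path="Default Web Site/public">
    <system.webServer>
      <staticContent>
        <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
        <mimeMap fileExtension=".dat" mimeType="application/octet-stream" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>"""

MIME_PATH = "./system.webServer/staticContent/mimeMap"


def audit_mime_maps(config_xml):
    """Return {scope: {"wildcard": bool, "explicit": [extensions]}}."""
    root = ET.fromstring(config_xml)
    # Settings directly under <configuration> apply to the file's own scope;
    # each <location path="..."> narrows them to one site, app or directory.
    scopes = [("(file scope)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    report = {}
    for scope, node in scopes:
        exts = [m.get("fileExtension", "") for m in node.findall(MIME_PATH)]
        if exts:
            report[scope] = {
                "wildcard": ".*" in exts,
                "explicit": sorted(e for e in exts if e != ".*"),
            }
    return report


def wildcard_scopes(config_xml):
    """Scopes where any unknown extension is served as a static file."""
    return [s for s, r in audit_mime_maps(config_xml).items() if r["wildcard"]]


if __name__ == "__main__":
    for scope, result in audit_mime_maps(SAMPLE_CONFIG).items():
        print(scope, result)
```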
  • 11-29-2007, 5:32 PM In reply to

    • Switche
    • Not Ranked
    • Joined on 11-26-2007, 8:46 PM
    • Posts 9

    Re: How to override parent level setting in IIS7

    In response to anilr's last comment here; can someone provide a simple example of how a canonicalization bug can be exploited due to a Mime Map allowing access to .* file types?

    I can understand the inherent file serving vulnerability of serving all unknown file extensions as application/octet-stream, but I don't see the connection of canonicalization bugs to this Mime Map.

    Thank you

  • 11-29-2007, 7:27 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 6:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: How to override parent level setting in IIS7

    There are many different canonicalizations that file-systems in Windows (and specifically NTFS) can do to the file-name being opened - so both "c:\foo.asp::$DATA" and "c:\foo.asp." end up going to c:\foo.asp - so, if you have serving of any extension allowed, your asp script could get served as a static file to the client (including any database names in it etc) - of course, IIS blocks the examples I listed even if you have serving of any extension allowed - but, there is a possibility of other canonicalization traps and it is always nice to have defense in depth.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
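
The reasoning in the post above, as an added example that is not part of the thread and is not IIS code: a simplified model of the MIME-map check alone, showing that the two names listed in the post fail an explicit extension list but pass once `.*` is mapped. The function names and both sample maps are constructed for illustration.

```python
# Added illustration: models only the static-file MIME-map layer. Real IIS
# applies further checks and, as the post says, already rejects both sample
# names; the point is what this one layer decides on its own.

ALLOW_LIST = {".htm": "text/html", ".css": "text/css", ".png": "image/png"}
WILDCARD = dict(ALLOW_LIST, **{".*": "application/octet-stream"})


def requested_extension(url_path):
    """Extension as a string-level check sees it: text from the last dot on."""
    name = url_path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def ntfs_target(name):
    """Constructed model of the two canonicalizations named in the post:
    a '::$DATA' suffix and a trailing dot both resolve to the plain name."""
    if name.upper().endswith("::$DATA"):
        name = name[: -len("::$DATA")]
    return name.rstrip(".")


def mime_layer_decision(url_path, mime_map):
    """Return (status, file that would be opened or None) for this layer."""
    ext = requested_extension(url_path)
    mime = mime_map.get(ext) or mime_map.get(".*")
    if mime is None:
        # No MIME map for the extension as written: refuse before any open.
        return ("404.3", None)
    return ("200 " + mime, ntfs_target(url_path.rsplit("/", 1)[-1]))


if __name__ == "__main__":
    for path in ("/site.css", "/foo.asp.", "/foo.asp::$DATA"):
        for label, mime_map in (("allow-list", ALLOW_LIST), ("wildcard", WILDCARD)):
            print(f"{path:18} {label:10} {mime_layer_decision(path, mime_map)}")
```

With the explicit list, the extension as written (`.` or `.asp::$data`) matches nothing and the request stops at 404.3; with `.*` mapped, this layer no longer objects and the decision rests entirely on the other checks.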
  • 11-26-2008, 1:26 AM In reply to

    Re: How to override parent level setting in IIS6

    Hi Anil 

    When I run the first command I get the following message:

    "Can not read configuration file due to insufficient permissions." How can I solve the issue?

    Thanks 

     

  • 12-09-2008, 6:07 PM In reply to

    • OzzieP
    • Not Ranked
    • Joined on 12-09-2008, 11:05 PM
    • Posts 1

    Re: How to override parent level setting in IIS7

    Anil - When I run the command on a 64 bit Vista system I get an error message that "Cannot read the configuration file due to insufficient permission".  I am already an administrator.  Do I need something special?  I assume we run the command from the command prompt.

  • 12-09-2008, 7:58 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 6:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: How to override parent level setting in IIS7

    Did you run command prompt with "run as administrator"?  For more info, search for UAC.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server