
Thread: Request filtering fileExtensions and default document issue

Last post 04-27-2009 5:03 AM by davide marzucco. 6 replies.

Page 1 of 1 (7 items)

  • 04-23-2009, 12:30 PM

    Request filtering fileExtensions and default document issue

    Hi all, I'm just working on locking down IIS7 with request filtering.
    To avoid any misunderstanding here it is the requestFiltering node from my applicationHost.config file:

    <requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
      <requestLimits maxAllowedContentLength="30000000" maxUrl="260" maxQueryString="50" />
      <fileExtensions allowUnlisted="false" applyToWebDAV="false">
        <add fileExtension=".svc" allowed="true" />
        <add fileExtension=".aspx" allowed="true" />
        <add fileExtension=".jpg" allowed="true" />
        <add fileExtension=".gif" allowed="true" />
        <add fileExtension=".png" allowed="true" />
        <add fileExtension=".zip" allowed="true" />
      </fileExtensions>
      <verbs allowUnlisted="false" applyToWebDAV="false">
        <add verb="GET" allowed="true" />
        <add verb="POST" allowed="true" />
      </verbs>
      <hiddenSegments applyToWebDAV="true">
        <add segment="web.config" />
        <add segment="bin" />
        <add segment="App_code" />
        <add segment="App_GlobalResources" />
        <add segment="App_LocalResources" />
        <add segment="App_WebReferences" />
        <add segment="App_Data" />
        <add segment="App_Browsers" />
      </hiddenSegments>
      <denyUrlSequences>
        <add sequence=".." />
      </denyUrlSequences>
    </requestFiltering>

    Setting allowUnlisted="false" in the fileExtensions node causes my root site to no longer serve the default document. That is, if I browse to http://www.mysite.com I receive a 404 Not Found, because the request for / is blocked by the request filtering file extensions rule, although I configured the default document to be default.aspx.
    However, browsing to http://www.mysite.com/default.aspx works fine.
    Confirmation comes when changing just allowUnlisted="true" in the fileExtensions node: in this case the default document is served by IIS, according to the configuration.

    I'm thinking this could be solved with some particular entry in the fileExtensions section. Can someone help me on this please?

    You should agree that for end users a short URL (www.mysite.com) is much more comfortable and user-friendly than having to type a "complex" URL with the home document.

    Thank you in advance,
    Regards,
    Davide

  • 04-25-2009, 1:02 AM In reply to

    • lextm
    • Top 10 Contributor
    • Joined on 10-22-2008, 4:18 AM
    • Shanghai, PRC
    • Posts 1,417

    Re: Request filtering fileExtensions and default document issue

    If you received a 404 status code when allowUnlisted = false, then please follow this KB article to know which sub status code occurs.

    http://support.microsoft.com/kb/943891

    Once you know the sub status code, it is easy to know which request filtering rule needs to be tuned.

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 04-25-2009, 6:04 AM In reply to

    Re: Request filtering fileExtensions and default document issue

    Thank you lextm for your reply, but unfortunately I found no news on the issue. You're right, surfing that URL on the local server I can see the detailed IIS error code, which is 404.7, that is, a file extension denied. But I already knew this; as I wrote, with allowUnlisted="true" the problem no longer occurs.

    The real question is: which fileExtension has to be allowed explicitly to allow the request for the / resource?

    Only when I set no filter on the fileExtension does IIS serve the / resource, and after that the redirection to the default document occurs.

    Hope you can understand my concern.

    Anyway, thank you.

  • 04-25-2009, 8:04 AM In reply to

    • lextm
    • Top 10 Contributor
    • Joined on 10-22-2008, 4:18 AM
    • Shanghai, PRC
    • Posts 1,417

    Re: Request filtering fileExtensions and default document issue

    Hi Davide,

    I can understand your concern about security.

    But if you configure allowUnlisted=false, you are telling IIS to block everything unlisted. That of course includes "/" which contains no extension information at all.

    This behavior is reasonable IMO.

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 04-27-2009, 3:46 AM In reply to

    Re: Request filtering fileExtensions and default document issue

    Hi Lex, thank you again for your reply. I was afraid of this conclusion. We can't get the server secure and user-friendly at the same time! What's your opinion on having a company site unreachable at www.company.com? We'll have to tell everybody to type www.company.com/default.aspx to reach the homepage...

    I agree with you: enabling that feature, I asked IIS not to serve /, but I suppose that having the default document feature overridden by request filtering is not so reasonable.

    I'm looking further for some workaround, keeping the famous allowUnlisted=true option.

    Regards,
    Davide

  • 04-27-2009, 4:50 AM In reply to

    • lextm
    • Top 10 Contributor
    • Joined on 10-22-2008, 4:18 AM
    • Shanghai, PRC
    • Posts 1,417

    Re: Request filtering fileExtensions and default document issue

    Hi Davide,

    Don't be upset. I just noticed that there is a way to allow "/". This requires you to add an extra Allow rule.

    1. Click "Allow File Name Extension..."

    2. Type "." (a dot) in the dialog and click OK.

    Then you can access http://localhost/ to test if it works also on your box.

    In this way, other unknown extensions are still being blocked.

    Regards,

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 04-27-2009, 5:03 AM In reply to

    Re: Request filtering fileExtensions and default document issue

    That's it!! You're the one Lex!!! Thank you sooooooooooooo much!!

    I tried many other possibilities, setting "/", or "", but with no luck (and indeed I was trying to have luck!!)

    The "." (dot) is the obvious solution, but I was not aware of that.

    Now I'm happy and feel secure!!

    This solution should be offered as a guide or how-to for locking down IIS with request filtering based on a need-to-have principle. I started from here and probably this guide could include this solution!

    This is the Site for IIS resources!

    Regards,
    Davide
