IIS 7 and Above
Recommended setting for allowHighBitCharacters
Last post Mar 16, 2012 12:44 PM by fab777
Mar 16, 2012 12:14 PM|SaintNick|LINK
IIS7 configuration security
Mar 16, 2012 12:21 PM|fab777|LINK
IIS 7 include natively what has to be added with URLScan in IIS6.
Without URLScan, IIS6 will have the same behavior as IIS7 with a default configuration on this point.
So it's strongly recommended to filter High bit characters, so I recommend you to set to false on your IIS 7 configuration
[code]appcmd.exe set config /section:requestfiltering /allowhighbitcharacters:false[/code]
Mar 16, 2012 12:35 PM|SaintNick|LINK
Mar 16, 2012 12:44 PM|fab777|LINK
Why the recommended setting is 'false'? For security purpose I guess... ;)
It will prevent somme attacks, that's it.