Hi, having previously migrated from IIS 6 platform to IIS 7, we have kept the default IIS6 Urlscan setting of allowHighBitCharacters=False. However it seems that in IIS7 request filtering the default has changed to True. Are there any specific considerations to take into account, especially re security, when switching this setting to True? What is best practice for IIS lockdown? Any feedback appreciated. Nick
SaintNick
10 Posts
Recommended setting for allowHighBitCharacters
Mar 16, 2012 11:14 AM|LINK
Request Filtering IIS7 configuration security allowHighBitCharacters
fab777
922 Posts
Re: Recommended setting for allowHighBitCharacters
Mar 16, 2012 11:21 AM|LINK
Hi,
IIS 7 includes natively what has to be added with URLScan in IIS6.
Without URLScan, IIS6 will have the same behavior as IIS7 with a default configuration on this point.
So it's strongly recommended to filter high-bit characters, so I recommend you set it to false in your IIS 7 configuration
[code]appcmd.exe set config /section:requestfiltering /allowhighbitcharacters:false[/code]
> [url=http://learn.iis.net/page.aspx/143/use-request-filtering/]http://learn.iis.net/page.aspx/143/use-request-filtering/[/url]
Please 'Mark as Answer' if this post helps you.
Fabrice ZERROUKI
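An added example, not part of the original posts and not Microsoft tooling: the `appcmd` command above sets the value at one level, while a `<location>` block in the same file can carry its own value, so this Python script lists what each scope in a copy of a config file declares for `allowHighBitCharacters`. The sample XML, the site paths in it and the function name `audit_high_bit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server): the server level sets false,
# one <location> turns it back on, and one declares nothing for this attribute.
SAMPLE_CONFIG = """<configuration>
  <system.webServer><security>
    <requestFiltering allowHighBitCharacters="false" />
  </security></system.webServer>
  <location path="Default Web Site/legacy">
    <system.webServer><security>
      <requestFiltering allowHighBitCharacters="true" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/api">
    <system.webServer><security>
      <requestFiltering allowDoubleEscaping="false" />
    </security></system.webServer>
  </location>
</configuration>"""

RF_PATH = "system.webServer/security/requestFiltering"

def audit_high_bit(config_xml):
    """Return (scope, declared value, finding) per requestFiltering element."""
    root = ET.fromstring(config_xml)
    # The file root and every <location path="..."> block are separate scopes.
    scopes = [("(file root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    results = []
    for name, scope in scopes:
        for rf in scope.findall(RF_PATH):
            declared = rf.get("allowHighBitCharacters")
            if declared is None:
                finding = "not set here, value is inherited"
            elif declared.strip().lower() == "true":
                finding = "high-bit characters allowed"
            elif declared.strip().lower() == "false":
                finding = "high-bit characters rejected"
            else:
                finding = f"unrecognised value {declared!r}"
            results.append((name, declared, finding))
    return results

if __name__ == "__main__":
    for scope, declared, finding in audit_high_bit(SAMPLE_CONFIG):
        print(f"{scope:26} {declared!s:6} {finding}")
```

A scope reported as "not set here" takes whatever its parent scope declares; per the question above, the IIS 7 default is True when no scope sets the attribute.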
SaintNick
10 Posts
Re: Recommended setting for allowHighBitCharacters
Mar 16, 2012 11:35 AM|LINK
fab777
922 Posts
Re: Recommended setting for allowHighBitCharacters
Mar 16, 2012 11:44 AM|LINK
Why is the recommended setting 'false'? For security purposes I guess... ;)
It will prevent some attacks, that's it.
> [url=http://technet.microsoft.com/en-us/library/cc995081.aspx]http://technet.microsoft.com/en-us/library/cc995081.aspx[/url]
Please 'Mark as Answer' if this post helps you.
Fabrice ZERROUKI