Recently I was asked about implementing IIS request filtering in SharePoint 2010.
There are a couple of options when implementing this.
- Allow unlisted file name extensions
- Allow unlisted verbs
- Allow high bit characters
- Allow double escaping.
We will focus on just two of these options "Allow double escaping" and "Allow unlisted file name extensions". By default all of the above options are enabled in IIS but security teams like to harden applications and so may ask for these to be disabled.
Allow double escaping:
For SharePoint do not disable the option for allow double escaping as most customers use special characters and spaces, these will cause IIS to issue an 401.11 error message. Here is a good article on this . http://support.microsoft.com/kb/942076
Allow unlisted file name extensions
Allow unlisted file name extensions is a way for IIS to essentially create a "white list" of file types that are allowed. This sounds like something easy to setup. First we need to get a list of file extensions that we have running in our environment right now. The easiest way to do this is to use Logparser against your existing IIS logs.
Here is an example I used for one of my sites:
logparser -i:IISW3C -o:csv "SELECT distinct EXTRACT_EXTENSION( cs-uri-stem ) AS Extension from C:\inetpub\logs\LogFiles\W3SVC1600315409\*" -q > c:\extension.csv
This will create a CSV file called extension.csv, which we can later modify to create a BAT file to use appcmd to add the file into the allowed file extensions. If you attempt to load a page that is not in the list of approved extensions you will get a 404.7 error from IIS. http://support.microsoft.com/kb/942045
The command to add the extension .ASPX to the allowed list is below, you would need to repeat this command for all extensions listed in extension.csv :
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"fileExtensions.[fileExtension='.ASPX',allowed='True']"
After setting all my known extensions to allow, I found that I could not load my home page by typing http://contoso.com but I could load the home page if I typed http://contoso.com/Sitepages/home.aspx . Turns out that you need to add "." as an extension. http://blogs.msdn.com/b/lexli/archive/2009/06/05/iis-7-dot-tricks-part-ii.aspx . After this the web site loads but when I try and load my managed metadata service application, I get an error "The server method 'Check Permission' failed." I am also having some search issues. Looking through the IIS logs I find my 404.7 but the extension for the URI does not look like a normal URI.
/_vti_bin/taxonomyinternalservice.json/CheckPermission - 10000 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 404 7
/_vti_bin/client.svc/ProcessQuery - 10000 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET4.0C;+.NET4.0E) 404 7 0 93
So it seems that even using logparser we won't get all the extensions. The first extension above is for JSON but with the /CheckPermission following it, we will not get the extension with our logparser query. SVC is another extension that will not get pulled up with our log parser query. After adding these two extensions, I am able to browse my SharePoint sites.
Next let's try loading SharePoint Designer and see how that works. Dang, looks like SharePoint is not installed
Looking at the IIS logs I don't see any 404 errors. Let's disable request filtering and take a look. Now SharePoint Designer loads. So let's look at the IIS logs again.You will see entries like below:
/_vti_bin/shtml.dll/_vti_rpc - 80 CONTOSO\Administrator ::1 MSFrontPage/14.0 200 0 0 171
/_vti_bin/_vti_aut/author.dll - 80 CONTOSO\Administrator ::1 MSFrontPage/14.0 200 0 0 218
/_vti_bin/owssvr.dll Cmd=DisplayPost 80 - ::1 MSFrontPage/14.0 401 1 2148074254 0
Looks like we need to add DLL as an allowed extension. After adding this extension and turning request filtering back on, I still can't get the site to open in Designer. Looking at the IIS logs this time I have several 404.7 errors (See Below):
GET /_vti_inf.html - 80 - ::1 Mozilla/4.0+(compatible;+MS+FrontPage+14.0) 404 7 0 0
POST /_vti_bin/shtml.exe/_vti_rpc - 80 - ::1 MSFrontPage/14.0 404 7 0 31
Finally I can open my SharePoint Site using SharePoint Designer with request filtering turned on! As you navigate around and start to edit pages, you may find other file extensions that need to be added and you may find that some of the extensions you need are already added but are set to allowed equal false. As you encounter these extensions you will want to consider your security posture and decide if you really need to enable these particular extensions.
The minimal extensions that I found I required just to load the default page and to open in SharePoint Designer are:
If you would like more information on SharePoint and LogParser please download this document. http://www.microsoft.com/en-us/download/confirmation.aspx?id=4616