Let’s open IIS 7.5 Manager and check whether the Request Filtering module is present under the IIS section, as shown below:
If it is not there, we can install it from Control Panel via “Turn Windows features on or off”, under Internet Information Services, World Wide Web Services, Security, Request Filtering.
Let’s select “Default Web Site”, double-click Request Filtering and walk through its settings:
The feature has several tabs, each configuring one kind of filtering rule for an incoming request.
We can use the File Name Extensions tab to allow or deny a request based on the file extension in its URL:
Here we blocked requests with the .aspx extension; IIS returns 404.7 (File Extension Denied) for any .aspx request. Note that on a real ASP.NET site this would block every page, so it is only an illustration.
We can add a new allow or deny entry by clicking Allow File Name Extension or Deny File Name Extension in the Actions pane:
In the Rules tab, we can create our own custom filtering rules:
Here I created a rule named “Test rule” that scans the URL and the query string, applies only to .aspx requests, and denies any request containing the strings DECLARE or BEGIN. A request blocked this way gets 404.19 (Denied by Filtering Rule).
In the Hidden Segments tab, we can specify URL segments (folder or file names) that cannot be browsed:
Here I configured a segment that blocks any URL containing the MyCode folder; IIS returns 404.8 (Hidden Namespace). IIS already hides segments such as bin, App_Code, App_Data and web.config by default.
In the URL tab, we can configure Allow URL and Deny Sequence entries:
Here I configured a rule to deny the sequence “~” anywhere in the URL; matching requests get 404.5 (URL Sequence Denied).
In the HTTP Verbs tab, we can allow or deny requests based on their verb:
This setting blocks any request that uses PUT as its HTTP verb; IIS returns 404.6 (Verb Denied).
In the Headers tab, we can list request headers and set a maximum size for each one:
Here I configured a size limit of 100 bytes for the content-size header; a request whose header value exceeds that limit gets 404.10 (Request Header Too Long). Note that content-size is not a standard HTTP header name, so in practice you would limit a real header such as Content-Type.
In the Query String tab, we can allow or deny requests based on sequences in the query string:
This blocks any request whose query string contains the sequence “username”; IIS returns 404.18 (Query String Sequence Denied).
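The same rules can be applied without clicking through IIS Manager. The following PowerShell script is an added example and not from the original article; it drives appcmd.exe (the tool the article uses later) to create each kind of rule discussed above for “Default Web Site”. The values are assumptions chosen for illustration: it denies the .bak extension instead of the article’s .aspx (which would block every ASP.NET page), limits the Content-Type header rather than the article’s non-standard content-size header, and the request limits are example numbers. It must run in an elevated PowerShell session on the IIS server.

```powershell
# Added example: configure IIS Request Filtering for "Default Web Site" with appcmd.exe.
# Run elevated. The "--%" token makes PowerShell pass the rest of each line to appcmd verbatim,
# so the appcmd syntax below is exactly what you would type at a cmd prompt.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found; is IIS installed?" }

# File Name Extensions tab: deny .bak (assumption; the article denied .aspx). Sub-status 404.7.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"fileExtensions.[fileExtension='.bak',allowed='false']"

# Rules tab: rule "Test rule" scans URL and query string, applies to .aspx requests,
# and denies DECLARE and BEGIN. Sub-status 404.19.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Test rule',scanUrl='true',scanQueryString='true']"
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Test rule'].appliesTo.[fileExtension='.aspx']"
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Test rule'].denyStrings.[string='DECLARE']"
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"filteringRules.[name='Test rule'].denyStrings.[string='BEGIN']"

# Hidden Segments tab: block the MyCode folder. Sub-status 404.8.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='MyCode']"

# URL tab: deny the "~" sequence anywhere in the URL. Sub-status 404.5.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='~']"

# HTTP Verbs tab: deny PUT. Sub-status 404.6.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"verbs.[verb='PUT',allowed='false']"

# Headers tab: cap the Content-Type header at 100 bytes (assumed header name). Sub-status 404.10.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"requestLimits.headerLimits.[header='Content-Type',sizeLimit='100']"

# Query String tab: deny the sequence "username" in the query string. Sub-status 404.18.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyQueryStringSequences.[sequence='username']"

# Edit Feature Settings: general limits (example values). Content length is in bytes; 10485760 = 10 MB.
& $appcmd --% set config "Default Web Site" -section:system.webServer/security/requestFiltering /requestLimits.maxUrl:4096 /requestLimits.maxQueryString:2048 /requestLimits.maxAllowedContentLength:10485760

# Show the resulting configuration so it can be reviewed before going live.
& $appcmd --% list config "Default Web Site" -section:system.webServer/security/requestFiltering
```

Each appcmd call writes the site-level web.config, so the same settings can be checked into source control alongside the application. Re-running a `/+` line for an entry that already exists fails with a duplicate-key error rather than silently changing anything; remove the entry with `/-` first if you need to change it.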
By looking at the sub-status of the 404 in the IIS logs (the sc-substatus field) or in the Failed Request Tracing (FREB) logs, we can identify which filtering rule blocked the request. The client only sees a generic 404; the sub-status is recorded server-side, which is what makes it useful for monitoring:
| HTTP Substatus | Description |
| --- | --- |
| 404.5 | URL Sequence Denied |
| 404.6 | Verb Denied |
| 404.7 | File Extension Denied |
| 404.8 | Hidden Namespace |
| 404.10 | Request Header Too Long |
| 404.11 | URL Double Escaped |
| 404.12 | URL Has High Bit Chars |
| 404.13 | Content Length Too Large |
| 404.14 | URL Too Long |
| 404.15 | Query String Too Long |
| 404.18 | Query String Sequence Denied |
| 404.19 | Denied by Filtering Rule |
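To show how the sub-status table is used in practice, here is an added PowerShell example (not from the original article) that parses IIS W3C log lines, keeps only the 404s whose sub-status belongs to Request Filtering, and reports which rule fired and from which client. The log lines are constructed for the example, using the default IIS 7.5 field order, and the log directory path in the usage comment is the IIS default and an assumption for your server.

```powershell
# Added example: attribute 404 responses to Request Filtering rules from IIS W3C logs.

# Sub-status to rule mapping, taken from the table above.
$RequestFilteringSubstatus = @{
    5  = 'URL Sequence Denied';        6  = 'Verb Denied'
    7  = 'File Extension Denied';      8  = 'Hidden Namespace'
    10 = 'Request Header Too Long';    11 = 'URL Double Escaped'
    12 = 'URL Has High Bit Chars';     13 = 'Content Length Too Large'
    14 = 'URL Too Long';               15 = 'Query String Too Long'
    18 = 'Query String Sequence Denied'; 19 = 'Denied by Filtering Rule'
}

function Get-RequestFilteringDenials {
    # Reads W3C log lines, uses the #Fields: header to locate columns, and returns one object
    # per request that Request Filtering blocked. Lines before a #Fields: header are skipped.
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line; skip rather than misattribute
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['sc-status'] -ne '404') { continue }
        $sub = [int]$row['sc-substatus']
        if (-not $RequestFilteringSubstatus.ContainsKey($sub)) { continue }   # plain 404.0 etc.

        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            ClientIP  = $row['c-ip']
            Method    = $row['cs-method']
            Url       = $row['cs-uri-stem']
            Query     = $row['cs-uri-query']
            Substatus = "404.$sub"
            Reason    = $RequestFilteringSubstatus[$sub]
        }
    }
}

# Constructed sample log (not a real capture), in the default IIS 7.5 W3C field order.
# Each blocked line corresponds to one of the rules configured in the article.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2024-01-15 10:00:02 10.0.0.5 GET /admin.aspx id=1;DECLARE+@x+int 80 - 192.0.2.10 Mozilla/5.0 404 19 0 3
2024-01-15 10:00:03 10.0.0.5 PUT /upload/test.txt - 80 - 192.0.2.11 curl/7.68.0 404 6 0 2
2024-01-15 10:00:04 10.0.0.5 GET /a~1/ - 80 - 192.0.2.11 Mozilla/5.0 404 5 0 1
2024-01-15 10:00:05 10.0.0.5 GET /MyCode/secret.txt - 80 - 192.0.2.12 Mozilla/5.0 404 8 0 1
2024-01-15 10:00:06 10.0.0.5 GET /login.aspx username=admin 80 - 192.0.2.12 Mozilla/5.0 404 18 0 1
2024-01-15 10:00:07 10.0.0.5 GET /missing.html - 80 - 192.0.2.13 Mozilla/5.0 404 0 2 1
'@

$denials = Get-RequestFilteringDenials -LogLines ($sampleLog -split "`r?`n")
$denials | Format-Table -AutoSize
# Which rules fire most, and which clients trip them (a quick scan-detection view).
$denials | Group-Object Reason   | Sort-Object Count -Descending | Select-Object Count, Name
$denials | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object Count, Name

# On a real server (default log location; site ID 1 is an assumption):
# Get-RequestFilteringDenials -LogLines (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\u_ex*.log")
```

The /missing.html line is a normal 404.0 and the /default.aspx line is a 200, so neither is reported; only the five sub-statuses from the table appear. Because the function reads the #Fields: header instead of assuming column positions, it keeps working if the logged fields are customised, as long as sc-status, sc-substatus and c-ip remain enabled.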
Instead of IIS Manager, we can use appcmd.exe to configure the same settings. For example:

```cmd
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"verbs.[verb='GIVE',allowed='false']"
```

This denies any request whose HTTP verb is GIVE (a made-up verb, so the rule is only an illustration); IIS answers with 404.6:
We can click “Edit Feature Settings” in the Actions pane to configure the general request filtering options: whether unlisted file name extensions and verbs are allowed, whether high-bit characters and double escaping are allowed, and the maximum URL length (default 4096 bytes), maximum query string length (default 2048 bytes) and maximum allowed content length (default 30000000 bytes). The last one is the setting to raise for large file uploads; note that ASP.NET applies its own cap as well (maxRequestLength in httpRuntime, default 4096 KB), so both may need adjusting:
Request Filtering works the same way in IIS 8, 8.5 and later, so the settings above still apply. It is a cheap and effective way to allow or deny requests based on URL, headers, HTTP verbs and so on, as a first layer of defence in front of the application.
That wraps up Request Filtering; I hope this article is helpful.