Disable HTTP OPTIONS, TRACE, HEAD, COPY and UNLOCK methods in IIS - iis

For security reasons I want to disable those methods through application level
so I have this web.config file:
<configuration>
<location path="index.php">
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
<system.web>
<authorization>
<deny verbs="OPTIONS" users="*" />
<deny verbs="TRACE" users="*" />
<deny verbs="HEAD" users="*" />
<deny verbs="PROPFIND" users="*" />
<deny verbs="COPY" users="*" />
<deny verbs="LOCK" users="*" />
<deny verbs="UNLOCK" users="*" />
<deny verbs="PROPPATCH" users="*" />
<deny verbs="MKCOL" users="*" />
<deny verbs="MOVE" users="*" />
<deny verbs="DELETE" users="*" />
</authorization>
</system.web>
</location>
</configuration>
But this didn't work - any ideas?

Finaly I found another answer for this problem. and this is working for me. Just add below datas to the your webconfig file.
<configuration>
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Form more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering
if you want to test your web site, is it working or not... You can use "HttpRequester" mozilla firefox plugin. for this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

This worked for me but only after forcing the specific verbs to be handled by the default handler.
<system.web>
...
<httpHandlers>
...
<add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx
An easy way to test is just to deny GET and see if your site loads.

This one disables all bogus verbs and only allows GET and POST
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<clear/>
<add verb="GET" allowed="true"/>
<add verb="POST" allowed="true"/>
</verbs>
</requestFiltering>
</security>
</system.webServer>

For anyone looking for a UI option using IIS Manager.
Open the Website in IIS Manager
Go To Request Filtering and open the Request Filtering Window.
Go to Verbs Tab and Add HTTP Verbs to "Allow Verb..." or "Deny Verb...".
This allow to add the HTTP Verbs in the
"Deny Verb.." Collection.
Request Filtering Window in IIS Manager
Add Verb... or Deny Verb...

Related

Why doesn't IIS Authorization seem to deny access to User Groups

I've a site hosted on IIS7. The site uses Flask with wfastcgi incase that's relevant. It's not publicly facing so I'm trying to just use Windows Authorization to block user groups that I don't want to be able to access it, so I have my web.config set like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="FlaskHandler" path="*" verb="*" modules="FastCgiModule" scriptProcessor="C:\Python34\python.exe|C:\inetpub\wwwroot\mysite\wfastcgi.py" resourceType="Unspecified" />
</handlers>
<security>
<authorization>
<add accessType="Deny" users="?" />
<add accessType="Deny" users="GroupName" />
<add accessType="Allow" users="*" />
</authorization>
</security>
</system.webServer>
</configuration>
This doesn't seem to have any effect; users in the AD Group "GroupName" can still load the site as normal. I've tried it with and without the following <add accessType="Allow" users="*" /> line.
What am I doing wrong here?

Access denied for login page even though i set the tag location in web.config file

I have a problem with form authentication from IIS. The problem is that i can't access the login.html file, even though a put the tag location in my web.config file. I use only form authentication.
Here is my config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
</appSettings>
<system.web>
<authentication mode="Forms">
<forms loginUrl="login.html" name="formsauth1" timeout="60" defaultUrl="index.html">
<credentials passwordFormat="Clear">
<user name="username" password="pass" />
</credentials>
</forms>
</authentication>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="" />
</modules>
</system.webServer>
<location path="login.html">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>

Unrecognized configuration section system.ftpServer for azure

I'm trying to configure web.config for my Azure web app service. I want to restrict the ftp access to only specific URLs. But when i am adding the tag, it is giving me the error -
Parser Error Message: Unrecognized configuration section system.ftpServer.
Can you please guide me where i am doing the mistake.
Thanks in advance
My Web.config file -
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off" />
</system.web>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
<location path="<<FTP hostname>>">
<system.ftpServer>
<security>
<authorization>
<add accessType="Allow" roles="administrators" permissions="Read, Write" />
</authorization>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<add fileExtension=".exe" allowed="false" />
<add fileExtension=".bat" allowed="false" />
<add fileExtension=".cmd" allowed="false" />
</fileExtensions>
<requestLimits maxAllowedContentLength="1000000" maxUrl="1024" />
<hiddenSegments>
<add segment="_vti_bin" />
</hiddenSegments>
</requestFiltering>
<ipSecurity enableReverseDns="false" allowUnlisted="true">
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" allowed="false" />
</ipSecurity>
</security>
</system.ftpServer>
</location>
Some verisons of IIS donot support 'system.ftpServer' configuration or you need to download ftp module manually. You can reference the artice https://www.iis.net/configreference/system.ftpserver and check your IIS version.

IIS Limit access to file + Basic Authentication

I have a simple internal site using IIS 8.5 Basic Authentication.
In one specific html file I want to restrict even further to some users/roles.
UPDATE: This is my Web.config, I can still access the inhouse.html file in a browser with my Windows (LDAP) account. I want to block all users to access this. Then to only allow a few users.
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.6" />
<httpRuntime targetFramework="4.6" />
<authentication mode="Windows" />
</system.web>
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</system.web>
</location>
</configuration>
Try this:
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
--add the users you want here.
</authorization>
</system.web>
</location>
It depends on the rest of your web.config as to whether system.webserver or system.web applies.

Anonymous Directory in Azure Pack

I've recently created an MVC application that leverages Windows Authentication. I have a subdirectory named "EventReceivers" that a want to allow anonymous access on. I've updated my web.config with the proper location element and all works fine on Windows Server 2012 w/ IIS8. However, when I deploy the same project to Azure pack, the files in the EventReceivers directory prompt users for credentials.
Below is my web.config snippet. Any suggestions?
<system.web>
<customErrors mode="Off"/>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<allow verbs="OPTIONS" users="*" />
<deny users="?" />
</authorization>
</system.web>
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
You must also disable windows authentication within the location element like so:
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>

Resources