7. March 2013 12:05
To secure IIS 7.x, one of the recommendations is to change Request Filtering => File Extensions to allow only the known extensions.
For example: the default values in IIS 7.x under Request Filtering => File Name Extensions.
Ideally it should list ONLY the needed and known extensions as Allowed.
Tip: Instead of deleting each entry manually, you can use <clear /> in web.config, then add the entries from the IIS UI.
To get the list of extensions your application needs, you can parse your website's IIS log:
C:\Program Files (x86)\Log Parser 2.2>Logparser "SELECT EXTRACT_EXTENSION(cs-uri-stem) As Extension FROM 'ex130309.log' GROUP BY Extension" -o:datagrid -i:W3C
Now we uncheck “Allow unknown File Extensions” under Edit Feature Settings in the Request Filtering Actions pane, so that IIS honors only the extensions listed above.
Here the actual problem started: upon browsing http://localhost/ I got IIS error 404.7, but if I browse http://localhost/iisstart.htm everything works!
(404.7 means the file extension was denied by Request Filtering.) Well, I’m browsing the root “/” without an extension. To fix this nuisance:
Add an allowed entry for “.” (a dot, without the quotes).
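The procedure above as an added example (not code from the original post): a Python sketch that reads an IIS W3C log, keeps the extensions of requests that succeeded, and prints the matching requestFiltering fragment for system.webServer/security in web.config, including the "." entry. The sample log lines are constructed, and the status-below-400 filter is an assumption added here so that probes for files the site does not serve stay off the allow list.

```python
from xml.sax.saxutils import quoteattr

# Constructed sample in IIS W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem sc-status
2013-03-09 10:00:01 GET / 200
2013-03-09 10:00:02 GET /iisstart.htm 200
2013-03-09 10:00:02 GET /welcome.png 200
2013-03-09 10:00:05 GET /Default.ASPX 200
2013-03-09 10:00:09 GET /backup.bak 404
2013-03-09 10:00:11 GET /admin.php 404
2013-03-09 10:00:15 GET /products/list 304
"""

def extension_of(uri_stem):
    """Lower-cased extension of the last path segment, or "." when there is none."""
    name = uri_stem.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 and dot < len(name) - 1 else "."

def served_extensions(log_text):
    """Collect extensions of requests that succeeded (status below 400, an assumption)."""
    fields, found = [], set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            status = row.get("sc-status", "")
            if "cs-uri-stem" in row and status.isdigit() and int(status) < 400:
                found.add(extension_of(row["cs-uri-stem"]))
    return sorted(found)

def request_filtering_xml(extensions):
    """Render a <requestFiltering> fragment that denies every unlisted extension."""
    lines = ["<requestFiltering>",
             '  <fileExtensions allowUnlisted="false">',
             "    <clear />"]
    lines += ['    <add fileExtension=%s allowed="true" />' % quoteattr(e)
              for e in extensions]
    lines += ["  </fileExtensions>", "</requestFiltering>"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(request_filtering_xml(served_extensions(SAMPLE_LOG)))
```

Review the generated list before applying it: a log that covers only a short period can miss extensions the application serves rarely.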
Happy securing IIS!