4.4 Ensure non-ASCII characters in URLs are not allowed - Applications

Information

This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters.

It is recommended that requests containing non-ASCII characters be rejected, where possible.

Rationale:

This feature can help defend against canonicalization attacks, reducing the potential attack surface of servers, sites, and/or applications.

Impact:

Requests containing non-ASCII characters be rejected.

Solution

The AllowHighBitCharacters Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:

Open Internet Information Services (IIS) Manager

In the Connections pane, go to the connection, site, application, or directory to be configured

In the Home pane, double-click Request Filtering

Click Edit Feature Settings... in the Actions pane

Under the General section, uncheck Allow high-bit characters

Note: Disallowing high-bit ASCII characters in the URL may negatively impact the functionality of sites requiring international language support.
Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /allowHighBitCharacters:false

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering' -name 'allowHighBitCharacters' -value 'False'

Default Value:

When Request Filtering is installed on a system, the default behavior is to allow high-bit characters in URI.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: de700353dc111463a593db95706658e4a93e089d14ffd139f6d52860da25a29f