Information
This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters. It is recommended that requests containing non-ASCII characters be rejected, where possible.
Rationale
This feature can help defend against canonicalization attacks, reducing the potential attack surface of servers, sites, and/or applications.
Solution
The AllowHighBitCharacters Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:
1. Open Internet Information Services (IIS) Manager
2. In the Connections pane, go to the connection, site, application, or directory to be configured
3. In the Home pane, double-click Request Filtering
4. Click Edit Feature Settings... in the Actions pane
5. Under the General section, uncheck Allow high-bit characters
Note: Disallowing high-bit (non-ASCII) characters in the URL may negatively impact the functionality of sites requiring international language support.
To set this Request Filter using an AppCmd.exe command, run the following command at an elevated command prompt:
%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /allowHighBitCharacters:false
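The same setting can be audited across the server default and every site, and optionally remediated, from PowerShell. The script below is an added example, not part of the benchmark text; it assumes the WebAdministration module is available and that the session is elevated.

```powershell
# Audit (and optionally remediate) allowHighBitCharacters for the server default and
# every site. Added example, not from the benchmark page; assumes the WebAdministration
# module and an elevated PowerShell session. Run with -Remediate to set False where needed.
[CmdletBinding()]
param([switch]$Remediate)

Import-Module WebAdministration

$Filter = 'system.webServer/security/requestFiltering'
$Name   = 'allowHighBitCharacters'
$Root   = 'MACHINE/WEBROOT/APPHOST'

# Returns the effective boolean value. Depending on IIS version the cmdlet returns either
# a bare bool or a ConfigurationAttribute object with a .Value member, so handle both.
function Get-HighBitSetting([string]$Location) {
    $p = @{ PSPath = $Root; Filter = $Filter; Name = $Name }
    if ($Location) { $p.Location = $Location }
    $v = Get-WebConfigurationProperty @p
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { [bool]$v.Value } else { [bool]$v }
}

# Writes allowHighBitCharacters="false" at the given scope (server default when empty).
function Set-HighBitSetting([string]$Location) {
    $p = @{ PSPath = $Root; Filter = $Filter; Name = $Name; Value = $false }
    if ($Location) { $p.Location = $Location }
    Set-WebConfigurationProperty @p
}

# Scope '' is the server-wide default; each site name is an explicit <location> scope.
$scopes = @('') + (Get-Website | ForEach-Object Name)
foreach ($scope in $scopes) {
    $label   = if ($scope) { "site '$scope'" } else { 'server default' }
    $allowed = Get-HighBitSetting -Location $scope
    if (-not $allowed) {
        Write-Output "PASS  $label : $Name = False"
        continue
    }
    if ($Remediate) {
        Set-HighBitSetting -Location $scope
        Write-Output "FIXED $label : $Name set to False"
    } else {
        Write-Output "FAIL  $label : $Name = True (run with -Remediate to fix)"
    }
}
```

Sites that serve non-ASCII URLs will show as FAIL; review those against the international-language note above before remediating them.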