1.4.6 Disallow Unlisted File Extensions

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Disallowing all but the necessary file extensions can greatly reduce the attack surface of applications and servers.

Solution

The allowUnlisted Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure at the server level using the IIS Manager GUI: Open Internet Information Services (IIS) Manager In the Connections pane, select the server In the Home pane, double-click Request Filtering Click Edit Feature Settings... in the Actions pane Under the General section, uncheck Allow unlisted file name extensions To set this Request Filter using an AppCmd.exe command, run the following command at an elevated command prompt: %windir%\system32\inetsrv\appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:false

See Also

https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1

Plugin: Windows

Control ID: 1eea52e504f3193befe8f410c671125725b719b39733cdfa3bb1ee030499f1e9