4.4 Ensure non-ASCII characters in URLs are not allowed - Applications

Information

This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters. It is recommended that requests containing non-ASCII characters be rejected, where possible.

This feature can help defend against canonicalization attacks, reducing the potential attack surface of servers, sites, and/or applications.

Solution

The AllowHighBitCharacters Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:
1. Open Internet Information Services (IIS) Manager
2. In the Connections pane, go to the connection, site, application, or directory to be configured
3. In the Home pane, double-click Request Filtering
4. Click Edit Feature Settings... in the Actions pane
5. Under the General section, uncheck Allow high-bit characters

Note: Disallowing high-bit ASCII characters in the URL may negatively impact the functionality of sites requiring international language support.

To set this Request Filter using an AppCmd.exe command, run the following command at an elevated command prompt: %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /allowHighBitCharacters:false

See Also

https://workbench.cisecurity.org/files/165

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-10

Plugin: Windows

Control ID: 5fe10eb9d63d8b60abb0cffdab03fa40811c582223aeb3b9834ebcfc0f82fdaf