IIS

IIS-Denial of Service and SQL Injection handling


Generally, when you are hosting web sites in IIS in a web farm, the denial-of-service and SQL injection detection parameters are configured on the load balancer. However, to add an extra layer of protection, you can also configure them within each web farm server.

This is especially handy for small or medium business web sites on independent servers. Below are the configuration entries to prevent image stealing and SQL injection.

Both entries can be applied to each web site as two rules under requestFiltering/filteringRules in %windir%\System32\inetsrv\config\applicationHost.config.

1) To block image-stealing user agents. The configuration entry is made in applicationHost.config:
<requestFiltering>
   <filteringRules>
      <filteringRule name="imagestealing" scanUrl="false" scanQueryString="false" scanAllRaw="false">
         <scanHeaders>
            <add requestHeader="User-agent" />
         </scanHeaders>
         <appliesTo>
            <add fileExtension=".gif" />
            <add fileExtension=".jpg" />
            <add fileExtension=".png" />
         </appliesTo>
         <denyStrings>
            <add string="leech-bot" />
         </denyStrings>
      </filteringRule>
   </filteringRules>
</requestFiltering>

2) To block SQL injection attempts in the query string:

<requestFiltering>
   <filteringRules>
      <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
         <appliesTo>
            <clear />
            <add fileExtension=".asp" />
            <add fileExtension=".aspx" />
         </appliesTo>
         <denyStrings>
            <clear />
            <add string="--" />
            <add string=";" />
            <add string="/*" />
            <add string="@" />
            <add string="char" />
            <add string="alter" />
            <add string="begin" />
            <add string="cast" />
            <add string="create" />
            <add string="cursor" />
            <add string="declare" />
            <add string="delete" />
            <add string="drop" />
            <add string="end" />
            <add string="exec" />
            <add string="fetch" />
            <add string="insert" />
            <add string="kill" />
            <add string="open" />
            <add string="select" />
            <add string="sys" />
            <add string="table" />
            <add string="update" />
         </denyStrings>
         <scanHeaders>
            <clear />
         </scanHeaders>
      </filteringRule>
   </filteringRules>
</requestFiltering>
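As an added example (not part of the original post), the following Python script parses a trimmed copy of the SQLInjection rule above and reports which deny string would trip for a handful of constructed requests. It assumes IIS compares denyStrings as case-insensitive substrings of the decoded URL and query string (only scanUrl and scanQueryString are modelled), and it shows that the broad keyword list also rejects benign values such as e-mail addresses, which is worth checking before enabling the rule on a live site.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus, urlsplit

# Trimmed copy of the SQLInjection filteringRule from applicationHost.config above.
RULE_XML = """
<filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
  <appliesTo><add fileExtension=".asp" /><add fileExtension=".aspx" /></appliesTo>
  <denyStrings>
    <add string="--" /><add string=";" /><add string="/*" /><add string="@" />
    <add string="char" /><add string="declare" /><add string="exec" />
    <add string="open" /><add string="select" /><add string="end" />
  </denyStrings>
</filteringRule>
"""


def load_rule(xml_text):
    """Parse the parts of a filteringRule that decide whether a request is denied."""
    rule = ET.fromstring(xml_text)
    return {
        "name": rule.get("name"),
        "scan_url": rule.get("scanUrl") == "true",
        "scan_qs": rule.get("scanQueryString") == "true",
        "extensions": {a.get("fileExtension").lower() for a in rule.findall("appliesTo/add")},
        "deny": [a.get("string").lower() for a in rule.findall("denyStrings/add")],
    }


def evaluate(rule, url):
    """Return the first deny string that matches this request, or None if allowed.
    Assumption: matching is a case-insensitive substring test on decoded text."""
    parts = urlsplit(url)
    last_segment = parts.path.rsplit("/", 1)[-1]
    ext = ("." + last_segment.rsplit(".", 1)[1].lower()) if "." in last_segment else ""
    if rule["extensions"] and ext not in rule["extensions"]:
        return None  # appliesTo scopes the rule to the listed extensions only
    scanned = []
    if rule["scan_url"]:
        scanned.append(unquote_plus(parts.path).lower())
    if rule["scan_qs"]:
        scanned.append(unquote_plus(parts.query).lower())
    for text in scanned:
        for needle in rule["deny"]:
            if needle in text:
                return needle
    return None


if __name__ == "__main__":
    # Constructed requests: one classic probe, two benign false positives, two allowed.
    for sample in ["/products.aspx?id=1%27%20or%201=1--", "/contact.aspx?email=user@example.com",
                   "/search.aspx?q=weekend+special", "/images/logo.png?v=select", "/contact.aspx?msg=hello"]:
        print(f"{sample:45} -> {evaluate(load_rule(RULE_XML), sample)}")
```

Benign requests blocked by "@" or "end" are the false positives to expect; trim the denyStrings list or tighten appliesTo so that only pages that actually take database input are covered.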

 

Export and Import Web Site and AppPools from IIS


One of the common questions developers ask me is how to export and import IIS Web Site and App Pool configuration when moving between servers, especially when migrating or rebuilding a server on a newer operating system.

This may sound easy and out of the box, but it is not. It is only possible from the command line, but it saves the development team a lot of time that would otherwise go into rebuilding the entire app pool settings.

Here are the commands.

  • To Export the App Pool configuration in IIS 7.0 and above
%windir%\system32\inetsrv\appcmd list apppool /config /xml > D:\<AppName>_apppools.xml
  • To Export the Web Sites configuration in IIS 7.0 and above
%windir%\system32\inetsrv\appcmd list site /config /xml > D:\<AppName>_site.xml
  • To Import the App Pool configuration in IIS 7.0 and above (appcmd reads the exported XML from standard input via /in)
%windir%\system32\inetsrv\appcmd add apppool /in < D:\<AppName>_apppools.xml
  • To Import the Web Sites configuration in IIS 7.0 and above
%windir%\system32\inetsrv\appcmd add site /in < D:\<AppName>_site.xml

This export and import approach can also be used for deployments in DMZ environments where deploying with Web Deploy is not possible.

It is recommended to verify all the settings once the import has completed successfully. However, the differences should be very minimal, and this should save you a lot of time.