IIS-Denial of Service and SQL Injection handling

Posted on January 30, 2016 Updated on January 30, 2016

Generally, when you are hosting web sites in IIS in web farm, the denial of service and SQL injection detection parameters can be configured on the Load Balancer. However to add an extra layer of protection you can configured it within each web farm server.

This is especially handy in case of small or medium business web sites on independent servers. Below is the configuration entries to prevent image stealing and SQL injection.

If both of the entries are being they can applied to each web site under requestFiltering/filterrules as two rules in %windows%\System32\inetsrv\config\applicationHost.config

1. To prevent user agents or image stealing agents. The configuration entry is made applicationhost.config

<requestFiltering>
   <filteringRules>
      <filteringRule name="imagestealing" scanUrl="false" scanQueryString="false" scanAllRaw="false">
         <scanHeaders>
            <add requestHeader="User-agent" />
         </scanHeaders>
         <appliesTo>
            <add fileExtension=".gif" />
            <add fileExtension=".jpg" />
            <add fileExtension=".png" />
         </appliesTo>
         <denyStrings>
            <add string="leech-bot" />
         </denyStrings>
      </filteringRule>
   </filteringRules>
</requestFiltering>

2) To block sql injection

<requestFiltering>
   <filteringRules>
      <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
         <appliesTo>
            <clear />
            <add fileExtension=".asp" />
            <add fileExtension=".aspx" />
         </appliesTo>
         <denyStrings>
            <clear />
            <add string="--" />
            <add string=";" />
            <add string="/*" />
            <add string="@" />
            <add string="char" />
            <add string="alter" />
            <add string="begin" />
            <add string="cast" />
            <add string="create" />
            <add string="cursor" />
            <add string="declare" />
            <add string="delete" />
            <add string="drop" />
            <add string="end" />
            <add string="exec" />
            <add string="fetch" />
            <add string="insert" />
            <add string="kill" />
            <add string="open" />
            <add string="select" />
            <add string="sys" />
            <add string="table" />
            <add string="update" />
         </denyStrings>
         <scanHeaders>
            <clear />
         </scanHeaders>
      </filteringRule>
   </filteringRules>
</requestFiltering>