4

Does IIS7 have an in-built mechanism, or are extensions available, for providing web-application-firewall type behavior?

For example, dozens of successive attempts come in that look like scan attempts (eg http://linux.m2osw.com/zmeu-attack). Or dozens come in with obvious XSS or maybe SQL Injection attributes. I'm curious if IIS can respond, perhaps by dropping the request entirely before forwarding on to the application server. I'm thinking of something perhaps like mod_security, but for IIS

marc esher
  • 287
  • 1
  • 4
  • 9

2 Answers2

5

The Microsoft UrlScan tool is probably a good thing for you to look at. Microsoft does a fairly poor job, IMO, promoting the tool. You can find some good third-party references on it, thought. In a nutshell, it's an add-on to IIS that allows you to create filtering rules for requests and has a logging mechanism adjunct to IIS's own logging. It's a pretty neat tool.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
3

The Request Filtering Module is a built-in module (installable as an IIS Role Service through Roles in Server Manager) that has rough feature parity with URLScan, but uses the IIS configuration system instead of INI files.

Wade's blog covers a sample dictionary to prevent common SQL Injection attacks.

TristanK
  • 8,953
  • 2
  • 27
  • 39