1

How can I restrict HTTP methods to those required by the MOSS07 application(s) using IIS6?

Update

This is what was written in the document

IIS6 should be used to restrict HTTP methods to those required by the MOSS07 application(s).

I also searched some books and saw something curious in O'Reilly's SharePoint 2007 by James Pyles and others.

There is no real supported way to use HTTP POST and HTTP GET because of the web.config settings and the static definition of the WSDL. In the web.config

<protocols>
 <remove name="HttpGet" />
 <remove name="HttpPost" />
 <remove name="HttpPostLocalHost" />
 <add name="Documentation" />
</protocols>

If we do this in the Web.Config file, would it solve the problem?

Wesley
  • Are you referring to GET, POST, PUT methods, or parameters of the HTTP requests? More info would help – Andy Oct 30 '09 at 13:04
  • I actually do not know. This is to be done from Security purview. Some of the methods which are used by MOSS2007 have to be blocked. I don't even know how to block / unblock HTTP methods. Guidance on that would be helpful. –  Oct 30 '09 at 14:16
  • Please provide more information. If you're following a document, paste the specific instructions here, then it's easier for us to offer guidance. – Scott Forsyth Oct 30 '09 at 17:41

2 Answers

1

One way of doing this is to put your web-server behind a reverse-proxy and restrict the HTTP methods in the reverse-proxy. It is possible to compile pound and run it on Windows/Cygwin and pound can already do this automatically. However, it should not be too difficult to write a simple socket programme to do this in your favourite language.

sybreon
  • Thanks for the suggestion Sybreon. I am looking to do this more or less within IIS as it's been mentioned in one of the security-related documents. –  Nov 04 '09 at 11:11
0

If you want to block certain HTTP methods (verbs), you can do that in IIS 6.0 with URLScan.

I think the web.config entries you posted are for a web service that is intended to only be accessible over the SOAP method, but I don't know if that's what you actually want to do.

You can also restrict the methods allowed for each application extension in IIS Admin. These settings are behind the Configuration button on the Home Directory tab.

jlupolt
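
URLScan, suggested in the answer above, takes its verb list from UrlScan.ini, and the verbs an application actually needs can be read from the IIS W3C logs. As an added example (not part of any answer on this page), the Python script below counts the methods in such a log and prints the `UseAllowVerbs` / `[AllowVerbs]` settings for them. The sample log is constructed, and the function names, the 2xx/3xx filter and the `never_allow` list are assumptions of this example.

```python
"""Added example: derive a UrlScan verb allowlist from IIS W3C logs."""
from collections import Counter

# Constructed sample in IIS 6 W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem sc-status
2009-10-30 13:04:01 GET /default.aspx 200
2009-10-30 13:04:02 POST /_vti_bin/lists.asmx 200
2009-10-30 13:04:03 PROPFIND /Shared%20Documents 207
2009-10-30 13:04:04 TRACE / 501
#Fields: date time sc-status cs-method cs-uri-stem
2009-10-30 13:05:00 200 GET /_layouts/viewlsts.aspx
2009-10-30 13:05:01 404 DELETE /nosuchfile.txt
"""

def count_methods(log_text):
    """Count cs-method values for requests the server answered with 2xx/3xx."""
    fields, counts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field order can change mid-file (e.g. after a logging change).
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        method, status = row.get("cs-method"), row.get("sc-status", "")
        # Assumption: 4xx/5xx requests are probes or errors, not required traffic.
        if method and status[:1] in ("2", "3"):
            counts[method.upper()] += 1
    return counts

def urlscan_allow_verbs(counts, never_allow=("TRACE", "TRACK")):
    """Render the UrlScan.ini lines that allow only the observed verbs."""
    verbs = sorted(v for v in counts if v not in never_allow)
    return "\n".join(["[options]", "UseAllowVerbs=1", "", "[AllowVerbs]"] + verbs)

if __name__ == "__main__":
    print(urlscan_allow_verbs(count_methods(SAMPLE_LOG)))
```

The logs fed to it need to cover a representative period of normal use, because any verb not seen in them ends up blocked once the list is applied.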