Prevent directory traversal

Make sure that 8.3 short file names are not generated on the server. This is done by editing the registry.

  1. Open regedit on the Windows server.

  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

  3. Find the NtfsDisable8dot3NameCreation value.

  4. Double-click it and set the value to 1.

This prevents attackers from using 8.3 short file names for directory traversal.
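The registry step above, as an added example that is not part of the original page: the script reads the current NtfsDisable8dot3NameCreation value, sets it to 1 as described, confirms the setting through fsutil, and then scans the web root for files that already have a short name. That last step matters because the registry value only stops NTFS from generating new short names; files created before the change keep theirs. The web root path is a placeholder and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the original page): apply and verify the 8.3 short-name
# setting, then report files that already carry a short name.
# Assumes an elevated PowerShell session; $WebRoot is a placeholder path.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$RegName = 'NtfsDisable8dot3NameCreation'
$WebRoot = 'C:\inetpub\wwwroot'   # placeholder: adjust to the site's physical path

# 1. Read the current value (0 means short names are created on all volumes).
$current = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
Write-Host "Current $RegName = $current"

# 2. Set it to 1 as the procedure describes, if it is not already 1.
if ($current -ne 1) {
    Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord
    Write-Host "Set $RegName to 1"
}

# 3. Confirm the setting the way NTFS itself reports it.
fsutil 8dot3name query

# 4. The registry value only prevents NEW short names from being generated;
#    existing files keep the short name they already have. List them so the
#    web root can be reviewed.
fsutil 8dot3name scan /s $WebRoot
```

`fsutil 8dot3name strip /s /f <directory>` removes the existing short names that the scan reports, but it should be run only after checking that nothing on the server references files by their short name, since such references break once the names are gone.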

Set IIS URL filtering

Set up IIS to filter URLs on forbidden characters.

  1. Open IIS Manager and double-click Request Filtering.

  2. Add a deny sequence (e.g. tilde, backslash) under the URL tab.

...

Denying Specific File Extensions in Request Filtering

  1. Open IIS Manager:

    • Launch IIS Manager and navigate to the site or server where you want to apply the restriction.

  2. Access Request Filtering:

    • Double-click Request Filtering in the features view.

  3. Add a Deny Rule:

    • In the right-hand panel, click Edit Feature Settings.

    • Under the File Name Extensions tab:

      1. Click Deny File Name Extension in the right-hand panel.

      2. Enter the file extension (e.g., .exe, .bat, .cmd).

      3. Click OK to apply.

  4. Repeat for Additional Extensions:

    • Repeat the process to deny other file extensions as needed.
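The two Request Filtering procedures above (deny URL sequences, deny file name extensions), as an added example that is not part of the original page: the script applies both at the server level through the WebAdministration module, which writes the same `system.webServer/security/requestFiltering` entries the IIS Manager dialogs produce in applicationHost.config, and then reads the result back. The sequences and extensions are the ones the page names; the site name in the comment is a placeholder.

```powershell
# Added example (not from the original page): configure Request Filtering
# deny URL sequences and denied file extensions, then read the result back.
# Assumes IIS with the WebAdministration module and an elevated session.

Import-Module WebAdministration

# Server-wide scope. For a single site use a PSPath such as
# 'IIS:\Sites\Default Web Site' (placeholder site name).
$Scope  = 'MACHINE/WEBROOT/APPHOST'
$Filter = 'system.webServer/security/requestFiltering'

# Deny URL sequences from the page: tilde and backslash.
$denySequences = @('~', '\')
foreach ($seq in $denySequences) {
    $exists = Get-WebConfigurationProperty -PSPath $Scope -Filter "$Filter/denyUrlSequences" -Name 'Collection' |
              Where-Object { $_.sequence -eq $seq }
    if (-not $exists) {
        Add-WebConfigurationProperty -PSPath $Scope -Filter "$Filter/denyUrlSequences" -Name '.' -Value @{ sequence = $seq }
    }
}

# Deny the file name extensions listed in the procedure.
$denyExtensions = @('.exe', '.bat', '.cmd')
foreach ($ext in $denyExtensions) {
    $exists = Get-WebConfigurationProperty -PSPath $Scope -Filter "$Filter/fileExtensions" -Name 'Collection' |
              Where-Object { $_.fileExtension -eq $ext }
    if (-not $exists) {
        Add-WebConfigurationProperty -PSPath $Scope -Filter "$Filter/fileExtensions" -Name '.' -Value @{ fileExtension = $ext; allowed = 'False' }
    } else {
        # Entry already present (possibly allowed='True'): force it to denied.
        Set-WebConfigurationProperty -PSPath $Scope -Filter "$Filter/fileExtensions/add[@fileExtension='$ext']" -Name 'allowed' -Value 'False'
    }
}

# Read back what is now in applicationHost.config.
Write-Host 'Denied URL sequences:'
Get-WebConfigurationProperty -PSPath $Scope -Filter "$Filter/denyUrlSequences" -Name 'Collection' |
    Select-Object sequence

Write-Host 'Denied file extensions:'
Get-WebConfigurationProperty -PSPath $Scope -Filter "$Filter/fileExtensions" -Name 'Collection' |
    Where-Object { -not $_.allowed } |
    Select-Object fileExtension, allowed
```

Requests rejected by these rules are logged by IIS as HTTP 404 with substatus 5 (denied URL sequence) or 7 (denied file extension), so a search of the site's W3C logs for `sc-status 404` with `sc-substatus 5` or `7` shows both that the filter is active and how often it is being hit.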

Configure IIS error pages not to display error details

...