Solved

MS .Net : create firewall rule to discard/filter off ~ character

Posted on 2015-01-03
2
309 Views
Last Modified: 2015-04-06
Q1:
How do we create a Windows Firewall to
discard or filter all web requests including a tilde "~" character. The most recommended prevention technique is to apply a filtering rule on the firewall for all ~ (tilde) and Unicode encoded equivalences sent in the URL path to the server.
If Windows fwall can't do it, can recommend a 3rd party freeware firewall & illustrate how to do it


Q2:
For Linux, can elaborate how to do it for iptables?
0
Comment
Question by:sunhux
2 Comments
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40528963
Firewalls don't operate at the application layer but at the transport layer in a binary transfer if you blocked the tilde character you would corrupt the transfer.  You need to do it in either IIS or in your  code
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='..']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence=':']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='\']" 

Open in new window

C#
using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetWebConfiguration("Default Web Site");

         ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering");

         ConfigurationElementCollection denyUrlSequencesCollection = requestFilteringSection.GetCollection("denyUrlSequences");

         ConfigurationElement addElement = denyUrlSequencesCollection.CreateElement("add");
         addElement["sequence"] = @"..";
         denyUrlSequencesCollection.Add(addElement);

         ConfigurationElement addElement1 = denyUrlSequencesCollection.CreateElement("add");
         addElement1["sequence"] = @":";
         denyUrlSequencesCollection.Add(addElement1);

         ConfigurationElement addElement2 = denyUrlSequencesCollection.CreateElement("add");
         addElement2["sequence"] = @"\";
         denyUrlSequencesCollection.Add(addElement2);

         serverManager.CommitChanges();
      }
   }
}

Open in new window

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample

Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site")
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering")
      Dim denyUrlSequencesCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("denyUrlSequences")

      Dim addElement As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add")
      addElement("sequence") = ".."
      denyUrlSequencesCollection.Add(addElement)

      Dim addElement1 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add")
      addElement1("sequence") = ":"
      denyUrlSequencesCollection.Add(addElement1)

      Dim addElement2 As ConfigurationElement = denyUrlSequencesCollection.CreateElement("add")
      addElement2("sequence") = "\"
      denyUrlSequencesCollection.Add(addElement2)

      serverManager.CommitChanges()
   End Sub

End Module

Open in new window

JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection;

var addElement = denyUrlSequencesCollection.CreateNewElement("add");
addElement.Properties.Item("sequence").Value = "..";
denyUrlSequencesCollection.AddElement(addElement);

var addElement1 = denyUrlSequencesCollection.CreateNewElement("add");
addElement1.Properties.Item("sequence").Value = ":";
denyUrlSequencesCollection.AddElement(addElement1);

var addElement2 = denyUrlSequencesCollection.CreateNewElement("add");
addElement2.Properties.Item("sequence").Value = "\\";
denyUrlSequencesCollection.AddElement(addElement2);

adminManager.CommitChanges();

Open in new window

VBScript
Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set denyUrlSequencesCollection = requestFilteringSection.ChildElements.Item("denyUrlSequences").Collection

Set addElement = denyUrlSequencesCollection.CreateNewElement("add")
addElement.Properties.Item("sequence").Value = ".."
denyUrlSequencesCollection.AddElement(addElement)

Set addElement1 = denyUrlSequencesCollection.CreateNewElement("add")
addElement1.Properties.Item("sequence").Value = ":"
denyUrlSequencesCollection.AddElement(addElement1)

Set addElement2 = denyUrlSequencesCollection.CreateNewElement("add")
addElement2.Properties.Item("sequence").Value = "\"
denyUrlSequencesCollection.AddElement(addElement2)

adminManager.CommitChanges()

Open in new window

http://bit.ly/1EYSbSg
0
 

Author Comment

by:sunhux
ID: 40535383
Thanks.

I don't have access to the code as this is Trendmicro's Deep Security / Securecloud web service.

So with only access to the binaries of Deep Security/Securecloud, which of the solution you've provided will help?
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
How to record audio from input sources to your PC – connected devices, connected preamp to record vinyl discs, streaming media, that play through your audio card: Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 – both 32 bit & 64.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now