Is There a List of File Extensions that should be Set to Allow in the WFR Web Verifier applicationHost.config file? (Doc ID 2367605.1)

Last updated on NOVEMBER 28, 2023

Applies to:

Goal

The newly published Center for Internet Security (CIS) Microsoft IIS 8 Benchmark [v1.5.0 - 12-30-2016], requires stricter security standards to be implemented for Web servers.  Specifically, to block unwanted access to the server via the web application.  This will need to be configured in the application's web.config file.  To obtain this document, go to https://www.cisecurity.org select the 'CIS Benchmarks' under the Quick Links, and register to download the appropriate Benchmark standard.

Section 4.7 (Ensure Unlisted File Extensions are not allowed) states:

"The FileExtensions Request filter allows administrators to define specific extensions their web server(s) will allow and disallow.  The property allowUnlisted will cover all other file extensions not explicitly allowed or denied.  Often times, extensions such as .config, .bat, .exe, to name a few, should never be served.  The AllowExtensions and DenyExtensions options are the UrlScan equivalents.  It is recommended that all extensions be unallowed, (or denied) at the most global level possible, with only those necessary being allowed.

Disallowing all but the necessary file extensions can greatly reduce the attack surface of applications and servers.  When IIS rejects a request based on the file extension filter, the error code logged is 404.7."

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.