In Internet Information Services (IIS) 7.0, the Request Filtering module provides additional capabilities to help secure IIS. This module inspects requests for known malicious patterns and refuses to service a request that it determines may be harmful. For example, this module enables you to reject requests that are double escaped, to reject requests that use certain HTTP verbs, or to block requests to specific folders.
An update package is now available to provide improved Request Filtering features. After you apply this update package, you can use the following features:
Creating rules to disallow string patterns in parts of requests
This new feature enables you to define a list of filtering rules. Each rule rejects requests that contain specified strings in certain parts of the HTTP request (the URL, the query string, or selected request headers). The main configuration for this feature is the filteringRules section under the system.webServer/security/requestFiltering section in the Applicationhost.config file or in the Web.config file. If a request is rejected because of such a rule, HTTP status 404.19 is logged in the IIS log.
Creating a safe list for URLs or query strings
This new feature lets you specify safe URLs or query strings that bypass all the defined deny rules. For example, you can always allow the URL "/my.login.page.asp," even though this URL would otherwise trigger a defined deny rule. The main configuration for this feature is the alwaysAllowedUrls collection and the alwaysAllowedQueryStrings collection. These collections are located under the system.webServer/security/requestFiltering section in the Applicationhost.config file or in the Web.config file. Because an entry in either collection disables every deny rule for the matching request, keep these lists as short and as specific as possible.
Creating a deny list of query strings
Many SQL injection attacks are delivered through query string parameters. This new feature enables you to reject malicious requests by inspecting the query string for disallowed character sequences.
To deny a list of query string sequences for all requests, create a denyQueryStringSequences section in the Applicationhost.config file or in the Web.config file, and then add the strings that you must not appear in the query string of any request. If a request is rejected because of this rule, HTTP status 404.18 is logged in the IIS log.
Checking for both escaped and unescaped query strings
This new feature enables you to check both the escaped (URL-encoded) form and the unescaped (decoded) form of the query string by using the unescapeQueryString attribute under the system.webServer/security/requestFiltering section in the Applicationhost.config file or in the Web.config file. When the attribute is set to true, a denied sequence such as "--" is also matched when a client sends it encoded, for example as %2D%2D, instead of in plain form. If a request is rejected because of this check, HTTP status 404.18 is logged in the IIS log.
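The following Web.config fragment is an added example that is not part of the KB article or of Microsoft's documentation; it shows the four features above configured together. It assumes IIS 7.0 with this update installed (IIS 7.5 carries the same requestFiltering schema forward), and the deny strings, file extensions, header name and the allowed login URL are illustrative values chosen for the example, not recommended settings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the KB article). Illustrative values throughout. -->
<configuration>
  <system.webServer>
    <security>
      <!-- unescapeQueryString="true": the query string is checked as received
           and again after URL decoding, so an encoded sequence is still caught -->
      <requestFiltering unescapeQueryString="true">

        <!-- Feature 1: rule list. A request rejected here is logged as 404.19. -->
        <filteringRules>
          <filteringRule name="SQL injection fragments"
                         scanUrl="false"
                         scanQueryString="true">
            <!-- Also scan the listed request headers. -->
            <scanHeaders>
              <add requestHeader="User-Agent" />
            </scanHeaders>
            <!-- Apply the rule only to these extensions (omit appliesTo to apply it to every request). -->
            <appliesTo>
              <add fileExtension=".asp" />
              <add fileExtension=".aspx" />
            </appliesTo>
            <!-- Illustrative strings; tune against real traffic before deploying. -->
            <denyStrings>
              <add string="--" />
              <add string="xp_cmdshell" />
              <add string="' or" />
            </denyStrings>
          </filteringRule>
        </filteringRules>

        <!-- Feature 2: safe list. These entries bypass every deny rule. -->
        <alwaysAllowedUrls>
          <add url="/my.login.page.asp" />
        </alwaysAllowedUrls>
        <alwaysAllowedQueryStrings>
          <add queryString="report=a--b" />
        </alwaysAllowedQueryStrings>

        <!-- Feature 3: query string deny list. A request rejected here is logged as 404.18. -->
        <denyQueryStringSequences>
          <add sequence="xp_" />
          <add sequence="exec(" />
        </denyQueryStringSequences>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After the configuration is in place, confirm it from the IIS log rather than from the browser alone: a request such as /default.asp?id=1%27%20or%201%3D1 should appear with sc-status 404 and sc-substatus 19 (matched by the filtering rule), and /default.asp?cmd=xp_dirtree with sc-status 404 and sc-substatus 18 (matched by the query string deny list). If the same request to /my.login.page.asp is served, the safe list is working as intended, which is also the reason each safe-list entry should be reviewed as carefully as the deny rules it disables.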
The following files are available for download from the Microsoft Download Center:
Download the 32-bit package now.
(http://www.microsoft.com/downloads/details.aspx?FamilyId=AC57A12F-0D4F-4889-A96B-E88AEA960C6C)
Download the 64-bit package now.
(http://www.microsoft.com/downloads/details.aspx?FamilyId=269ABBBC-5D80-45D8-9196-9684FC149841)
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services (http://support.microsoft.com/kb/119591/)
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Prerequisites
You must have Windows Vista Service Pack 1 or Windows Server 2008 installed to apply this update.
Restart requirement
You must restart the computer after you apply this update.
Update replacement information
This update does not replace any other updates.
File information
The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
This update updates all the files that are included in the component if any of the files in the component is updated. The files that are actually changed in this update are listed in the following tables.
IIS 7.0, x86-based versions

File name        File version     File size  Date         Time   Platform
Modrqflt.dll     7.0.6001.22261   36,864     10-Sep-2008  03:27  x86
Iis_schema.xml   Not applicable   77,747     09-Sep-2008  22:22  Not applicable

IIS 7.0, x64-based versions

File name        File version     File size  Date         Time   Platform
Modrqflt.dll     7.0.6001.22261   45,568     10-Sep-2008  04:36  x64
Iis_schema.xml   Not applicable   77,747     09-Sep-2008  23:02  Not applicable

IIS 7.0, Itanium-based versions

File name        File version     File size  Date         Time   Platform
Modrqflt.dll     7.0.6001.22261   94,720     10-Sep-2008  04:32  IA-64
Iis_schema.xml   Not applicable   77,747     09-Sep-2008  23:18  Not applicable
The following tables list all the files that are included in this update.
An update is available that provides improved features for the Request Filtering module in IIS 7.0.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
960728 FIX: Requests that contain unescaped percent signs (%) can be used to bypass the request filtering module in IIS 7.0 (http://support.microsoft.com/kb/960728/)
For more information about how to use these enhanced features, visit the following Microsoft Web site: