Save 10% on our Pro WordPress plugins with discount code: 10PERCENT
Web Dev + WordPress + Security

5G Blacklist for Microsoft IIS

[ 5G (MS IIS) ] By design the 5G Blacklist works on Apache servers, but thanks to Scott Stawarz, here is a version for Microsoft IIS. Disclaimer: I do not use any Microsoft server stuff, so make sure to properly test everything before running this code on a live/production site. Also, if you scroll down to the end of this article, you will find some useful bonus snippets.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
                <clear />
                <rule name="Block Bad Query String" stopProcessing="true">
                    <match url=".*" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{QUERY_STRING}" pattern="(environ|localhost|mosconfig|scanner)" />
                        <add input="{QUERY_STRING}" pattern="(menu|mod|path|tag)\=\.?/?" />
                        <add input="{QUERY_STRING}" pattern="boot\.ini" />
                        <add input="{QUERY_STRING}" pattern="echo.*kae" />
                        <add input="{QUERY_STRING}" pattern="etc/passwd" />
                        <add input="{QUERY_STRING}" pattern="\=\\%27$" />
                        <add input="{QUERY_STRING}" pattern="\=\\\'$" />
                        <add input="{QUERY_STRING}" pattern="\.\./" />
                        <add input="{QUERY_STRING}" pattern="\:" />
                        <add input="{QUERY_STRING}" pattern="\[" />
                        <add input="{QUERY_STRING}" pattern="\]" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                </rule>
                <rule name="Block Bad User Agents" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{HTTP_USER_AGENT}" pattern=" ^$" />
                        <add input="{HTTP_USER_AGENT}" pattern="(casper|cmsworldmap|diavol|dotbot)" />
                        <add input="{HTTP_USER_AGENT}" pattern="(flicky|ia_archiver|kmccrew)" />
                        <add input="{HTTP_USER_AGENT}" pattern="(libwww|planetwork|pycurl|skygrid)" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>
                <rule name="Block Bad Request Strings" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{URL}" pattern="(https?|ftp|php)\://" />
                        <add input="{URL}" pattern="/(cgi|https?|ima|ucp)/" />
                        <add input="{URL}" pattern="(\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$" />
                        <add input="{URL}" pattern="(\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)" />
                        <add input="{URL}" pattern="\.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$" />
                        <add input="{URL}" pattern="/(contac|fpw|install|pingserver|register)\.php" />
                        <add input="{URL}" pattern="(base64|crossdomain|localhost|wwwroot)" />
                        <add input="{URL}" pattern="\.well\-known/host\-meta" />
                        <add input="{URL}" pattern="/function\.array\-rand" />
                        <add input="{URL}" pattern="\)\;\$\(this\)\.html\(" />
                        <add input="{URL}" pattern="proc/self/environ" />
                        <add input="{URL}" pattern="/ref\.outcontrol" />
                        <add input="{URL}" pattern="indonesia\.htm" />
                        <add input="{URL}" pattern="\{\$itemURL\}" />
                        <add input="{URL}" pattern="function\(\)" />
                        <add input="{URL}" pattern="labels\.rdf" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Just copy/paste into your web.config file and you should be good to go. I really don’t know much about IIS, but this code looks logical to me and should be entirely plug-n-play, so no editing required. If you discover bugs or have ways of improving the code, please share via comment or directly.

Tested on IIS version 7.5.

Bonus

In his IIS version of 5G, Scott included a couple of bonus rules, one for protecting against hotlinking, and another for WordPress permalinks:

                <rule name="Prevent Image HotLinking">
                    <match url=".*\.(gif|jpg|png)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
                        <add input="{HTTP_REFERER}" pattern="^http(s)?://(.*\.)?your-domain-name-goes-here\.com/.*$" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="/some-random-directory/some-random-file.html" />
                </rule>
                <rule name="wordpress" patternSyntax="Wildcard">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php" />
                </rule>

This code is pre-indented for easy copy/paste into the 5G/IIS code.

Huge thanks to Scott for sharing his work with us!

Credit link: Screenflex Room Dividers

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
Digging Into WordPress: Take your WordPress skills to the next level.

4 responses to “5G Blacklist for Microsoft IIS”

  1. This is really interesting. Thanks :)

    Some of the rules (like “etc/passwd” and “proc/self/environ”) are Linux-specific and aren’t really needed in a Windows environment.

  2. Also be careful with blocking libwww and it blocks *all* libwww-based programs.

  3. You’re welcome. You did all the difficult work. I just had to translate it.

    I’m sure the web.config file can be improved if there are IIS experts.

    Also, one note in my testing, I found the blacklist can be aggressive. If you do add this to your IIS configuration or even if you add the apache version, make sure to test your web-apps. Some web-apps and ajax applications may break due to the blacklist. For normal everyday stuff, I’m sure it works fine.

    Keep up the great work Jeff!

  4. Dallas Web Design 2011/12/07 11:26 am

    Good information. Of course I only have one client that still runs IIS.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Digging Into WordPress: Take your WordPress skills to the next level.
Thoughts
Working on a new book :)
LinkedIn decided to replace my highly rated video course on WP security. For a limited time the course is still available to *logged-in* users via direct URL.
I enjoy listening to original Star Trek and NG episodes while working online. After a while it feels like I’m working on the ship as part of the crew, going on adventures.
New version (2.6) of my shapeSpace starter theme now available! Always free & open source for everyone :)
Finished updating all of my books! As always, book owners can download the latest versions for FREE :)
W3C.org has a very thorough list of accessibility tools.
The more you wake up, the more you realize you are still asleep.
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.