How to override parent level setting in IIS7

  • Question

  • User-1749188940 posted

    Hi,

    I am apparently trapped by the new request filtering feature in IIS7. I read the tech doc about request filtering and tried to turn off the file extension filtering in my public listed folder by adding:

    <requestFiltering>
      <fileExtensions allowUnlisted="true" >
        <add fileExtension=".asp" allowed="false"/>
      </fileExtensions>
    </requestFiltering>

    But my IIS returned me HTTP Error 500.19 on the <requestFiltering> line: "This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault='Deny'), or set explicitly by a location tag with overrideMode='Deny' or the legacy allowOverride='false'."

    The public folder is a virtual directory located under Default Web Site. But I am lost on how to override this parent setting.

    Could anyone point me to the right direction? Thanks

    Saturday, September 2, 2006 11:19 PM

Answers

  • User511787461 posted

    The following command will unlock this section globally.

    %windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/requestFiltering

    If you only want to unlock it for a particular site/app, you can do

    %windir%\system32\inetsrv\appcmd.exe unlock config "SiteName/app/url" -section:system.webServer/security/requestFiltering

    - Anil

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Tuesday, September 5, 2006 4:00 PM

All replies

  • User-1749188940 posted

    Heaps of thanks Anil. BTW, do you know anywhere that I can find more info about this kind of advanced operation?

    Regards,
    Leon

    Tuesday, September 5, 2006 9:51 PM
  • User511787461 posted

    You can find more information about IIS7 admin interfaces at

    http://www.iis.net/default.aspx?tabid=7&subtabid=73

    and about appcmd specifically at

    http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=954&p=1

     

    Thursday, September 7, 2006 4:15 AM
  • User-1749188940 posted

    Thanks for the links Anilr.

    However, my site still doesn't recognise unknown file format. This time, the error message becomes 404.3, which means either I'm missing a handler map or a MIME map for that directory.

    Now I'm pretty sure that I have the StaticFile handler with the request path * enabled for the directory, but I do not see the MIME Types feature in the admin interface (I've installed all components of IIS7).

    Do you know where I should configure the MIME Types?

    Thanks

    Saturday, September 9, 2006 8:24 AM
  • User-2099250694 posted

    However, my site still doesn't recognise unknown file format. This time, the error message becomes 404.3, which means either I'm missing a handler map or a MIME map for that directory. 

    Use this command to open up all MIME types (and you can easily modify the command to suit your needs):

    %windir%\system32\inetsrv\appcmd.exe set config /section:staticContent /+[fileExtension='.*',mimeType='application/octet-stream']

    Tuesday, October 17, 2006 1:51 PM
  • User511787461 posted
    You probably never want to do what aarnott suggested (except for troubleshooting maybe) - you would be bypassing one of the security features of IIS to protect against canonicalization bugs - it would make more sense to add particular extensions you want to serve as static files to the list.
    Wednesday, October 18, 2006 12:36 PM
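
An added example, not part of any post in this thread: one way to check a site for the catch-all MIME map discussed above. It parses a web.config and reports a `.*` mimeMap entry and the request-filtering deny list; the sample configuration and the function name `audit_static_content` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a site-level web.config after the catch-all MIME map
# from the thread has been applied, plus the request-filtering block from
# the original question.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".asp" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
      <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
    </staticContent>
  </system.webServer>
</configuration>
"""

def audit_static_content(config_xml):
    """Return a list of findings for one web.config / applicationHost.config."""
    root = ET.fromstring(config_xml)
    findings = []
    # A '.*' mimeMap makes the static file handler serve every extension.
    for m in root.iter("mimeMap"):
        if m.get("fileExtension", "").strip() == ".*":
            findings.append("catch-all mimeMap '.*' -> %s" % m.get("mimeType"))
    # With allowUnlisted="true" only explicitly denied extensions are blocked,
    # so report what the deny list actually contains.
    for fe in root.iter("fileExtensions"):
        if fe.get("allowUnlisted", "true").lower() == "true":
            denied = sorted(a.get("fileExtension") for a in fe.iter("add")
                            if a.get("allowed", "").lower() == "false")
            findings.append("allowUnlisted=true; denied only: %s" % ", ".join(denied))
    return findings

if __name__ == "__main__":
    for line in audit_static_content(SAMPLE_WEB_CONFIG):
        print(line)
```
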
  • User-665461097 posted

    In response to anilr's last comment here; can someone provide a simple example of how a canonicalization bug can be exploited due to a Mime Map allowing access to .* file types?

    I can understand the inherent file serving vulnerability of serving all unknown file extensions as application/octet-stream, but I don't see the connection of canonicalization bugs to this Mime Map.

    Thank you

    Thursday, November 29, 2007 5:32 PM
  • User511787461 posted

    There are many different canonicalizations that file-systems in Windows (and specifically NTFS) can do to the file-name being opened - so both "c:\foo.asp::$DATA" and "c:\foo.asp." end up going to c:\foo.asp - so, if you have serving of any extension allowed, your asp script could get served as a static file to the client (including any database names in it etc) - of course, IIS blocks the examples I listed even if you have serving of any extension allowed - but, there is a possibility of other canonicalization traps and it is always nice to have defense in depth.

    Thursday, November 29, 2007 7:27 PM
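
The scenario from the reply above as a simplified model (an added example, not IIS code and not from the thread's participants): the script handler matches on the raw request name, while the file system opens the canonical name. The model ignores the built-in blocks the post says IIS already applies; the function names and MIME tables are assumptions.

```python
def ntfs_target(name):
    """File name NTFS would open: stream suffix and trailing dots/spaces dropped."""
    return name.split(":", 1)[0].rstrip(". ")

def raw_extension(name):
    """Extension as a plain string match on the request name sees it."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def static_file_result(name, mime_map, script_exts=(".asp",)):
    """Hypothetical model of one request for `name` (last URL segment).

    Returns (status, detail). It leaves out the built-in blocks that the
    post says IIS already applies to these two names.
    """
    ext = raw_extension(name)
    if ext in script_exts:
        return ("200", "executed by script handler")
    # Static file handler: needs a MIME map for the raw extension,
    # unless a '.*' catch-all entry exists.
    mime = mime_map.get(ext) or mime_map.get(".*")
    if mime is None:
        return ("404.3", "no MIME map for %r" % ext)
    target = ntfs_target(name)
    if raw_extension(target) in script_exts:
        return ("200", "SOURCE of %s sent as %s" % (target, mime))
    return ("200", "%s sent as %s" % (target, mime))

def is_canonical(name):
    """Defensive pre-check: refuse names the file system would rewrite."""
    return ntfs_target(name) == name

# Constructed MIME tables: an explicit list, and the same list plus '.*'.
EXPLICIT = {".htm": "text/html", ".mp4": "video/mp4"}
CATCH_ALL = {**EXPLICIT, ".*": "application/octet-stream"}

if __name__ == "__main__":
    # First three names are the ones from the post; the last is constructed.
    for name in ["foo.asp", "foo.asp.", "foo.asp::$DATA", "clip.mp4"]:
        print("%-16s explicit=%s  catch-all=%s  canonical=%s" % (
            name, static_file_result(name, EXPLICIT),
            static_file_result(name, CATCH_ALL), is_canonical(name)))
```

With the explicit list the two non-canonical names end in 404.3; with the `.*` entry the same names fall through to the static file path, which is the layer the reply calls defense in depth.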
  • User-339492214 posted

    Hi Anil 

    When I run the first command I get the following message:

    "Can not read configuration file due to insufficient permissions." How can I solve the issue?

    Thanks 

     

    Wednesday, November 26, 2008 1:26 AM
  • User374784972 posted

    Anil - When I run the command on a 64 bit Vista system I get an error message that "Cannot read the configuration file due to insufficient permission".  I am already an administrator.  Do I need something special?  I assume we run the command from the command prompt.

    Tuesday, December 9, 2008 6:07 PM
  • User511787461 posted

    Did you run command prompt with "run as administrator"?  For more info, search for UAC.

    Tuesday, December 9, 2008 7:58 PM
  • User-1892567534 posted
    Hello, would you please give an example? Is app the name that is in apppool? Is system.webserver the hostname of the server? Is there a way to get the same thing by GUI? Thanks, Bernard
    Friday, August 20, 2010 1:01 PM
  • User727163943 posted
    Hi everyone! I have the same problem. I have tried to do what Anil said but it did not work!! Please, help!!!
    Monday, April 4, 2011 4:40 PM
  • User1043721159 posted
    Thanks anilr. I used your method to fix this problem!
    Tuesday, April 5, 2011 3:20 AM
  • User-608912741 posted

    I guess asp extension is turned off. Go to Control Panel -> Turn Windows feature on or off.

     Web Servers(IIS) -> World Wide Web Services -> Application Development Features -> Check ASP check box

    Friday, June 3, 2011 2:54 PM
  • User-1235238959 posted

    Hi, I am having a similar issue, but with .MP4 and .M4v files. For some reason my CMS is blocking those types of files from being served on iOS devices. How can I overwrite this and make them work on this site? Will that work using the following command?

    %windir%\system32\inetsrv\appcmd.exe set config /section:staticContent /+[fileExtension='.mp4, .m4v',mimeType='video/mp4']

    I need to make those files work. I had the MIME types added, but they are not working in this site, though they are on the other site in the same server. I really appreciate the help that you can give me about this issue.

    Friday, February 3, 2012 1:25 PM
  • User1232889997 posted

    Hello, I have an application in Default Website where I need to change AnonymousAuthentication - Disabled and windowsAuthentication - Enabled. I am using the command below:

    Set-WebConfigurationProperty -filter '/system.WebServer/security/authentication/AnonymousAuthentication' `
      -name enabled -value false -PSPath "IIS:\Sites\Default Web Site\QNXT_PWD\default.asp"

    But I am getting the error below:

    """Set-WebConfigurationProperty : This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"."""

    Please help me friends.....

    Tuesday, November 6, 2012 4:30 AM
  • User-1122936508 posted

    Please start a new thread for questions not related to the original post.

    Cheers
    Ken

    Tuesday, November 6, 2012 8:46 AM