4.7 Ensure Unlisted File Extensions are not allowed - Applications


The FileExtensions Request Filter allows administrators to define specific extensions their web server(s) will allow and disallow. The property allowUnlisted will cover all other file extensions not explicitly allowed or denied. Often times, extensions such as .config, .bat, .exe, to name a few, should never be served. The AllowExtensions and DenyExtensions options are the UrlScan equivalents.

It is recommended that all extensions be disallowed at the most global level possible, with only those necessary being allowed.


Disallowing all but the necessary file extensions can greatly reduce the attack surface of applications and servers.


If not set properly, file extensions that are needed will be rejected.


The allowUnlisted Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure at the server level using the IIS Manager GUI:

Open Internet Information Services (IIS) Manager

In the Connections pane, select the server

In the Home pane, double-click Request Filtering

Click Edit Feature Settings... in the Actions pane

Under the General section, uncheck Allow unlisted file name extensions

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:false


Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering/fileExtensions' -name 'allowUnlisted' -value 'False'

Default Value:

The default Request Filtering configuration allows all unlisted file extensions to be requested.

See Also


Item Details


References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: c4544dc4522a19287345f347efda6ca50f249ba2e913a20e170121adae5350bd