Wednesday, June 08, 2016

Powershell: IIS add request filtering (CFIDE)

I recently had to add some request filtering deny rules to a number of servers. This was because of a detected vulnerability with ColdFusion and its admin portal.

So to achieve this quickly and consistently I developed the following PowerShell script.

It adds a deny rule at the server level and then removes the rule for the CF administration portal site.

The first two lines ensure that the web administration tools are imported in all versions of PowerShell.

I like my config to be in the central applicationhost.config file, which runs less risk of developers overwriting the config in a web.config file. The line

-pspath 'MACHINE/WEBROOT/APPHOST'

ensures the config is saved in the applicationhost.config file.

-location "CFAdminPortal"

This line ensures that the config is applied to the site called CFAdminPortal.

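# Load the IIS cmdlets: older versions ship them as a snap-in, newer ones as a module.
# Whichever form is not available on this server fails quietly.
Add-PSSnapin WebAdministration -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue

# Add request filtering: deny any URL containing /CFIDE at the server level
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering/denyUrlSequences" -name "." -value @{sequence='/CFIDE'}

# Remove request filtering for the CFIDE site (the admin portal still needs /CFIDE)
Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location "CFAdminPortal" -filter "system.webServer/security/requestFiltering/denyUrlSequences" -name "." -AtElement @{sequence='/CFIDE'}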
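
When the same change goes out to a number of servers, it helps to make it safe to re-run and to confirm the result per site. The following is an added example, not part of the original script; it assumes PowerShell 3.0 or later with the WebAdministration module, an elevated session, and the site name CFAdminPortal used above (the function name Test-DenySequence is made up for this example).

```powershell
# Added example (not the original author's script).
# Assumptions: PowerShell 3.0+, WebAdministration module, elevated session,
# and a site named CFAdminPortal as in the post.
Import-Module WebAdministration -ErrorAction Stop

$apphost   = 'MACHINE/WEBROOT/APPHOST'
$filter    = 'system.webServer/security/requestFiltering/denyUrlSequences'
$sequence  = '/CFIDE'
$adminSite = 'CFAdminPortal'

# Hypothetical helper: $true when the deny sequence is present in the
# effective configuration at the given configuration path.
function Test-DenySequence {
    param([string]$ConfigPath)
    $entries = (Get-WebConfiguration -PSPath $ConfigPath -Filter $filter).Collection
    [bool]($entries | Where-Object { $_.sequence -eq $sequence })
}

# Add the server-level deny only if it is missing; adding a duplicate
# collection entry raises an error, so an unguarded second run would fail.
if (-not (Test-DenySequence -ConfigPath $apphost)) {
    Add-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name '.' -Value @{ sequence = $sequence }
}

# Remove the inherited rule for the admin site only while it is still in effect there.
if (Test-DenySequence -ConfigPath "IIS:\Sites\$adminSite") {
    Remove-WebConfigurationProperty -PSPath $apphost -Location $adminSite -Filter $filter -Name '.' -AtElement @{ sequence = $sequence }
}

# Audit: every site except the admin portal should still deny /CFIDE.
$report = foreach ($site in Get-Website) {
    $denied   = Test-DenySequence -ConfigPath "IIS:\Sites\$($site.Name)"
    $expected = ($site.Name -ne $adminSite)
    [pscustomobject]@{
        Site     = $site.Name
        Denied   = $denied
        Expected = $expected
        Ok       = ($denied -eq $expected)
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'Unexpected /CFIDE request filtering state on at least one site.'
}
```

A site that shows Denied = False when it is not the admin portal usually means a web.config below it has removed or cleared the inherited sequence.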
