topic Re: IIS Allow Unlisted File Name Extensions in Esri Software Security & Privacy Questions

IIS Allow Unlisted File Name Extensions

MattFancher1 — Mon, 03 May 2021 17:40:54 GMT

Does Esri maintain a list of file name extensions that must be allowed in order for GIS services (e.g. map, feature, geocode, etc.) to function properly? My organization now requires certain IIS hardening settings to improve security. One requirement is to disable "allow unlisted file name extensions" under request filtering in IIS manager. Unfortunately that breaks all our GIS services. My hope is that adding additional file name extensions to what is already allowed will fix the problem. Any advice?

Re: IIS Allow Unlisted File Name Extensions

JayantaPoddar — Mon, 03 May 2021 19:37:12 GMT

According to Problem: Unable to connect to basic functionality in Portal for ArcGIS

Portal for ArcGIS and its underlying processes use many custom file extensions. Access to these file extensions is limited when the 'Allow unlisted file name extensions', 'Allow unlisted verbs', and 'Allow high-bit characters' options are disabled in the Request Filtering section of IIS Manager. Group policy dictates the enabled/disabled settings in IIS Manager, and they may be disabled for security purposes.

I believe, unfortunately, disallowing unlisted file name extensions in IIS could be discouraged for now.

You may check ArcGIS Enterprise Implementation Guidance for best practices (security) when deploying ArcGIS Enterprise.

Re: IIS Allow Unlisted File Name Extensions

RandallWilliams — Mon, 03 May 2021 19:29:17 GMT

I dislike this kB. It will be ignored by those who require web server hardening. A better resource would include a list of custom extensions that can be allowed rather than a statement saying essentially "don't harden your web server".

Re: IIS Allow Unlisted File Name Extensions

JayantaPoddar — Mon, 03 May 2021 19:39:20 GMT

That's true.

Does Esri have any resource that would list out the extensions (* some files might not have any extension at all) that would ensure ArcGIS Enterprise works through the IIS hardening?

Re: IIS Allow Unlisted File Name Extensions

RandallWilliams — Mon, 03 May 2021 19:48:43 GMT

Yes, I provided it to OP via PM. Its in a raw format and not yet ready for public. It is current as to 10.8.1.

It was compiled of this list:

https://enterprise.arcgis.com/en/portal/latest/use/supported-items.htm

plus the output of this command:

https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-use-windows-powershell-to-pick-out-the-unique-file-extensions-used-in-a-collection-of-files/

Then filtered for extensions that should not be allowed (eg: executables, config files, etc.)

Re: IIS Allow Unlisted File Name Extensions

MattFancher1 — Tue, 04 May 2021 12:42:15 GMT

@RandallWilliams thank you for the list of file name extensions and all your help so far. Unfortunately adding your list of allowed file types did not resolve my problem where GIS services (e.g. map, feature, etc.) are not working with "allow unlisted file name extensions" disabled in IIS.

I think it's because many of the requests to a GIS service don't really have a file extension. Here is an example:

https://gisweb.columbus.gov/arctest/rest/info?f=json

Does anyone know if "extensionless" requests like that are blocked when unlisted file types are disallowed? If so, is there a solution?

I've seen suggestions online to include a wildcard ("*") as one of the allowed file types, but to me that would defeat the purpose of disabling the setting in the first place.

Re: IIS Allow Unlisted File Name Extensions

BonnieCecil — Mon, 04 Oct 2021 15:38:24 GMT

@Mattwas this ever resolved? I'm interested to learn if you were ever successful with this.

Re: IIS Allow Unlisted File Name Extensions

MattFancher1 — Tue, 05 Oct 2021 15:06:18 GMT

Hi @BonnieCecil .

@RandallWilliams sent me a list of file extension exceptions that are need if you want to run Portal with "allow unlisted file extensions" disabled. That was a bit overkill for my purpose. I'm just running stand-alone ArcGIS Server. All I really needed was to add "." for the extensionless requests and ".css" so the REST service directly displayed correctly. Later I had to add a few more exceptions due to outputs from print services (e.g. ".pdf", ".png", ".svg", ".jpg", etc). That was about it for me. I won't swear that is comprehensive, but it's been working in production for us for a few months.

Re: IIS Allow Unlisted File Name Extensions

BonnieCecil — Wed, 06 Oct 2021 00:25:00 GMT

Thank you - that information is helpful.