Does Esri maintain a list of file name extensions that must be allowed in order for GIS services (e.g. map, feature, geocode, etc.) to function properly? My organization now requires certain IIS hardening settings to improve security. One requirement is to disable "allow unlisted file name extensions" under request filtering in IIS Manager. Unfortunately that breaks all our GIS services. My hope is that adding additional file name extensions to what is already allowed will fix the problem. Any advice?
Portal for ArcGIS and its underlying processes use many custom file extensions. Access to these file extensions is limited when the 'Allow unlisted file name extensions', 'Allow unlisted verbs', and 'Allow high-bit characters' options are disabled in the Request Filtering section of IIS Manager. Group policy dictates the enabled/disabled settings in IIS Manager, and they may be disabled for security purposes.
I believe, unfortunately, disallowing unlisted file name extensions in IIS could be discouraged for now.
You may check ArcGIS Enterprise Implementation Guidance for best practices (security) when deploying ArcGIS Enterprise.
I dislike this KB. It will be ignored by those who require web server hardening. A better resource would include a list of custom extensions that can be allowed rather than a statement saying essentially "don't harden your web server".
Does Esri have any resource that would list out the extensions (* some files might not have any extension at all) that would ensure ArcGIS Enterprise works through the IIS hardening?
Yes, I provided it to OP via PM. It's in a raw format and not yet ready for public. It is current as of 10.8.1.
It was compiled of this list:
plus the output of this command:
Then filtered for extensions that should not be allowed (e.g., executables, config files, etc.).
@RandallWilliams thank you for the list of file name extensions and all your help so far. Unfortunately adding your list of allowed file types did not resolve my problem where GIS services (e.g. map, feature, etc.) are not working with "allow unlisted file name extensions" disabled in IIS.
I think it's because many of the requests to a GIS service don't really have a file extension. Here is an example:
Does anyone know if "extensionless" requests like that are blocked when unlisted file types are disallowed? If so, is there a solution?
I've seen suggestions online to include a wildcard ("*") as one of the allowed file types, but to me that would defeat the purpose of disabling the setting in the first place.
Hi @BonnieCecil.
@RandallWilliams sent me a list of file extension exceptions that are needed if you want to run Portal with "allow unlisted file extensions" disabled. That was a bit overkill for my purpose. I'm just running stand-alone ArcGIS Server. All I really needed was to add "." for the extensionless requests and ".css" so the REST service directory displayed correctly. Later I had to add a few more exceptions due to outputs from print services (e.g. ".pdf", ".png", ".svg", ".jpg", etc). That was about it for me. I won't swear that is comprehensive, but it's been working in production for us for a few months.
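
The allow-list described in the post above, written out as an added PowerShell example (not part of the original thread and not Esri's own script). It assumes the Web Adaptor is hosted under a site named "Default Web Site", that the WebAdministration module is available, and that it is run from an elevated session; the extension list is only what the post names.

```powershell
# Added example: apply the allow-list from the post above to one IIS site.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'   # assumption: site hosting the Web Adaptor
$filter = 'system.webServer/security/requestFiltering/fileExtensions'

# Extensions named in the post:
#   "."     requests with no file extension (most REST service calls)
#   ".css"  styling for the REST services directory
#   others  output files produced by print services
$allow = '.', '.css', '.pdf', '.png', '.svg', '.jpg'

# Add the allow entries first, so nothing is blocked in the window
# between the two changes.
foreach ($ext in $allow) {
    $entry = Get-WebConfiguration -PSPath $site `
        -Filter "$filter/add[@fileExtension='$ext']"

    if (-not $entry) {
        # Name '.' addresses the collection itself, so this appends an <add> element.
        Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
            -Value @{ fileExtension = $ext; allowed = $true }
    }
    elseif (-not $entry.allowed) {
        # An explicit deny already exists (possibly inherited); do not override it silently.
        Write-Warning "$ext is explicitly denied for $site; entry left unchanged."
    }
}

# Only now turn off "Allow unlisted file name extensions".
Set-WebConfigurationProperty -PSPath $site -Filter $filter `
    -Name 'allowUnlisted' -Value $false

# Report the effective settings for review.
$unlisted = (Get-WebConfigurationProperty -PSPath $site -Filter $filter `
    -Name 'allowUnlisted').Value
Write-Output "allowUnlisted = $unlisted"
Get-WebConfiguration -PSPath $site -Filter "$filter/add" |
    Where-Object { $_.allowed } |
    Select-Object fileExtension, allowed
```

Requests that request filtering rejects for their extension are logged by IIS as 404 with substatus 7, which is the quickest way to spot an extension still missing from the list.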