IIS Allow Unlisted File Name Extensions

05-03-2021 10:40 AM
MattFancher1
New Contributor III

Does Esri maintain a list of file name extensions that must be allowed in order for GIS services (e.g. map, feature, geocode, etc.) to function properly? My organization now requires certain IIS hardening settings to improve security. One requirement is to disable "allow unlisted file name extensions" under request filtering in IIS manager. Unfortunately that breaks all our GIS services. My hope is that adding additional file name extensions to what is already allowed will fix the problem. Any advice? 

0 Kudos
8 Replies
JayantaPoddar
MVP Esteemed Contributor

According to Problem: Unable to connect to basic functionality in Portal for ArcGIS 

Portal for ArcGIS and its underlying processes use many custom file extensions. Access to these file extensions is limited when the 'Allow unlisted file name extensions', 'Allow unlisted verbs', and 'Allow high-bit characters' options are disabled in the Request Filtering section of IIS Manager. Group policy dictates the enabled/disabled settings in IIS Manager, and they may be disabled for security purposes.

I believe, unfortunately, disallowing unlisted file name extensions in IIS could be discouraged for now.

You may check ArcGIS Enterprise Implementation Guidance for best practices (security) when deploying ArcGIS Enterprise.



Think Location
0 Kudos
RandallWilliams
Esri Regular Contributor

I dislike this kB. It will be ignored by those who require web server hardening. A better resource would include a list of custom extensions that can be allowed rather than a statement saying essentially "don't harden your web server".

0 Kudos
JayantaPoddar
MVP Esteemed Contributor

That's true.

Does Esri have any resource that would list out the extensions (* some files might not have any extension at all) that would ensure ArcGIS Enterprise works through the IIS hardening?



Think Location
0 Kudos
RandallWilliams
Esri Regular Contributor

Yes, I provided it to OP via PM. It's in a raw format and not yet ready for public. It is current as of 10.8.1.

It was compiled of this list:

https://enterprise.arcgis.com/en/portal/latest/use/supported-items.htm

plus the output of this command:

https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-use-windows-powershell-to-pick-...

 

Then filtered for extensions that should not be allowed (e.g. executables, config files, etc.)

 

MattFancher1
New Contributor III

@RandallWilliams thank you for the list of file name extensions and all your help so far. Unfortunately adding your list of allowed file types did not resolve my problem where GIS services (e.g. map, feature, etc.) are not working with "allow unlisted file name extensions" disabled in IIS.

I think it's because many of the requests to a GIS service don't really have a file extension. Here is an example:

https://gisweb.columbus.gov/arctest/rest/info?f=json

Does anyone know if "extensionless" requests like that are blocked when unlisted file types are disallowed? If so, is there a solution?

I've seen suggestions online to include a wildcard ("*") as one of the allowed file types, but to me that would defeat the purpose of disabling the setting in the first place.

0 Kudos
BonnieCecil
New Contributor

@Matt was this ever resolved? I'm interested to learn if you were ever successful with this.

0 Kudos
MattFancher1
New Contributor III

Hi @BonnieCecil.

@RandallWilliams sent me a list of file extension exceptions that are needed if you want to run Portal with "allow unlisted file extensions" disabled. That was a bit overkill for my purpose. I'm just running stand-alone ArcGIS Server. All I really needed was to add "." for the extensionless requests and ".css" so the REST service directory displayed correctly. Later I had to add a few more exceptions due to outputs from print services (e.g. ".pdf", ".png", ".svg", ".jpg", etc). That was about it for me. I won't swear that is comprehensive, but it's been working in production for us for a few months.
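Added example, not part of any post in this thread and not Esri code: one way to find which extensions a site actually needs is to count the requests that IIS request filtering rejected with HTTP 404.7 (file extension denied) in the W3C log, treating extensionless paths as "." as in the post above. It assumes the log includes the `sc-substatus` field; the sample log lines and every path other than `/arctest/rest/info` are constructed for illustration.

```python
import posixpath
from collections import Counter

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status
2021-05-03 14:40:01 GET /arctest/rest/info f=json 404 7 0
2021-05-03 14:40:02 GET /arctest/rest/static/main.css - 404 7 0
2021-05-03 14:40:03 GET /arctest/rest/services - 404 7 0
2021-05-03 14:40:04 GET /arctest/rest/directories/arcgisoutput/map_1.pdf - 404 7 0
2021-05-03 14:40:05 GET /arctest/rest/static/logo.png - 200 0 0
2021-05-03 14:40:06 GET /arctest/missing.css - 404 0 2
"""


def denied_extensions(log_text):
    """Count extensions of requests rejected with 404.7 (file extension denied)."""
    fields, counts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Only request-filtering extension denials; a plain 404.0 is a missing file.
        if (row.get("sc-status"), row.get("sc-substatus")) != ("404", "7"):
            continue
        # Extension of the last path segment; the query string is a separate field.
        ext = posixpath.splitext(row.get("cs-uri-stem", ""))[1].lower()
        counts[ext or "."] += 1  # "." stands for extensionless requests
    return counts


if __name__ == "__main__":
    for ext, hits in denied_extensions(SAMPLE_LOG).most_common():
        print(f"{ext}\t{hits}")
```

Each extension reported this way is a candidate to review before adding it to the allowed list, not something to allow automatically.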

BonnieCecil
New Contributor

Thank you - that information is helpful.

0 Kudos