IIS Request Filtering Whitelist and SharePoint 2013

In IT security, whitelist and blacklist is always an everlasting debate. It’s like the causality “which came first, the chicken or the egg?” Folks say that whitelist is more controllable than blacklist. When you do whitelist, you allow things and believe those things to be safe to you. Folks, on the other hand, protect by pointing out that blacklist is more effective. With blacklist, you are to identify what need to be avoided to protect your system.

You might want to read about Intranet Collaboration Security in SharePoint Part 1Part 2Part 3

The client I’m currently working for picks whitelist and has asked me to make a list of allowed file extensions through IIS Request Filtering in SharePoint 2013 environment. This article is going to clarify a few things I have experienced during the implementation of whitelist for file extension in SharePoint.

IIS Request Filtering is a built-in feature that contains several options to secure web application against common web attack techniques, such as SQL Injection, XSS. File extension filtering is one of the options allowing you to control what file extensions you allow or deny when IIS receives request. You can find <fileExtension> element in global IIS configuration applicationHost.config (C:WindowsSystem32inetsrvconfig). The blacklist is set by default with <allowUnlisted = “true”>. This basically means all file extensions listed in the element are not allowed. If you want to make a whitelist, you need to change to false then provide the list of file extensions to be allowed. Let’s start an example in SharePoint scenario.

When you open a SharePoint landing page, your browser sends to IIS a request to retrieve some SharePoint built-in files. These files include normal CSS file (corev15.css) to render the page. Let’s say if CSS file extension is not in the whitelist in IIS Request Filtering. The landing page can’t fully render. This means all requests to retrieve SharePoint CSS file are denied.

Another example is trying to download an uploaded file in SharePoint library. If its extension is not in the whitelist, you will receive an HTTP 404.7 error because IIS blocks the request to the file.

In SharePoint, we have a feature named Block File Type that can be configured in Central Administration. It is quite different from IIS Request Filtering but people sometimes are a bit confused. This feature provides you the ability to restrict file extension from whether being uploaded or download in SharePoint. If you try to upload a file whose extension is blocked, you will encounter SharePoint error, even you use attachment method. See the result below after I tried attaching SharePoint_Setup.exe to a list item.

Similarly, you can’t download a file that is blocked.

When uploading to SharePoint, no matter what file extensions being added to the whitelist in IIS, SharePoint only checks file extension in the Block File Type list then allow or block accordingly. The similarity between IIS Request Filtering and Block File Type is the GET method. If an extension is both added to IIS whitelist and SharePoint Block File Type, the final result will come out from SharePoint. IIS checks the whitelist prior to SharePoint. The flow below would explain a little more.

 Gotchas and Consideration

The blacklist is set out by default. It, however, doesn’t matter if your SharePoint web application doesn’t inherit request filtering settings. Once the request filtering is applied to specific web application (Configure Editor, select system.webServer/security/requestFiltering section then click Revert to Parent), there are some gotchas and considerations for whitelist.

  • Add *.ascx as it is to call SharePoint controls. Blocking *.ascx causes unloading query on user in People Picker.

You may ask as to why *.ascx is in the blacklist by default but your SharePoint is still working. The reason is the default global setting of request filtering is not applied to your web application until you configure to inherit.

  • If you use whitelist, make sure you fully test as many files as possible that make your SharePoint work.
  • If you have theme packaged by Design Manager, it may include *.themedcss and *.themedpng.
  • Back up applicationHost.config and web.config file every time before making changes on them. If you don’t, reverting back to original state wouldn’t be possible even you run Farm Configuration Wizard.
  • If your SharePoint farm has multiple web front-end machines, you must apply the setting on every machine.

You might need to read determine your web front-end server article.

  • If you happen to see HTTP 404 (namely 404.7) error when opening root site (http://abc.com/) or site contain explicit URL after making a whitelist, chances are IIS blocks your request. Check if <add fileExtension = “.” allowed =”true”> in the list.
  • Make sure there is no duplicate made in the IIS whitelist and SharePoint Block File Type.

Below is the list that would make SharePoint work. Note that there are archiving types (RAR, ZIP) or video types in accordance with the requirement. They may not be applicable to your environment.

  • aspx (Web page extension)
  • asp (Web page extension)
  • html (Web page extension)
  • htm (Web page extension)
  • . (To handle root site or explicit URL (e.g. https://contoso.com/sites/portal)
  • js (JavaScript files)
  • axd (ScriptResources.axd is to reduce the size of script files)
  • ascx (SharePoint Control file)
  • ashx (Get localization resources from SharePoint as JavaScript object. Ribbon can’t load if this extension is denied)
  • css (CSS extension)
  • json (JavaScript Object Notation)
  • svc ( SharePoint WCF Web Service extension)
  • dll (DLL extension)
  • asmx (SharePoint Web Service extension)
  • webpart (SharePoint Web Part extension)
  • cab (SharePoint package cabinet extension)
  • xml (XML extension)
  • csv (CSV file extension)
  • txt (Text file extension)
  • gif (Photo extension)
  • png (Photo extension)
  • jpg (Photo extension)
  • jpeg (Photo extension)
  • bmp (Photo extension)
  • spcolor (SharePoint color palette file extension)
  • spfont (SharePoint font file extension)
  • preview (Master page preview file extension)
  • xsd (Used to validate XML)
  • master (SharePoint Master Page extension)
  • eot (SharePoint Font File Type extension)
  • woff (SharePoint Font File Type extension)
  • odttf (SharePoint Font File Type extension)
  • svg (XML-based vector image extension)
  • htc (HTML file with some XML elements defined inside)
  • xap (Silverlight extension)
  • sql (SQL Server Transaction-Script extension)
  • xsn (InfoPath)
  • doc (MS Office Word extension)
  • docx (MS Office Word extension)
  • xlsx (MS Office Excel extension)
  • xls (MS Office Excel extension)
  • vsd (MS Office Visio extension)
  • vdx (MS Office Visio extension)
  • ppt (MS Office PowerPoint extension)
  • pptx (MS Office PowerPoint extension)
  • mpp (Microsoft Office Project extension)
  • mp4 (Video extension)
  • wmv (Video extension)
  • flv (Video extension)
  • avi (Video extension)
  • themedcss (CSS extension in Design Manager package)
  • themedpng (Photo extension in Design Manager package)

If you know any missing file extensions, please feel free to comment or contact me at thuan@outlook.com. Your contribution would be very much appreciated.


  1. SP Peter
    November 14, 2014 — 9:18 pm

    Great write-up Thuan. We have faced many issues with request Filtering due to highly security policy.

Leave a Reply

© 2018 The Soldier of Fortune.