By default, IIS 7.0 answers the OPTIONS and TRACE methods. Neither is needed by a normal web application: OPTIONS advertises the methods the server accepts, and TRACE echoes the request back to the client (the basis of cross-site tracing), so scanners flag both. We recommend disabling them.
The environment used below is Windows Server 2008 with IIS 7.0.
Method (1): web.config
Add the following under the <configuration> node of the site's web.config:
<system.webServer>
  <security>
    <requestFiltering>
      <verbs allowUnlisted="false">
        <add verb="GET" allowed="true"/>
        <add verb="POST" allowed="true"/>
        <add verb="HEAD" allowed="true"/>
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
The preceding configuration allows only the GET, POST and HEAD methods; every other verb, including OPTIONS and TRACE, is rejected by request filtering.
allowUnlisted="false": reject any verb that is not explicitly listed. If the application needs further verbs (for example PUT or DELETE for a REST API, or the WebDAV verbs), add them with their own <add verb="..." allowed="true"/> entry, otherwise they will be blocked as well.
Method (2): IIS 7.0 Manager --> "Authorization Rules"
Add "Allow" and "Deny" rules; a rule can be limited to specific verbs.
Method (3): IIS 7.0 --> applicationHost.config
File path: C:\Windows\System32\inetsrv\config\applicationHost.config
Rather than editing the file by hand, use appcmd.exe (located in %windir%\System32\inetsrv) to change the request filtering section.
To configure how IIS handles unlisted verbs, use the following syntax:
appcmd set config /section:requestFiltering /verbs.allowUnlisted:true|false
For example, to reject unlisted verbs, type the following command at the command prompt and press Enter:
appcmd set config /section:requestFiltering /verbs.allowUnlisted:false
To configure a verb to be filtered, use the following syntax:
appcmd set config /section:requestFiltering /+verbs.[verb='string',allowed='true|false']
Variable: verb string
Description: specifies the verb to which this restriction applies.
For example, to specify that GET is allowed, type the following command at the command prompt and press Enter:
appcmd set config /section:requestFiltering /+verbs.[verb='GET',allowed='true']
Repeat the command for POST and HEAD, then confirm the result with appcmd list config /section:requestFiltering.
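Whichever of the three methods is used (web.config in Method 1 or applicationHost.config in Method 3), the result is a requestFiltering/verbs section, and the thing worth checking afterwards is which verbs the server still accepts. The following script is an added example, not code from the original page or from Microsoft: it evaluates a configuration fragment the way IIS applies the allowUnlisted flag and the explicit <add verb=...> entries (verbs compared case-insensitively, allowUnlisted defaulting to true when absent), and it can probe a live server with each verb to confirm the configuration from the outside. The two configuration samples, the verb list and the host/port used by the probe are constructed for the example.

```python
"""Check which HTTP verbs an IIS 7 site accepts, from its configuration and from the wire.

effective_verbs(): parse a web.config or applicationHost.config fragment and apply the
requestFiltering/verbs rules (allowUnlisted plus explicit <add verb=.. allowed=..> entries).
probe_verbs():     send each verb to a live server and record the status code.
"""
import http.client
import xml.etree.ElementTree as ET

# Constructed list of verbs worth checking; TRACE and OPTIONS are the ones the page disables.
PROBE_VERBS = ("GET", "HEAD", "POST", "OPTIONS", "TRACE", "PUT", "DELETE")

# Constructed sample: the hardened web.config from this page (only GET/POST/HEAD allowed).
HARDENED_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true"/>
          <add verb="POST" allowed="true"/>
          <add verb="HEAD" allowed="true"/>
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: a weaker variant that keeps allowUnlisted="true" and only denies TRACE,
# so OPTIONS, PUT and DELETE remain reachable.
DENY_ONLY_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false"/>
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def verb_rules(config_xml):
    """Return (allow_unlisted, {VERB: allowed}) from the first requestFiltering/verbs element.

    IIS defaults are allowUnlisted="true" with no explicit entries, so a configuration
    without a <verbs> element accepts every verb.
    """
    root = ET.fromstring(config_xml)
    verbs = root.find(".//requestFiltering/verbs")
    if verbs is None:
        return True, {}
    allow_unlisted = verbs.get("allowUnlisted", "true").lower() == "true"
    rules = {}
    for entry in verbs.findall("add"):
        # Verb matching in request filtering is case-insensitive; normalise to upper case.
        rules[entry.get("verb", "").upper()] = entry.get("allowed", "true").lower() == "true"
    return allow_unlisted, rules


def verb_allowed(config_xml, verb):
    """True if request filtering would let `verb` through under this configuration."""
    allow_unlisted, rules = verb_rules(config_xml)
    return rules.get(verb.upper(), allow_unlisted)


def effective_verbs(config_xml, candidates=PROBE_VERBS):
    """The subset of `candidates` the configuration accepts, in the given order."""
    return tuple(v for v in candidates if verb_allowed(config_xml, v))


def probe_verbs(host, port=80, path="/", verbs=PROBE_VERBS, timeout=5):
    """Send each verb to host:port and return {VERB: HTTP status}. Needs a reachable server."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(verb, path)
            results[verb] = conn.getresponse().status
        finally:
            conn.close()
    return results


def accepted_from_probe(results):
    """Verbs the server answered with a non-error status.

    IIS request filtering rejects a denied verb with 404 (substatus 404.6), so anything
    below 400 means the verb is still being served.
    """
    return tuple(v for v, status in results.items() if status < 400)


if __name__ == "__main__":
    print("hardened config allows:", effective_verbs(HARDENED_CONFIG))
    print("deny-only config allows:", effective_verbs(DENY_ONLY_CONFIG))
    # Against a real server (constructed host name):
    # print(accepted_from_probe(probe_verbs("iis.example.internal")))
```

Run the configuration check against the site's web.config before deploying it, then run the probe against the server afterwards: after Method 1 or Method 3 has been applied, TRACE and OPTIONS should come back as 404 and only GET, HEAD and POST should appear in the accepted list.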