Uploading Files to an IIS 7.5 Web Server

When attempting to upload a file to an IIS web server using the HTTP PUT command, the transfer fails with a 404 error. The server administrator had used the IIS Lockdown Tool to secure the server.

More Information

The PUT command is disabled by default because it can present a security risk. It is a command that has to be specifically enabled by the server administrator. If the IIS Lockdown Tool has been used to secure the server, this will prevent the PUT command from being used, returning a 404 error (forbidden).

The IIS Lockdown Tool sets an access control entry to Deny for all users (Everyone) on the file c:\windows\system32\inetsrv\httpext.dll. You can check the permissions for this file using Windows Explorer, right-clicking on the file and select Properties, then Security and click on Advanced. If there is a “Deny” setting for Everyone, users will be unable to upload files using the PUT command. To enable uploads, you must clear that setting and give all users read and execute access to the file.

The URLScan utility can be used to control which verbs (commands) are allowed. If the PUT command is not allowed, then you’ll get a 404 error when you try to upload a file. You can enable the PUT command by opening the c:\windows\system32\inetsrv\urlscan\urlscan.ini file in an editor. If the UseAllowVerbs variable is set to 0 then make sure that the PUT command is not in the DenyVerbs section. If UseAllowVerbs is set to 1, make sure the PUT command is in the AllowVerbs section.

Note that you must restart IIS for these changes to take effect.

See Also

Microsoft TechNet: IIS Lockdown Tool
Microsoft TechNet: URLScan Security Tool


Share This
Facebooktwittergoogle_plus