What can I do here?
Use this window to configure the web server's level of protection against Command injection.
Getting Here - Object Explorer > New > Host > Servers > Select Web Server > Web Server > Protections > Select Command Injection > Advanced |
Attack Description
Command injection attacks allow a remote attacker to execute operating system commands disguised as a URL or form input to a Web server. A successful system command execution can provide a remote attacker with administrative access to a Web server. This could result in damage such as defacement of the Web site, data theft, or data loss.
Web Security Protection
Web Security looks for the presence of system commands in Web forms and URLs sent to a protected server. The protection looks for several categories of commands: distinct system commands, non-distinct system commands, and special system characters (e.g.,;[ ]<>&\t). Strings that are unique to system commands, not likely to appear in common language, and often used in command injection are considered distinct (e.g., "chown", "regsvr32", etc.), while strings that may appear in common language are considered non-distinct (e.g., "format", "convert", etc.).
Note - The security level can be set in this window only when the Protection Scope is set to Apply to all HTTP traffic.