We are currently working on strengthening our SharePoint server. STIG V-76825 IISW-SI-000229 states that "double-encoded URL requests must be prohibited by any IIS 8.5 website". Basically, this means editing the Request Filtering feature settings in IIS and unchecking the Allow double escaping check box.
Will this limit SharePoint operations, given the source parameter is escaped and used in many operations? Or things like document names?
I have done some tests, but I do not have the means to test all possible SharePoint URLs, and I have not yet found a definitive answer by searching the Internet. If we have to leave it checked, I must have good documentation to explain why.