How to disable ASP script execute permissions on iis7

2 comments

On any website that includes folders with WRITE permissions (eg an uploads folder) it is ESSENTIAL to block scripts from running for that folder. Otherwise a hacker could potentially upload an ASP file or GCI script and then run it.

 

IIS 6 - Directory Properties

In IIS6 or below you would open the properties dialog for that folder in IIS manager then on the directory tab under application settings you would change the combo-box next to "Execute Permission" and set it to "none".

 

IIS 7 - Handler Mappings
In IIS 7 this is included in the Handler Mappings section.

1.Open IIS Manager and navigate to the folder you want to manage. This should be done for all folders that have WRITE permissions enabled (ie attachments folder and database folder for a MS Access database).

2.In Features View, on the folder double-click Handler Mappings. (This could also be done at server or site level)

3.In the Actions pane on the right, click Edit Feature Permissions.

4.In the Edit Feature Permissions dialog box, do the following:

Select Read to enable handlers that require read access or clear Read to disable handlers that require read access to a virtual directory.

Select Scripts to enable handlers that require script rights or clear Scripts to disable handlers that require script rights in a virtual directory.

Select Execute to enable handlers that require execute rights or clear Execute to disable handlers that require execute rights in a virtual directory. The Execute option is enabled only when Scripts is selected.

 

Content mostly from ServerFault

IIS

Comments


Leave a Comment