 

What file extensions are blocked by default in IIS

Some files are not served off of IIS because they are typically part of the building blocks of the website itself. For ASP.NET these are files like *.cs, *.dll, *.config, *.cshtml, etc.

You can find a list of them tied up in the IIS management setting "Filter requests" here:

Filter requests

But if you need to programmatically access this list, it seems tough to find. Is there a good list of these default extensions?

BTW, the IIS website has info on how to enable / disable these globally here:

http://www.iis.net/configreference/system.webserver/security/requestfiltering/fileextensions

Michael Kennedy asked Oct 10 '12 21:10


2 Answers

If I'm not mistaken, you'll find them in the root web.config of the machine:

%windir%\Microsoft.NET\Framework\framework_version\CONFIG

Which is also where you'll find the machine.config file.

e.g.

<add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

REF:

  • Technet: working with config files
  • KB: Use ASP.NET to Protect File Types

As to how you'd programmatically get to it - I haven't tried. The IIS_IUSRS built-in group has access to it and this doc expands on it.

Hth...

EdSF answered Oct 04 '22 20:10
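One way to read these settings programmatically, as an added example that is not part of either answer: it collects the `HttpForbiddenHandler` mappings from an `<httpHandlers>` section and the denied entries from the `<fileExtensions>` request-filtering section described at the iis.net link in the question. The function names are hypothetical and the XML strings are constructed samples in the shape of those sections; on a server you would pass the real files' contents instead.

```python
import xml.etree.ElementTree as ET

# Constructed samples; only the *.ascx line is quoted from the answer above.
ROOT_WEB_CONFIG = """<configuration><system.web><httpHandlers>
  <add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
  <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler, System.Web" />
  <add path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" validate="True" />
</httpHandlers></system.web></configuration>"""

SERVER_FILTERING = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".asax" allowed="false" />
    <add fileExtension=".cs" allowed="false" />
    <add fileExtension=".txt" allowed="true" />
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""

SITE_FILTERING = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions>
    <remove fileExtension=".cs" />
    <add fileExtension=".bak" allowed="false" />
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""


def forbidden_handler_paths(xml_text):
    """Path patterns that <httpHandlers> maps to HttpForbiddenHandler."""
    paths = set()
    for section in ET.fromstring(xml_text).iter("httpHandlers"):
        for add in section.iter("add"):
            # type may be assembly-qualified: "Namespace.Type, Assembly, ..."
            handler = add.get("type", "").split(",")[0].strip()
            if handler == "System.Web.HttpForbiddenHandler":
                paths.add(add.get("path", "").lower())
    return sorted(paths)


def denied_extensions(*layers):
    """Apply add/remove/clear per layer (server, then site); return denied."""
    state = {}  # extension -> allowed?
    for xml_text in layers:
        for section in ET.fromstring(xml_text).iter("fileExtensions"):
            for el in section:
                ext = el.get("fileExtension", "").lower()
                if el.tag == "clear":
                    state.clear()
                elif el.tag == "remove":
                    state.pop(ext, None)
                elif el.tag == "add":
                    state[ext] = el.get("allowed", "true").lower() == "true"
    return sorted(ext for ext, allowed in state.items() if not allowed)
```

Comparing the result for a site against the server-level result shows which default denials a site-level web.config has lifted.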


Here's the list I built out of the IIS UI since I couldn't find it anywhere. Hope you find it helpful.

disallowed extensions

.asax
.ascx
.master
.skin
.browser
.sitemap
.config
.cs
.csproj
.vb
.vbproj
.webinfo
.licx
.resx
.resources
.mdb
.vjsproj
.java
.jsl
.ldb
.dsdgm
.ssdgm
.lsad
.ssmap
.cd
.dsprototype
.lsaprototype
.sdm
.sdmDocument
.mdf
.ldf
.ad
.dd
.ldd
.sd
.adprototype
.lddprototype
.exclude
.refresh
.compiled
.msgx
.vsdisco
.rules
Michael Kennedy answered Oct 04 '22 21:10