Enabling Only the Required ISAPI Extensions
IIS 6.0 provides support for ISAPI extensions, which allows third parties to extend IIS request processing by returning responses for specific content types. IIS 7.0 replaces ISAPI extensions with IIS 7.0 modules as the preferred mechanism for extending IIS. However, IIS 7.0 continues to support ISAPI extensions for backward compatibility reasons.
Note: To enable ISAPI extensions to work on IIS 7.0, the ISAPI Extensions role service must be installed. This role service installs the IsapiModule module, which provides support for hosting ISAPI extensions. If this module is removed, ISAPI extensions will not be loaded. This role service is not enabled by default, but it is enabled when ASP.NET is installed.
Today, dynamic application framework technologies frequently use ISAPI extensions to interface with IIS. Therefore, it is likely that if you are using dynamic application technologies, you will need to use ISAPI extensions. For example, both ASP.NET (for Classic mode applications) and ASP are implemented as ISAPI extensions.
If your Web server uses ISAPI extensions, to minimize the Web server surface area you should ensure that only the required ISAPI extensions are enabled.

Note: You must be a server administrator to enable ISAPI extensions.
To properly configure ISAPI extensions, you should take the following steps:

1. If your Web server uses ISAPI extensions, install the ISAPI Extensions role service. Without this role service, the ISAPI extensions will not be loaded, and requests to resources mapped to ISAPI extensions will return errors.
2. If your Web server does not use ISAPI extensions, do not install the ISAPI Extensions role service. This eliminates the possibility of unwanted ISAPI extensions being configured on your server.
3. Configure the allowed ISAPI extensions. Each ISAPI extension must be allowed to execute on the server before it can be used. You can use IIS Manager to configure all ISAPI extensions that are allowed to execute on the server. Doing so is explained in more detail later in this section. Exercise extreme caution when allowing third-party ISAPI extensions and be sure you trust their source. Installing untrusted or buggy ISAPI extensions can compromise the security of the Web server or negatively affect its reliability.
4. Configure the desired handler mappings. To use ISAPI extensions, you need to create handler mappings that map allowed ISAPI extensions to specific content types in your application.
You must explicitly allow any ISAPI extension that has to execute on your server. When you allow a specific ISAPI extension path, any application on the server can load this extension, if the server configures a handler mapping to this extension. Table 1 specifies the common ISAPI extensions and when they are installed.

Table 1. Common ISAPI Extensions

ISAPI Extension     | Default State | When Installed
--------------------|---------------|-------------------------------------
Active Server Pages | Allowed       | ASP role service is installed
ASP.NET v1.1.4322   | Not Allowed   | .NET Framework v1.1 SP1 is installed
ASP.NET v2.0.50727  | Allowed       | ASP.NET role service is installed
On IIS 6.0, you have to explicitly allow the ISAPI extensions corresponding to ASP and ASP.NET 2.0. On IIS 7.0, these ISAPI extensions are automatically allowed when you install the corresponding role services. In addition, only ASP.NET applications running in Classic mode use the ASP.NET 2.0 ISAPI extension. It is a more reliable practice to use the roles or features wizards to control the availability of these features, instead of allowing or not allowing them in the ISAPI and CGI Restrictions. However, you still need to manually enable the ISAPI extension for ASP.NET v1.1.
On IIS 6.0, you can allow an ISAPI extension in the Web Service Extension Restriction List. On IIS 7.0, you can use IIS Manager to do this by clicking the Web server node in the tree view and then double-clicking ISAPI And CGI Restrictions to open the feature shown in Figure 3.

To add a new ISAPI extension, click Add in the Actions pane and then enter the exact path of the ISAPI extension. If you would like to allow the ISAPI extension to execute, check the Allow Extension Path To Execute check box. You can also allow or deny existing extensions.

In addition to using IIS Manager, you can also edit the system.webServer/security/isapiCgiRestriction configuration section directly by using the Appcmd command line tool or with another configuration API.
Enabling Only the Required CGI Programs
IIS 7.0 continues to support CGI programs as one of the ways to extend the functionality of the Web server.
Note: To enable CGI programs to work on IIS 7.0, the CGI role service must be installed. This role service installs the CgiModule module, which provides support for launching CGI programs. If this module is removed, CGI programs will not be usable. This role service is not enabled by default.
By default, IIS 7.0 does not provide any CGI programs, so they should be used only if your application uses third-party CGI programs. If it does, you should ensure that only the required CGI programs are allowed to minimize the Web server surface area.

Note: You must be a server administrator to allow CGI programs.
To properly configure CGI programs, you should take the following steps:

1. If your Web server uses CGI programs, install the CGI role service. Without this role service, the CGI programs will not be launched, and requests to resources mapped to CGI programs will return errors.
2. If your Web server does not use CGI programs, do not install the CGI role service. This eliminates the possibility of unwanted CGI programs being configured on your server.
3. Configure the allowed CGI programs. Each CGI program must be allowed to execute on the server before it can be used. You can use IIS Manager to configure all CGI programs that are allowed to execute on the server. This is explained in more detail later in this section. Exercise extreme caution when allowing third-party CGI programs and be sure you trust their source. Installing untrusted or buggy CGI programs can compromise the security of the Web server or negatively affect its reliability.
4. Configure the desired handler mappings. To use CGI programs, you need to create handler mappings that map allowed CGI programs to specific content types in your application.
Similar to ISAPI extensions, you must explicitly allow any CGI program that has to execute on your server. When you allow a specific CGI program path, this CGI program can be launched by any application on the server that configures a handler mapping to this CGI program. Each allowed CGI program entry must specify the full path and arguments exactly as they are specified in the corresponding handler mapping; otherwise the entry does not match and the program is not allowed. CGI programs are allowed in the ISAPI and CGI Restrictions feature, similar to the process described in the section titled “Enabling Only the Required ISAPI Extensions” earlier in this chapter.
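The two rules above (an allowed entry must match the handler mapping's path and arguments exactly, and an allowed entry is usable by any application that maps a handler to it) make the ISAPI and CGI Restrictions list something worth auditing against the handler mappings. The script below is an added example, not code from the book or from Microsoft: it parses the system.webServer/security/isapiCgiRestriction and system.webServer/handlers sections of an applicationHost.config and reports bypass flags, allowed entries that no handler references, and handlers whose scriptProcessor has no exactly matching allowed entry. The sample configuration, the paths in it and the handler names are constructed; the case-insensitive comparison is this example's assumption.

```python
"""Audit IIS 7.0 ISAPI/CGI restrictions against handler mappings.

Added example (not from the IIS documentation). Findings:
  - bypass flags that let unlisted ISAPI extensions or CGI programs run,
  - allowed entries that no handler mapping references (surface area that
    can be set to allowed="false" or removed),
  - handler mappings whose scriptProcessor has no exactly matching allowed
    entry (requests to those mappings fail until the entry is added).
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration; paths and handler names are illustrative only.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <security>
      <isapiCgiRestriction notListedIsapisAllowed="false" notListedCgisAllowed="false">
        <add path="%windir%\system32\inetsrv\asp.dll" allowed="true" groupId="ASP" description="Active Server Pages" />
        <add path="%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll" allowed="false" description="ASP.NET v1.1.4322" />
        <add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" allowed="true" description="ASP.NET v2.0.50727" />
        <add path="C:\inetpub\isapi\legacy.dll" allowed="true" description="Legacy ISAPI extension (constructed)" />
        <add path="C:\Perl\bin\perl.exe &quot;%s&quot; %s" allowed="true" description="Perl CGI (constructed)" />
      </isapiCgiRestriction>
    </security>
    <handlers>
      <add name="ASPClassic" path="*.asp" verb="GET,HEAD,POST" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" />
      <add name="PageHandlerFactory-ISAPI-2.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness32" />
      <add name="PerlCGI" path="*.pl" verb="GET,POST" modules="CgiModule" scriptProcessor="C:\Perl\bin\perl.exe %s %s" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Handlers served by these modules are subject to the ISAPI and CGI Restrictions.
RESTRICTED_MODULES = {"IsapiModule", "CgiModule"}


def _norm(path):
    """Normalise a path-plus-arguments string for comparison.

    IIS compares the whole string, arguments included. Folding case is this
    example's assumption, because Windows paths are case-insensitive.
    """
    return path.strip().lower()


def parse_config(xml_text):
    """Return (bypass_flags, allow_list, handlers) from the config text."""
    root = ET.fromstring(xml_text)
    restr = next(root.iter("isapiCgiRestriction"))
    bypass = {
        name: restr.get(name, "false").lower() == "true"
        for name in ("notListedIsapisAllowed", "notListedCgisAllowed")
    }
    allow_list = {
        _norm(add.get("path", "")): add.get("allowed", "false").lower() == "true"
        for add in restr.findall("add")
    }
    handlers = []
    # iter() also picks up <handlers> blocks nested under <location> elements.
    for section in root.iter("handlers"):
        for add in section.findall("add"):
            if set(add.get("modules", "").split(",")) & RESTRICTED_MODULES:
                handlers.append((add.get("name"), _norm(add.get("scriptProcessor", ""))))
    return bypass, allow_list, handlers


def audit(xml_text):
    """Return the findings as a dict of sorted lists."""
    bypass, allow_list, handlers = parse_config(xml_text)
    referenced = {sp for _, sp in handlers}
    return {
        # A 'true' here means the allow list no longer limits surface area.
        "bypass_enabled": sorted(k for k, v in bypass.items() if v),
        # Allowed but never mapped: candidates for allowed="false" or removal.
        "allowed_unused": sorted(p for p, ok in allow_list.items() if ok and p not in referenced),
        # Mapped but not allowed with an exact match: the mapping will fail.
        "handler_not_allowed": sorted(n for n, sp in handlers if not allow_list.get(sp, False)),
    }


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        print(f"{kind}: {items}")
```

Run against the sample, the script flags the legacy extension and the Perl entry as allowed-but-unused and the PerlCGI handler as not allowed, because the allowed entry carries quoted arguments while the handler mapping does not: a one-character difference is enough for the exact-match rule. On a real server, point it at %windir%\system32\inetsrv\config\applicationHost.config, or export the section with `appcmd list config /section:system.webServer/security/isapiCgiRestriction`.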
Enabling Only the Required FastCGI Programs
IIS 7.0 supports hosting FastCGI programs by using the FastCGI feature, which provides a more reliable way to host many application frameworks than CGI does.

Note: To enable FastCGI programs to work on IIS 7.0, the CGI role service must be installed. This role service installs the FastCgiModule module, which provides support for launching FastCGI programs. If this module is removed, FastCGI programs will not be usable. This role service is not enabled by default.
By default, IIS 7.0 does not provide any FastCGI programs, so they should be used only if your application uses third-party FastCGI programs. If so, to minimize the Web server surface area, you should ensure that only the required FastCGI programs are allowed.

Note: You must be a server administrator to allow FastCGI programs.
To properly configure FastCGI programs, you should take the following steps:

1. If your Web server uses FastCGI programs, install the CGI role service. Without this role service, the FastCGI programs will not be usable, and requests to resources mapped to FastCGI programs will return errors.
2. If your Web server does not use FastCGI programs, do not install the CGI role service. This eliminates the possibility of unwanted FastCGI programs being configured on your server.
3. Configure the allowed FastCGI programs. Each FastCGI program must be allowed to execute on the server before it can be used. Though there is no IIS Manager support for configuring FastCGI programs that are allowed to execute on the server, you can do this by editing the system.webServer/fastCgi configuration section. Exercise extreme caution when allowing third-party FastCGI programs and be sure you trust their source. Installing untrusted or buggy FastCGI programs can compromise the security of the Web server or negatively affect its reliability.
4. Configure the desired handler mappings. To use FastCGI programs, you need to create handler mappings that map allowed FastCGI programs to specific content types in your application.
Unlike ISAPI extensions and CGI programs, FastCGI programs are not allowed through the ISAPI and CGI Restrictions feature. Instead, in the system.webServer/fastCgi configuration section, you need to create an entry for each allowed FastCGI program.
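Because the fastCgi section has no allowed="true"/"false" flag, an <application> entry's mere presence is what permits the program, and a FastCGI handler mapping refers to it through its scriptProcessor value (the program's full path, or "fullPath|arguments" when the program takes arguments). The check below is an added example, not code from the book or from Microsoft: it matches each FastCgiModule handler mapping against the fastCgi entries and lists handlers with no entry (they fail at request time) and entries with no handler (allowed programs nobody uses). The sample configuration, its paths and handler names are constructed, and the case-insensitive comparison is this example's assumption.

```python
"""Check IIS 7.0 FastCGI handler mappings against system.webServer/fastCgi.

Added example (not from the IIS documentation). A FastCGI program is
permitted by having an <application> entry; the handler's scriptProcessor
("fullPath" or "fullPath|arguments") must match that entry's fullPath and
arguments exactly.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration; paths and handler names are illustrative only.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <fastCgi>
      <application fullPath="C:\PHP\php-cgi.exe" arguments="" maxInstances="4" instanceMaxRequests="10000" />
      <application fullPath="C:\Python27\python.exe" arguments="C:\inetpub\wfastcgi.py" maxInstances="4" />
      <application fullPath="C:\tools\old-fcgi.exe" arguments="" maxInstances="1" />
    </fastCgi>
    <handlers>
      <add name="PHP_via_FastCGI" path="*.php" verb="*" modules="FastCgiModule" scriptProcessor="C:\PHP\php-cgi.exe" resourceType="Either" />
      <add name="Python_via_FastCGI" path="*" verb="*" modules="FastCgiModule" scriptProcessor="C:\Python27\python.exe|C:\inetpub\wfastcgi.py" />
      <add name="Ruby_via_FastCGI" path="*.rb" verb="*" modules="FastCgiModule" scriptProcessor="C:\Ruby\bin\ruby-fcgi.exe|-d" />
    </handlers>
  </system.webServer>
</configuration>
"""


def _key(full_path, arguments):
    """Comparison key: (fullPath, arguments), case-folded (assumption of this example)."""
    return (full_path.strip().lower(), arguments.strip().lower())


def fastcgi_applications(root):
    """Set of (fullPath, arguments) keys for every <application> entry in <fastCgi>."""
    return {
        _key(app.get("fullPath", ""), app.get("arguments", ""))
        for section in root.iter("fastCgi")
        for app in section.findall("application")
    }


def fastcgi_handlers(root):
    """List of (handler name, key) for every handler served by FastCgiModule."""
    out = []
    for section in root.iter("handlers"):
        for h in section.findall("add"):
            if "FastCgiModule" not in h.get("modules", "").split(","):
                continue
            # scriptProcessor is "fullPath" or "fullPath|arguments".
            full_path, _, arguments = h.get("scriptProcessor", "").partition("|")
            out.append((h.get("name"), _key(full_path, arguments)))
    return out


def audit_fastcgi(xml_text):
    """Return handlers lacking a fastCgi entry and entries no handler references."""
    root = ET.fromstring(xml_text)
    apps = fastcgi_applications(root)
    handlers = fastcgi_handlers(root)
    referenced = {k for _, k in handlers}
    return {
        # Requests to these mappings fail until a matching <application> is added.
        "handler_without_entry": sorted(n for n, k in handlers if k not in apps),
        # Permitted programs nobody maps to: remove them to shrink surface area.
        "entry_unused": sorted(f"{path}|{args}" for path, args in apps - referenced),
    }


if __name__ == "__main__":
    for kind, items in audit_fastcgi(SAMPLE_CONFIG).items():
        print(f"{kind}: {items}")
```

On the sample this reports the Ruby handler as having no fastCgi entry and the old-fcgi.exe entry as unused. Running the same check after each change to the fastCgi section is a simple way to keep the list of permitted FastCGI programs equal to the set your handler mappings actually need.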