Restrictive MIME Types Reduce the Attack Surface of IIS
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
To help prevent attackers from retrieving files that could compromise the security of your Web server, the IIS static file handler serves only files whose extensions are explicitly listed in the Multipurpose Internet Mail Extensions (MIME) types list. IIS is preconfigured with a default set of global MIME types that apply to all of the Web sites that you create with IIS.
If the default list of registered MIME types is too restrictive and you want to allow IIS to serve other file types, you can add allowable MIME types on a global basis or for a specific Web site or directory.
For more information about MIME types, see Working with MIME Types.
Allowing All Extensions
In IIS 5.0, if a request fell through the static file handler, IIS served the file, regardless of its extension. IIS 6.0 does not automatically serve file requests that fall through the static file handler. Although it is not generally recommended as a best security practice, you might want to allow all file extensions in some scenarios — for example, if you want to serve files that have ascending extensions such as .001, .002, and so on. If you want to serve all files, you can add a wildcard character (*) to the MIME types list. Files that do not have extensions can be served only if the wildcard character is added to the list.
You can add a wildcard character through IIS Manager, or you can add one programmatically by using the Adsutil.vbs command-line script. For information about adding a wildcard character through IIS Manager, see Creating Global MIME Types and Creating MIME Types for a Web site or directory.
To add a wildcard programmatically by using Adsutil.vbs, use the customizable text file provided in Listing 5.1.
Important: You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights, and then type cscript.exe ScriptName (include the script's full path and any known parameters).
Listing 5.1 Sample Script for Adding Wildcards
c:\inetpub\adminscripts\adsutil.vbs set /w3svc/MimeMap ".*,common/type"

Sample

' VBScript source code
Const ADS_PROPERTY_UPDATE = 2
Set MimeMapObj = GetObject("IIS://LocalHost/MimeMap")
aMimeMap = MimeMapObj.GetEx("MimeMap")
' Add a new mapping.
i = UBound(aMimeMap) + 1
ReDim Preserve aMimeMap(i)
Set aMimeMap(i) = CreateObject("MimeMap")
aMimeMap(i).Extension = ".*"
aMimeMap(i).MimeType = "common/type"
MimeMapObj.PutEx ADS_PROPERTY_UPDATE, "MimeMap", aMimeMap
MimeMapObj.SetInfo
For more information about using adsutil.vbs, see Using the Adsutil.vbs Administration Script.
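The following audit script is an added example, not part of the original listing or of IIS itself. It reuses the ADSI calls shown in Listing 5.1 to list the MIME map at a metabase path, flag a ".*" wildcard entry (which widens the attack surface as described above), and optionally write the list back without it; the site path IIS://LocalHost/W3SVC/1/Root is an assumed example of a location with a local override.

```vbscript
' Added audit example, not from the page: reuses the ADSI calls of Listing 5.1
' to list a MIME map and flag the ".*" wildcard that makes IIS 6.0 serve any
' extension. The path argument is optional; IIS://LocalHost/W3SVC/1/Root is an
' assumed example of a site path with a local override. Run with cscript.exe.
Const ADS_PROPERTY_UPDATE = 2
' Returns the MimeMap array at path, or an empty array when none is set there.
Function GetMappings(path)
    Dim obj
    On Error Resume Next
    Set obj = GetObject(path)
    GetMappings = obj.GetEx("MimeMap")
    If Err.Number <> 0 Then GetMappings = Array()
    On Error GoTo 0
End Function
' True when a ".*" wildcard mapping is present at path.
Function HasWildcard(path)
    Dim entry
    HasWildcard = False
    For Each entry In GetMappings(path)
        If LCase(entry.Extension) = ".*" Then HasWildcard = True
    Next
End Function
' Writes the list back without ".*", restoring the restrictive default behavior.
Sub RemoveWildcard(path)
    Dim obj, entry, kept(), n
    n = -1
    For Each entry In GetMappings(path)
        If LCase(entry.Extension) <> ".*" Then
            n = n + 1
            ReDim Preserve kept(n)
            Set kept(n) = entry
        End If
    Next
    If n < 0 Then ReDim kept(-1)
    Set obj = GetObject(path)
    obj.PutEx ADS_PROPERTY_UPDATE, "MimeMap", kept
    obj.SetInfo
End Sub
' Report every mapping at the requested path (global map by default).
Dim metabasePath, entry
metabasePath = "IIS://LocalHost/MimeMap"
If WScript.Arguments.Count > 0 Then metabasePath = WScript.Arguments(0)
For Each entry In GetMappings(metabasePath)
    WScript.Echo entry.Extension & vbTab & entry.MimeType
Next
If HasWildcard(metabasePath) Then
    WScript.Echo "WARNING: wildcard .* mapping found at " & metabasePath
End If
```

Run it read-only first; call RemoveWildcard on the flagged path only after confirming that no application depends on serving unlisted extensions.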