Enabling Only Essential Web Service Extensions

  • Article

Applies To: Windows Server 2003, Windows Server 2003 with SP1

If your Web sites and applications that are hosted on IIS 6.0 have extended functionality beyond static Web pages, including the ability to generate dynamic content, any dynamic content served or extended features provided by the Web server are done through Web service extensions.

For security reasons, you can enable or disable individual Web service extensions in IIS 6.0. After a new installation, IIS serves only static content. You can enable dynamic content capabilities, such as ASP.NET, Server-Side Includes, Web Distributed Authoring and Version (WebDAV) publishing, and FrontPage 2002 Server Extensions, in the Web Service Extensions node in IIS Manager.

For example, one of your applications might use a custom Internet Server API (ISAPI) extension to provide access to a proprietary database. First, you need to add the custom ISAPI extension to the Web service extensions list. Then you can set the ISAPI extension that is used by the application to Allowed, explicitly granting it permission to run.

Enabling all of the Web service extensions ensures the highest possible compatibility with existing applications, regardless of whether you enable each of the Web service extensions individually or change the status of All Unknown ISAPI Extensions to Allowed. However, enabling all of the Web service extensions creates a security risk because it increases the attack surface of the Web server by enabling functionality that might be unnecessary for your server.

Web service extensions allow you to enable and disable the serving of dynamic content. MIME types allow you to enable and disable the serving of static content.

Tip

If the appropriate Web service extension is not enabled, the Web server returns a 404 error to the client when attempting to serve the dynamic content. When the 404 error is returned as a result of a Web service extension not being enabled, a 404.2 error entry is placed in the IIS log. For more information about troubleshooting IIS, see Troubleshooting in IIS 6.0.

Configure the Web service extensions by completing the following steps:

  1. Enable the essential predefined Web service extensions based on the information in Table 3.1.

    Table 3.7   Predefined Web Service Extensions

    Web Service Extension Description

    Active Server Pages

    Enable this extension when one or more of the Web sites and applications contains ASP content.

    ASP.NET version 1.1.4322

    Enable this extension when one or more of the Web sites and applications contains ASP.NET content.

    FrontPage Server Extensions 2002

    Enable this extension when one or more of the Web sites use FrontPage Server Extensions.

    Internet Data Connector

    Enable this extension when one or more of the Web sites and applications uses the Internet Data Connector (IDC) to display database information (content includes .idc and .idx files).

    Server-Side Includes

    Enable this extension when one or more of the Web sites use server-side include (SSI) directives to instruct the Web server to insert various types of content into a Web page.

    WebDAV

    Enable this extension when you want to support WebDAV on the Web server. This Web service extension is not recommended on a dedicated Web server.

  2. For each Web service extension that is used by your Web sites and applications and that is not one of the default Web service extensions, add a new entry to the Web service extensions list and configure the status of the new entry to Allowed. For information about how to add a Web service extension to the list, see Configure Web Service Extensions.

  3. Use a Web browser on a client computer to verify that the Web sites and applications function properly on the server.