IIS: Grant a handler execute/script or write permissions, but not both

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Product/Feature

Internet Information Services

Severity

Error

Category

Security

Issue

The attribute 'accessPolicy' in the handlers section under path '<ConfigurationPath>' is set to allow both Execute/Script and Write permissions.

  Example configuration path: 'MACHINE\WEBROOT\APPHOST\Default Web Site\My App'

Impact

When the handlers section grants both Execute/Script and Write permissions, content that can be written to the server through a handler can also be executed there, so a handler can be used to run malicious code on the target server.

Resolution

Determine if the handler requires both Execute/Script and Write permissions, and revoke the one that is not needed.

Important

You cannot make this configuration change by using IIS Manager.

To resolve this issue for a site or application, you must manually edit the accessPolicy attribute in the <handlers> section of the Web.config file for the site or application. To resolve this issue for a Web server, you must manually edit the attribute in the <handlers> section of the ApplicationHost.config file for the server. To edit the Web.config file or the ApplicationHost.config file by using Notepad, perform the following steps.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To manually edit the accessPolicy attribute

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Navigate to the location of the Web.config file or ApplicationHost.config file.

    a. To navigate to the default location of the Web.config file for the default Web site, type cd %systemdrive%\inetpub\wwwroot.

    b. To navigate to the default location of the ApplicationHost.config file, type cd %Windir%\system32\inetsrv\config.

  3. Type notepad web.config or notepad applicationhost.config.

  4. In Notepad, click Edit, click Find, and type handlers accessPolicy.

  5. Click Find Next.

  6. Click Cancel to exit the Find dialog.

  7. Edit the accessPolicy attribute of the <handlers> section so that Write is not present when Script or Execute is present. The following is an example.

    <handlers accessPolicy="Read, Script">

  8. Click File, then click Save.

  9. Click File, then click Exit.

Important

The accessPolicy attribute setting applies to all handlers in the <handlers> section.
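As an added example (not part of this topic and not an IIS tool), the following Python script performs the check this rule describes, offline, over a configuration fragment constructed for the example: it parses every <handlers> element in an ApplicationHost.config or Web.config document, including elements scoped by <location path="...">, and reports any accessPolicy that grants Write together with Script or Execute. It also shows how a single flag is revoked from an accessPolicy value while the remaining flags keep their canonical names. The embedded sample configuration and the function names are assumptions made for the example.

```python
"""Audit IIS configuration for a <handlers accessPolicy="..."> that grants
Write together with Script or Execute, the condition this BPA rule flags."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Flags the rule treats as "Execute/Script". Execute also implies Script.
CODE_FLAGS = {"script", "execute"}

# Canonical spelling of the accessPolicy flags, keyed by lower-case name.
CANONICAL = {
    name.lower(): name
    for name in ("Read", "Write", "Script", "Execute", "Source",
                 "NoRemoteRead", "NoRemoteWrite", "NoRemoteScript",
                 "NoRemoteExecute", "None")
}

# Constructed sample: a server-level policy of Read, Script (the IIS default)
# and an application scoped by <location> that also grants Write.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script" />
  </system.webServer>
  <location path="Default Web Site/My App">
    <system.webServer>
      <handlers accessPolicy="Read, Write, Script" />
    </system.webServer>
  </location>
</configuration>
"""


def parse_access_policy(value: str) -> set:
    """Split a comma-separated value such as 'Read, Script' into a set of
    lower-cased flag names, tolerating extra whitespace."""
    return {token.strip().lower() for token in value.split(",") if token.strip()}


def is_unsafe(policy: str) -> bool:
    """True when Write is combined with Script or Execute."""
    flags = parse_access_policy(policy)
    return "write" in flags and bool(flags & CODE_FLAGS)


def _walk(elem: ET.Element, scope: str, findings: List[Tuple[str, str]]) -> None:
    """Depth-first walk that tracks the enclosing <location path> so a
    finding can be reported against the site or application it applies to."""
    for child in elem:
        if child.tag == "location":
            _walk(child, child.get("path", ""), findings)
        elif child.tag == "handlers":
            policy = child.get("accessPolicy")
            if policy is not None and is_unsafe(policy):
                findings.append((scope, policy))
        else:
            _walk(child, scope, findings)


def find_unsafe_handlers(config_xml: str) -> List[Tuple[str, str]]:
    """Return (scope, accessPolicy) for each offending <handlers> element.
    scope is the <location path> value, or '' for the root section."""
    findings: List[Tuple[str, str]] = []
    _walk(ET.fromstring(config_xml), "", findings)
    return findings


def revoke(policy: str, flag: str) -> str:
    """Return the policy with one flag removed, preserving the order of the
    other flags and normalising known names to their canonical spelling."""
    kept = []
    for token in policy.split(","):
        token = token.strip()
        if not token or token.lower() == flag.lower():
            continue
        kept.append(CANONICAL.get(token.lower(), token))
    return ", ".join(kept) if kept else "None"


if __name__ == "__main__":
    for scope, policy in find_unsafe_handlers(SAMPLE_CONFIG):
        where = scope or "(root section)"
        print(f"{where}: accessPolicy=\"{policy}\" grants Write with Script/Execute")
        print(f"  if Write is not needed, set accessPolicy=\"{revoke(policy, 'Write')}\"")
```

To run it against a real file, replace SAMPLE_CONFIG with the contents of the Web.config or ApplicationHost.config file from step 2 of the procedure above; the revoke call shows the value to write back once you have decided, as the Resolution section requires, which of the two permissions the handler does not need.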

If you believe that the handler requires both Execute/Script and Write permissions, you can exclude the BPA non-compliance message from future scans by performing the following steps.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To exclude the BPA non-compliance message from future scans

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Server Manager and select Run as administrator.

  3. Expand Roles.

  4. Select Web Server (IIS).

  5. In the Best Practices Analyzer section, right-click the result that you want to exclude from future scans.

  6. Click Exclude Result.