IIS: The configuration attribute notListedCgisAllowed should be false

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2

Product/Feature: Internet Information Services

Severity: Error

Category: Security

Issue

The configuration attribute notListedCgisAllowed in section system.webServer/security/isapiCgiRestriction is set to true.

Impact

Any unlisted CGI extension, including potentially malicious extensions, will be allowed to run.

Resolution

Set notListedCgisAllowed to false and add each CGI extension to the allowed list.

The notListedCgisAllowed attribute is a server-level setting that is located in the ApplicationHost.config file in the <isapiCgiRestriction> element of the <system.webServer> section under <security>. To use IIS Manager to set the notListedCgisAllowed attribute to false and to add a CGI extension to the list of allowed extensions, perform the following procedures.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To set the notListedCgisAllowed attribute to false

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, select the computer you want to configure.

  4. In Features View, select ISAPI and CGI Restrictions. In the Actions pane, select Open Feature.

  5. In the Actions pane, select Edit Feature Settings.

  6. In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified CGI modules check box.

  7. Click OK to exit the Edit ISAPI and CGI Restrictions Settings dialog.

To add a CGI extension to the set of allowed extensions

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, select the computer you want to configure.

  4. In Features View, select ISAPI and CGI Restrictions. In the Actions pane, select Open Feature.

  5. In the Actions pane, select Add.

  6. In the Add ISAPI and CGI Restriction dialog, under ISAPI or CGI path, enter the file path of the CGI extension that you want to add, or click the ... button to browse to the CGI file location and select the CGI file.

  7. Under Description, enter the description you want for the CGI extension. Your description will appear in the Description column in the ISAPI and CGI Restrictions page in IIS Manager.

  8. Select the Allow extension path to execute check box. This will enable the CGI extension that you have selected.

  9. Click OK to exit the Add ISAPI and CGI Restriction dialog.

In IIS Manager, the Description column will display the description that you created for your CGI extension. The Restriction column will display Allowed, and the Path column will display the file path to the CGI extension that you specified.
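
The same two procedures can be scripted from an elevated PowerShell session with the WebAdministration module. This is an added example, not part of the original topic; the CGI path and description are placeholders to replace with your own values.

```powershell
# Added example: audit and correct isapiCgiRestriction at server level.
# Run from an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST'   # server-level scope (ApplicationHost.config)
$filter = 'system.webServer/security/isapiCgiRestriction'

# Placeholder values (assumptions): substitute the CGI executable you actually use.
$cgiPath        = 'C:\inetpub\cgi-bin\example.exe'
$cgiDescription = 'Example CGI (placeholder)'

# 1. Report the current setting so the change is visible in the session log.
$current = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
            -Name 'notListedCgisAllowed').Value
Write-Output "notListedCgisAllowed before change: $current"

# 2. Equivalent of clearing "Allow unspecified CGI modules".
if ($current) {
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter `
        -Name 'notListedCgisAllowed' -Value $false
}

# 3. Equivalent of Add + "Allow extension path to execute".
#    Skip the add when an entry for this path already exists, because
#    a duplicate path in the collection is a configuration error.
$existing = Get-WebConfiguration -PSPath $psPath `
                -Filter "$filter/add[@path='$cgiPath']"
if (-not $existing) {
    Add-WebConfiguration -PSPath $psPath -Filter $filter -Value @{
        path        = $cgiPath
        allowed     = $true
        description = $cgiDescription
    }
}

# 4. Verify: the attribute should now be False, and every listed entry
#    should be one you recognize and intend to allow.
$after = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
          -Name 'notListedCgisAllowed').Value
Write-Output "notListedCgisAllowed after change: $after"
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Select-Object path, allowed, description
```

Review the final listing before relying on it: any entry with allowed set to True that you do not recognize will still run after the attribute is set to false.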