Important Changes in ASP

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

ASP has undergone several important changes and enhancements to improve security and performance:

Note

To learn about new ASP features, see What's New in ASP.

  • ASP Pages are Disabled by Default

  • Using Parent Paths

  • The "Templates Cached" Performance Counter

  • Global.asa Events

  • ASP Metabase Properties Removed

  • ASP Debugging

ASP Pages are Disabled by Default

Important

To help minimize the attack surface of the server, IIS 6.0 is not installed on Windows Server 2003 by default. When you first install IIS 6.0, it is locked down -- which means that only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. None of the features that sit on top of IIS are turned on, including ASP, ASP.NET, CGI scripting, FrontPage® 2002 Server Extensions from Microsoft, and WebDAV publishing. If you do not enable these features, IIS returns a 404 error. You can enable these features through the Web Service Extensions node in IIS Manager. For more information about how to troubleshoot 404 errors and other issues, see Troubleshooting in IIS 6.0.

Using Parent Paths

As a security precaution, the AspEnableParentPaths Metabase Property setting is now set to 0 by default. This affects your application if it has a Web page that contains the #include server-side include directive and uses ".." notation to refer to a parent directory.
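To find pages affected by this default before migrating, you can scan ASP source for #include directives that use ".." notation. The following is an added example, not part of the original article; the function names and the sample page are constructed for illustration.

```python
import re

# Matches ASP server-side include directives, for example:
#   <!-- #include file="..\shared\header.inc" -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]*)"\s*-->',
    re.IGNORECASE,
)

def uses_parent_path(path):
    """Return True if any path segment is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]+", path)

def find_parent_path_includes(source):
    """Return (line_number, attribute, path) for each #include that uses '..'."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for attr, path in INCLUDE_RE.findall(line):
            if uses_parent_path(path):
                hits.append((lineno, attr.lower(), path))
    return hits

# Constructed sample page (hypothetical paths, not from the original article).
SAMPLE_ASP = r'''<%@ Language=VBScript %>
<!-- #include file="..\shared\header.inc" -->
<!-- #include virtual="/shared/menu.inc" -->
<!--#INCLUDE FILE="../../lib/db.inc"-->
<!-- #include file="footer..inc" -->
<% Response.Write "Hello" %>
'''

if __name__ == "__main__":
    for lineno, attr, path in find_parent_path_includes(SAMPLE_ASP):
        print(f'line {lineno}: #include {attr}="{path}" uses a parent path')
```

Includes flagged this way can be rewritten to use virtual paths from the site root, which keeps AspEnableParentPaths at its default of 0.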

The "Templates Cached" Performance Counter

The AspTemplatesCached performance counter now counts the number of cached ASP files, both on disk and in memory. In previous versions, because there was no disk-based caching, this counter referred only to the in-memory cache. There is also a new counter called AspInMemoryTemplatesCached that reflects the number of ASP pages in the memory cache; it's the number of templates cached in total memory.

Global.asa Events

Earlier versions of ASP executed events in the security context (or user identity) of the host process because during these events there is no user context. This caused problems such as access denied errors when writing to a file in the Session_OnEnd event. By default, ASP now runs the global.asa events Application_OnEnd and Session_OnEnd anonymously. This can be controlled by the metabase setting AspRunOnEndAnonymously.

ASP Metabase Properties Removed

The following metabase settings are no longer used by ASP, even though they are still in the metabase for compatibility with existing administration scripts:

  • AspAllowOutOfProcComponents Metabase Property

  • AspTrackThreadingModel Metabase Property

  • AspExceptionCatchEnable Metabase Property

ASP Debugging

Because the worker process, W3WP, runs as the Network Service account in IIS 6.0 worker process isolation mode, you must configure Launch and Access permissions to enable ASP debugging for Script Debugger and Visual InterDev. For more information, see Enabling ASP Debugging.