Configuring Web Service Extensions

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Many Web sites and applications hosted on IIS include dynamic content and other enhanced capabilities. Providing dynamic content and other enhanced capabilities requires executable code, such as ASP, ASP.NET, and Internet Server API (ISAPI) extensions. The handlers that extend IIS functionality beyond serving static pages are known as Web service extensions.

Because of the enhanced security features in IIS 6.0, you can enable or disable individual Web service extensions. After upgrade, all of the Web service extensions are enabled except for the extensions that are mapped to 404.dll by the IIS Lockdown Tool. If you did not run the IIS Lockdown Tool prior to upgrade, all of the Web service extensions are enabled.

The Windows Server 2003 upgrade creates a permission entry for Web service extensions, which enables all of the Web service extensions that are not explicitly prohibited. Enabling all of the Web service extensions ensures the highest possible compatibility with your Web sites. However, doing this creates a security risk by enabling functionality that might not be necessary for your server, which increases the attack surface of the server.

Note

Web service extensions allow you to enable and disable the serving of dynamic content. Multipurpose Internet Mail Extensions (MIME) types allow you to enable and disable the serving of static content. For more information about enabling and disabling the serving of static content, see Configuring MIME Types.

Configure the Web service extensions after upgrade by completing the following steps:

  1. Configure the Web service extensions list so that the following entries, which enable all Web service extensions, are set to Prohibited:

    • All Unknown Common Gateway Interface (CGI) Extensions

    • All Unknown ISAPI Extensions

    For information about how to prohibit a Web service extension, see Configure Web Service Extensions.

  2. Enable the essential predefined Web service extensions based on the information in Table 5.7.

    Table 5.7   Predefined Web Service Extensions

    | Web Service Extension | Enable When |
    |---|---|
    | Active Server Pages | One or more of the Web sites or applications contains ASP content. |
    | ASP.NET version 1.1.4322 | One or more of the Web sites or applications contains ASP.NET content. |
    | FrontPage Server Extensions 2002 | One or more of the Web sites are FrontPage extended. |
    | Internet Data Connector (IDC) | One or more of the Web sites or applications uses the IDC to display database information (content includes .idc and .idx files). |
    | Server-Side Includes | One or more of the Web sites uses server-side include (SSI) directives to instruct the Web server to insert various types of content into a Web page. |
    | Web Distributed Authoring and Versioning (WebDAV) | You want to support WebDAV on the Web server. Not recommended for dedicated Web servers. |

  3. For each Web service extension that is used by your applications and is not one of the default Web service extensions, add a new entry to the Web service extensions list and configure the status of the new entry to Allowed.

    For example, one of your applications might use an ISAPI extension to provide access to a proprietary database. Add the ISAPI extension to the Web service extensions list, and then configure the status of the ISAPI extension to Allowed.

    For information about how to add a Web service extension and enable the extension, see Configure Web Service Extensions.

  4. Use a Web browser on a client computer to verify that the Web sites and applications run on the server.
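
The following audit script is an added example, not part of the original documentation. It checks an exported Web service extensions list against the steps above: the two catch-all entries must be Prohibited, and only extensions the applications need should be Allowed. It assumes the IIS 6.0 metabase property WebSvcExtRestrictionList with entries of the form AllowDenyFlag,Path,UIDeletableFlag,GroupID,Description; the sample data, the DBGATE extension, and the function names are constructed for illustration.

```python
# Added example: audit an IIS 6.0 Web service extensions list.
# Assumed entry format: AllowDenyFlag,Path[,UIDeletableFlag,GroupID,Description]
# Flag 1 = Allowed, 0 = Prohibited. "*.dll" and "*.exe" are the catch-all entries.
CATCH_ALL = {"*.dll": "All Unknown ISAPI Extensions",
             "*.exe": "All Unknown CGI Extensions"}

# Constructed sample: post-upgrade state with catch-alls still enabled, plus a
# hypothetical custom ISAPI extension (DBGATE). Paths are illustrative.
SAMPLE = r"""1,*.dll
1,*.exe
1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
1,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV
0,C:\WINDOWS\system32\inetsrv\ssinc.dll,0,SSINC,Server Side Includes
1,D:\apps\dbgate\dbgate.dll,1,DBGATE,Proprietary database gateway
"""

def parse(text):
    """Turn the multi-line list into dicts; reject malformed entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",", 4)  # description may itself contain commas
        if len(parts) < 2 or parts[0] not in ("0", "1"):
            raise ValueError("malformed entry: %r" % line)
        parts += [""] * (5 - len(parts))  # catch-alls carry only flag and path
        entries.append({"allowed": parts[0] == "1", "path": parts[1],
                        "group": parts[3], "desc": parts[4]})
    return entries

def audit(entries, required_groups):
    """Return (action, name) findings for steps 1-3 of the procedure."""
    findings, seen_allowed = [], set()
    for e in entries:
        key = e["path"].lower()
        if key in CATCH_ALL:
            if e["allowed"]:  # step 1: catch-alls must be Prohibited
                findings.append(("PROHIBIT", CATCH_ALL[key]))
        elif e["allowed"]:
            seen_allowed.add(e["group"])
            if e["group"] not in required_groups:  # step 2: not needed
                findings.append(("REVIEW", e["group"] or e["path"]))
    for g in sorted(required_groups - seen_allowed):  # steps 2-3: needed, not on
        findings.append(("ENABLE", g))
    return findings

if __name__ == "__main__":
    for action, name in audit(parse(SAMPLE), {"ASP", "SSINC", "DBGATE"}):
        print(action, name)
```

An empty findings list means the list matches the allowlist; step 4 (browser verification) is still required, because the script cannot tell whether the applications actually work.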