IIS: The configuration attribute notListedIsapisAllowed should be false

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2

Product/Feature: Internet Information Services

Severity: Error

Category: Security

Issue

The configuration attribute notListedIsapisAllowed in section system.webServer/security/isapiCgiRestriction is set to true.

Impact

Any unlisted ISAPI extension, including potentially malicious extensions, will be allowed to run.

Resolution

Set notListedIsapisAllowed to false and add each ISAPI extension to the list of allowed extensions.

The notListedIsapisAllowed attribute is a server-level setting. It is stored in the ApplicationHost.config file, on the <isapiCgiRestriction> element under <security> in the <system.webServer> section. To use IIS Manager to set the notListedIsapisAllowed attribute to false and to add an ISAPI extension to the list of allowed extensions, perform the following procedures.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To set the notListedIsapisAllowed attribute to false

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, select the computer you want to configure.

  4. In Features View, select ISAPI and CGI Restrictions. In the Actions pane, select Open Feature.

  5. In the Actions pane, select Edit Feature Settings.

  6. In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified ISAPI modules check box.

  7. Click OK to exit the Edit ISAPI and CGI Restrictions Settings dialog.

To add an ISAPI extension to the set of allowed extensions

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, select the computer you want to configure.

  4. In Features View, select ISAPI and CGI Restrictions. In the Actions pane, select Open Feature.

  5. In the Actions pane, select Add.

  6. In the Add ISAPI and CGI Restriction dialog, under ISAPI or CGI path, enter the file path of the ISAPI extension that you want to add, or click the ... button to browse to the ISAPI file location and select the ISAPI file.

  7. Under Description, enter the description you want for the ISAPI extension. Your description will appear in the Description column in the ISAPI and CGI Restrictions page in IIS Manager.

  8. Select the Allow extension path to execute check box. This will enable the ISAPI extension that you have selected.

  9. Click OK to exit the Add ISAPI and CGI Restriction dialog.

In IIS Manager, the Description column will display the description that you created for your ISAPI extension. The Restriction column will display Allowed, and the Path column will display the file path to the ISAPI that you specified.
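
The two IIS Manager procedures above can also be carried out from PowerShell. The following is an added example, not part of the original topic or Microsoft's own script; it assumes the WebAdministration module installed with IIS is available, and the extension path and description are hypothetical placeholders.

```powershell
# Added example. Run from an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'   # server level: ApplicationHost.config
$section = 'system.webServer/security/isapiCgiRestriction'

# Hypothetical values for illustration; replace with the extension you intend to allow.
$isapiPath   = 'C:\inetpub\isapi\example.dll'
$description = 'Example ISAPI extension'

# Refuse to list a file that is not present, so the allow list
# never contains entries for extensions that do not exist on disk.
if (-not (Test-Path -LiteralPath $isapiPath -PathType Leaf)) {
    throw "ISAPI extension not found: $isapiPath"
}

# Record the current value before changing it.
$before = (Get-WebConfigurationProperty -PSPath $apphost -Filter $section `
    -Name 'notListedIsapisAllowed').Value
Write-Output "notListedIsapisAllowed before: $before"

# Procedure 1: equivalent of clearing "Allow unspecified ISAPI modules".
Set-WebConfigurationProperty -PSPath $apphost -Filter $section `
    -Name 'notListedIsapisAllowed' -Value $false

# Procedure 2: allow one specific extension. Update the entry if the path
# is already listed (for example as Not Allowed), otherwise add it.
$entryFilter = "$section/add[@path='$isapiPath']"
if (Get-WebConfiguration -PSPath $apphost -Filter $entryFilter) {
    Set-WebConfigurationProperty -PSPath $apphost -Filter $entryFilter `
        -Name 'allowed' -Value $true
} else {
    Add-WebConfiguration -PSPath $apphost -Filter $section `
        -Value @{ path = $isapiPath; allowed = 'True'; description = $description }
}

# Review the result: the attribute and every listed extension.
$after = (Get-WebConfigurationProperty -PSPath $apphost -Filter $section `
    -Name 'notListedIsapisAllowed').Value
Write-Output "notListedIsapisAllowed after: $after"
Get-WebConfiguration -PSPath $apphost -Filter "$section/add" |
    Select-Object path, allowed, description | Format-Table -AutoSize
```

Review the final table for entries you do not recognize: with notListedIsapisAllowed set to false, that list is the complete set of ISAPI extensions the server will run.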