Services Products About Us Case Studies Clients
Modern Signal
Modern Signal Home Page
Lighthouse on beach About Us
Offering a full range of development services: strategy, design, application programming, database development
News & Recents Projects

Disabling Script Execution in a Directory in IIS7

Last night I was trying to disable script execution in the uploads folder of a site running in IIS (Windows 2008).  It is also running ColdFusion, which turned out to be important.  I ran into a couple problems.

The first was that I had no idea how to do that in IIS7.  I knew how to do it in IIS6, but everything is different in IIS7.  I thought I would be able to just find it, but after poking around for a while, I gave up and ran to Google.  Turns out the new location to set this is in Handler Mappings.  If you go to the Handler Mappings feature for a directory and click on "Edit Feature Permissions...", you can uncheck the "Script" permission.

So I did that, and I thought I was done, but then I noticed that not only could I not run scripts from the directory, but trying to access a static file, such as a gif, also gave me a "403 Access Denied" message.  Strange.

It turns out that ColdFusion installs a wildcard script map, which means that it is set up to handle all files, even static ones.  I don't know what the reason for this is (and I would love to find out if anybody knows), but it was getting in the way of the default static file handler.  I had to remove that handler for the directory in order for the static files to be served properly.

Posted on July 28, 2009 11:14:36 AM EDT by David Hammond

Comments

David Hammond's Globally Recognized Avatar One update. I just had to do this again, and I noticed that this time the second step (removing the CF mapping) was not necessary. Disabling scripts for the directory automatically disabled all of the script-related mappings. Not sure if IIS has been patched since I tried this last, or if there was something else different in the circumstances, but there you are.

Posted on February 2, 2010 11:15:05 AM EST by David Hammond

Doug's Globally Recognized Avatar Thank you for the information!! I appreciate it.
It's exactly the same situation for me... IIS & CF.
It essentially makes it a dead directory to execute anything, including displaying images directly in that directory, but accessing from other directories is perfect.

Posted on February 22, 2010 7:58:15 PM EST by Doug

vdub's Globally Recognized Avatar I have the same proble and am looking at the handler mappings. Is the CF the one that says STATICFILES with *? Can I just disable that one?

Posted on March 15, 2010 10:20:46 AM EDT by vdub

David Hammond's Globally Recognized Avatar I should have been more specific. The mapping that ColdFusion uses is actually named something like "AboMapperCustom-71305919" with a path of "*". That needs to be removed.

Posted on March 15, 2010 10:47:13 AM EDT by David Hammond

Asha's Globally Recognized Avatar HI,

I just tried disabling script permissions for a directory IIS7 but my wildcard handler mapping doesnt get disbaled for some reason.Can you please let me know if you know of any such behaviour.

Thanks,
Asha.

Posted on May 19, 2010 8:32:46 AM EDT by Asha

Topics for this page:
January 2012 --

Charm City Run updates its site to include new Baltimore location. This site-wide project included refreshing header images with photos of customers and events, expanding the site navigation to include a new resources section, and enhancing ways for customers to interact through Charm City Run's many social media channels.

Charm City Run website

October 2011 -- Society for Developmental Biology launches SDB Collaborative Resources (CoRe), an online reference database of peer-reviewed images, movies, and diagrams for learning and teaching developmental biology.
September 2011 -- Millmark launches site for ConceptLinks Inquiry, a subscription-based online curriculum targeted at earth, life, and physical science concepts for grades 2-8.
September 2011 -- The 2012 International Builders’ Show website launches, unveiling the 2012 design and new tools for highlighting community sponsorships, special show events, and featured exhibitors. The site also includes expanded interactive features for attendees and exhibitors, including polls, logistics management tools, and social media.
August 2011 -- Modern Signal awarded contract to rebrand, redesign and develop new phase of PSLawnet.org, a comprehensive directory of legal public sectors jobs postings.
Copyright 2004-2012 Modern Signal, LLC