How to Configure Execute Permissions in IIS 7 to Block Script Execution on Specific Folders


4 views

Unlike IIS 6 where execute permissions were controlled through a simple dropdown in folder properties, IIS 7 and later versions implement this functionality through the Handler Mappings feature in the Request Processing section.

<configuration>
  <system.webServer>
    <handlers>
      <remove name="ASPClassic" />
      <remove name="PageHandlerFactory-ISAPI-2.0" />
    </handlers>
  </system.webServer>
</configuration>
  1. Open IIS Manager and navigate to your target folder
  2. Double-click Handler Mappings
  3. In the Actions pane, click Open Feature
  4. For each script handler (ASP, ASP.NET, PHP, etc.), select and click Remove

For granular control, use this web.config snippet to disable specific handlers:

<location path="RestrictedFolder">
  <system.webServer>
    <handlers accessPolicy="Read" />
  </system.webServer>
</location>

Create a test.asp file in your restricted folder with this content:

<% Response.Write("This should not execute") %>

Attempt to access it - you should receive a 404.7 or 403 error if configuration is correct.

In IIS6 and earlier versions, administrators could easily restrict script execution by setting the "Execute Permissions" to "None" in the directory properties. This was particularly useful for upload directories or folders containing static content that shouldn't process server-side scripts. With IIS7's completely redesigned architecture, this functionality still exists but is implemented differently through the Handler Mappings feature.

To achieve the same behavior in IIS7:

  1. Open IIS Manager and navigate to your site
  2. Select the directory you want to modify
  3. In the Features View, double-click "Handler Mappings"
  4. In the Actions pane, click "Open Feature"

For those who prefer programmatic configuration or need to automate deployment, you can achieve this through the applicationHost.config or web.config file:

<configuration>
  <location path="YourDirectoryPath">
    <system.webServer>
      <handlers>
        <remove name="ASPClassic" />
        <remove name="PageHandlerFactory-ISAPI-4.0_32bit" />
        <remove name="PageHandlerFactory-ISAPI-4.0_64bit" />
        <remove name="PageHandlerFactory-Integrated" />
      </handlers>
    </system.webServer>
  </location>
</configuration>

Another effective method is to use the Request Filtering feature:

<system.webServer>
  <security>
    <requestFiltering>
      <fileExtensions allowUnlisted="true">
        <add fileExtension=".asp" allowed="false" />
        <add fileExtension=".aspx" allowed="false" />
        <add fileExtension=".php" allowed="false" />
      </fileExtensions>
    </requestFiltering>
  </security>
</system.webServer>

After implementing these changes, verify by:

  1. Uploading a test script file to the restricted directory
  2. Attempting to access it through a browser
  3. Confirming you receive a 404.7 or 404.3 error (indicating successful restriction)