Edit Feature Permissions for the Handler Mappings Feature (IIS 7)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Configure feature permissions to set the access policy that specifies the type of permissions that are allowed for all handlers at the Web server, site, application, directory, or file levels in IIS. The feature permissions that you can enable or disable in the access policy are: read, scripts, and execute. The access policy, together with a handler's required access setting, determines whether a handler can run. If a handler requires a type of feature permission that is not enabled in the access policy, the handler will be disabled and all requests that are processed by that handler (based on the handler mapping) will fail, unless there is another handler that can process the request.
In IIS Manager, the required access setting for a handler is in the Request Restrictions dialog box on the Access tab. This setting maps to the requireAccess attribute on the handler mapping in the <handlers> configuration section. For more information about how to configure the required access setting for a handler mapping, see Configure Request Restrictions for a Handler Mapping (IIS 7).
For example, you might enable Read and Scripts at the Web server level, but decide to disable Scripts for a specific site that serves only static content. This prevents the server from running scripts for that site if a user adds a handler mapping for a script or executable at the site level.
Because the access level that is required by a handler is controlled by the requireAccess attribute in a handler mapping, you must make sure that the required access setting for a handler is correct or else the handler may run unintentionally. For example, if you change the required access from Execute to Read for ISAPI-dll handler in a configuration file, ISAPI extensions will be able to run for sites or applications that use that configuration file, even if only Read is enabled in the access policy.
For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Handler Mappings Feature Requirements (IIS 7).
Exceptions to feature requirements
To configure handler permissions
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
To use the UI
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
In Features View, on the server, site, or applicationHome page, double-click Handler Mappings.
In the Actions pane, click Edit Feature Permissions.
In the Edit Feature Permissions dialog box, do the following:
Select Read to enable handlers that require read access or clear Read to disable handlers that require read access to a virtual directory.
Select Scripts to enable handlers that require script rights or clear Scripts to disable handlers that require script rights in a virtual directory.
Select Execute to enable handlers that require execute rights or clear Execute to disable handlers that require execute rights in a virtual directory. The Execute option is enabled only when Scripts is selected.
For security and performance reasons, you should enable executable rights only for programs that you have tested and that your applications require.
- Click OK.
To configure the access policy for the handlers feature, use the following syntax:
appcmd set config /section:handlers /accessPolicy: NoRemoteScript|NoRemoteExecute|NoRemoteRead|NoRemoteWrite|Script|Source|Execute|Write|Read|None
You can specify one or more of the options for the accessPolicy attribute, or specify None. If you specify more than one value, separate each value with a comma (,). For example, to enable handlers that require Read or Script rights, type the following at the command prompt, and then press ENTER:
appcmd set config /section:handlers /accessPolicy:Read,Script
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
The procedure in this topic affects the following configuration elements:
For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
Use the following WMI classes, methods, or properties to perform this procedure:
- HandlerAction.RequireAccess property
For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.