What file extensions are blocked by default in IIS

Question

Some files are not served off of IIS because they are typically part of the building blocks of the website itself. For ASP.NET these are files like *.cs, *.dll, *.config, *.cshtml, etc.

You can find a list of them tied up in the IIS management setting "Filter requests" here:

But if you need to programmatically access this list, it seems tough to find. Is there a good list of these default extensions?

BTW, the IIS website has info on how to enable / disable these globally here:

http://www.iis.net/configreference/system.webserver/security/requestfiltering/fileextensions

Answer 1

on localhost you can alter the applicationHost.config file, a systems file that you can edit in VS and go to the requestFiltering section, change and save.

Answer 2

If I'm not mistaken, you'll find them in the root web.config of the machine:

%windir%\Microsoft.NET\Framework\framework_version\CONFIG

Which is also where you'll find the machine.config file.

e.g.

<add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

REF:

• Technet: working with config files
• KB: Use ASP.NET to Protect File Types

As to how you'd programmatically get to it - I haven't tried. The IIS_USRS built-in group has access to it and this doc expands on it.

Hth...

Answer 3

Here's the list I build out of the IIS UI since I couldn't find it anywhere. Hope you find it helpful.

disallowed extensions

.asax
.ascx
.master
.skin
.browser
.sitemap
.config
.cs
.csproj
.vb
.vbproj
.webinfo
.licx
.resx
.resources
.mdb
.vjsproj
.java
.jsl
.ldb
.dsdgm
.ssdgm
.lsad
.ssmap
.cd
.dsprototype
.lsaprototype
.sdm
.sdmDocument
.mdf
.ldf
.ad
.dd
.ldd
.sd
.adprototype
.lddprototype
.exclude
.refresh
.compiled
.msgx
.vsdisco
.rules