Reputation: 31887
I'm developing a Web application and running it using IIS. My application is a file server. I need to visualize files in the web browser and I have some trouble viewing some files or directories.
For example, I'm not able to view files with the .cs extension or the content of directories called bin. The Web server returns a 404 for those URLs:
Server Error
HTTP Error 404 - File or directory not found.
Description: The resource you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
Server Version Information: Internet Information Services 7.0.
I guess that this is a kind of protection that IIS has. My questions are:
And the most important question for me:
Upvotes: 7
Views: 2584
Reputation: 10774
Those files are filtered for security. For example, if I know your website has a page at http://example.com/default.aspx, I might be able to just download the code for that page by entering http://example.com/default.aspx.cs in my browser. The same goes for the bin folder.
How are you trying to display these files: is it through your own UI or by enabling directory browsing?
Upvotes: 1
Reputation: 31887
Well, finally I had to change the IIS settings to allow overriding the requestFiltering:
In file %systemroot%\System32\inetsrv\config\applicationHost.config change:
<section name="requestFiltering" overrideModeDefault="Allow" />
And then I used the following configuration in my Web.config. Note that now all the files in the Web server are unprotected; you need to set up your rules in order to protect your bin directory, and also your code files, or whatever you want.
<system.webServer>
  <security>
    <!-- Very important, the IIS configuration must have the
         overrideModeDefault to allow in the file
         %systemroot%\System32\inetsrv\config\applicationHost.config -->
    <!-- section name="requestFiltering" overrideModeDefault="Allow" /> -->
    <requestFiltering>
      <fileExtensions allowUnlisted="true">
        <remove fileExtension=".asa" />
        <remove fileExtension=".asax" />
        <remove fileExtension=".ascx" />
        <remove fileExtension=".master" />
        <remove fileExtension=".skin" />
        <remove fileExtension=".browser" />
        <remove fileExtension=".sitemap" />
        <remove fileExtension=".config" />
        <remove fileExtension=".cs" />
        <remove fileExtension=".csproj" />
        <remove fileExtension=".vb" />
        <remove fileExtension=".vbproj" />
        <remove fileExtension=".webinfo" />
        <remove fileExtension=".licx" />
        <remove fileExtension=".resx" />
        <remove fileExtension=".resources" />
        <remove fileExtension=".mdb" />
        <remove fileExtension=".vjsproj" />
        <remove fileExtension=".java" />
        <remove fileExtension=".jsl" />
        <remove fileExtension=".ldb" />
        <remove fileExtension=".dsdgm" />
        <remove fileExtension=".ssdgm" />
        <remove fileExtension=".lsad" />
        <remove fileExtension=".ssmap" />
        <remove fileExtension=".cd" />
        <remove fileExtension=".dsprototype" />
        <remove fileExtension=".lsaprototype" />
        <remove fileExtension=".sdm" />
        <remove fileExtension=".sdmDocument" />
        <remove fileExtension=".mdf" />
        <remove fileExtension=".ldf" />
        <remove fileExtension=".ad" />
        <remove fileExtension=".dd" />
        <remove fileExtension=".ldd" />
        <remove fileExtension=".sd" />
        <remove fileExtension=".adprototype" />
        <remove fileExtension=".lddprototype" />
        <remove fileExtension=".exclude" />
        <remove fileExtension=".refresh" />
        <remove fileExtension=".compiled" />
        <remove fileExtension=".msgx" />
        <remove fileExtension=".vsdisco" />
      </fileExtensions>
      <hiddenSegments>
        <remove segment="web.config" />
        <remove segment="bin" />
        <remove segment="App_code" />
        <remove segment="App_GlobalResources" />
        <remove segment="App_LocalResources" />
        <remove segment="App_WebReferences" />
        <remove segment="App_Data" />
        <remove segment="App_Browsers" />
      </hiddenSegments>
    </requestFiltering>
  </security>
  ...
</system.webServer>
Upvotes: 10
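A narrower variant of the configuration above, as an added example that is not part of the original answer: the `<remove>` entries sit inside a `<location>` element, so only one content directory is opened up and the application root keeps IIS's default filters. The directory name `files` is an assumption; the extension and segment names come from the answer, and the `requestFiltering` section must still be unlocked in applicationHost.config as described there.

```xml
<configuration>
  <!-- Application root: no requestFiltering overrides here, so the default
       denied extensions (.cs, .config, ...) and hidden segments (bin,
       App_Data, ...) keep protecting the application's own code. -->

  <!-- "files" is a placeholder (assumption) for the directory that holds
       the content the file server is meant to expose. -->
  <location path="files">
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions allowUnlisted="true">
            <!-- Lift only the blocks this file share actually needs. -->
            <remove fileExtension=".cs" />
            <remove fileExtension=".csproj" />
          </fileExtensions>
          <hiddenSegments>
            <!-- Takes effect for URLs under /files only,
                 for example /files/project/bin/ -->
            <remove segment="bin" />
          </hiddenSegments>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Because `.config` and the `web.config` segment are not removed, configuration files stored inside the shared directory stay blocked, and the application's own /bin remains hidden.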
Reputation: 93444
I would suggest that you're doing things wrong. You don't want IIS to serve your files directly from disk for a variety of reasons (for example, any .html or .xml file will get rendered then, rather than downloading its contents).
What you want to do is have your code send the files to the user, rather than letting IIS do it. This will bypass IIS's restrictions (because it's you sending the code, not it) and it will still keep IIS's restrictions in place for your application's folder structure.
Upvotes: 2
Reputation: 3851
This is a security measure due to ASP.NET being installed on the system.
All requests with /bin in the URL are rejected and return a 404 error (IIS 6.0)
This occurs when IIS 6.0 and ASP.NET are both installed. In order to take a more proactive stance against malicious users and attackers, the ASP.NET ISAPI filter, aspnet_filter.dll, blocks incoming requests containing /bin in the URL. This behavior occurs server-wide, regardless of whether the request is for static or dynamic content.
The preferred solution to this issue is to modify the path to content on the server so that /bin is not necessary in any request.
If the content URL cannot be modified, an alternative solution is to set a registry key that stops the ASP.NET ISAPI filter from filtering requests containing /bin in the URL. This is a server-wide setting.
Better to avoid all /bin folders than enable that on your server.
To enable serving .cs files, try this Server Fault article: https://serverfault.com/questions/175499/serving-cs-csproj-files-on-iis7-5
As their suggestion is a web.config fix, you can apply it on a per-site basis as you wanted.
Upvotes: 2
Reputation: 2531
When you install the .NET Framework and register ASP.NET, it will by default tell IIS to not serve these files. If you REALLY want to get around this, you will need to modify the Request Filtering section in IIS.
The example below shows how you would enable .cs extensions:
<system.webServer>
  <security>
    <requestFiltering>
      <fileExtensions>
        <remove fileExtension=".cs" />
        <add fileExtension=".cs" allowed="true" />
      </fileExtensions>
    </requestFiltering>
  </security>
</system.webServer>
Upvotes: 8