What file extensions are blocked by default in IIS
Solution 1
Here's the list I build out of the IIS UI since I couldn't find it anywhere. Hope you find it helpful.
disallowed extensions
.asax
.ascx
.master
.skin
.browser
.sitemap
.config
.cs
.csproj
.vb
.vbproj
.webinfo
.licx
.resx
.resources
.mdb
.vjsproj
.java
.jsl
.ldb
.dsdgm
.ssdgm
.lsad
.ssmap
.cd
.dsprototype
.lsaprototype
.sdm
.sdmDocument
.mdf
.ldf
.ad
.dd
.ldd
.sd
.adprototype
.lddprototype
.exclude
.refresh
.compiled
.msgx
.vsdisco
.rules
Solution 2
If I'm not mistaken, you'll find them in the root web.config
of the machine:
%windir%\Microsoft.NET\Framework\framework_version\CONFIG
Which is also where you'll find the machine.config
file.
e.g.
<add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
REF:
As to how you'd programmatically get to it - I haven't tried. The IIS_USRS built-in group has access to it and this doc expands on it.
Hth...
Michael Kennedy
Michael is an author, an instructor, and the technical curriculum director at DevelopMentor. He is also a co-creator and lead developer for LearningLine, DevelopMentor’s online training platform. Michael has been building commercial applications with .NET since its initial public beta in 2001. Prior to working with .NET, he spent years working with C++ on Windows and SGI platforms. He holds a Master’s degree in Mathematics from San Diego State University and is a Microsoft Certified Trainer. Michael has a broad background in software development. He has extensive experience in Windows UI technologies (WPF, Windows Forms, and MFC), web technologies (ASP.NET MVC, JavaScript, and IIS), data technologies (NoSQL, MongoDB, LINQ, Entity Framework, and ADO.NET), and software development process related methodologies (TDD, Unit Testing, Continuous Integration, TFS). In addition to teaching at DevelopMentor, you can find him speaking at conferences and user groups on topics such as NoSQL, MVC, and cloud computing.
Updated on July 30, 2022Comments
-
Michael Kennedy almost 2 years
Some files are not served off of IIS because they are typically part of the building blocks of the website itself. For ASP.NET these are files like *.cs, *.dll, *.config, *.cshtml, etc.
You can find a list of them tied up in the IIS management setting "Filter requests" here:
But if you need to programmatically access this list, it seems tough to find. Is there a good list of these default extensions?
BTW, the IIS website has info on how to enable / disable these globally here:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/fileextensions
-
Michael Kennedy over 11 yearsNice. Funny, I looked there. But for some reason search the file didn't turn it up. I was looking for a fileExtension section (which the IIS doc I referenced talks about). Good to know. I suspect you can access this using
ConfigurationManager
but I haven't tried that. Thanks.