Home / server / Questions / 575481
Accepted
William Jens
Asked: 2014-02-14 15:31:33 +0800 CST

How do I disable server side code on iis 7.5?

  • 772

I want to setup a website that can't execute any server side code (asp, asp.net, etc.).

I've tried using an application pool that has "No Managed Code" as the .NET Framework version, but classic asp code still executes.

I tried removing all ISAPI Filters but that didn't help.

Removing the ".asp" Handler Mapping worked. Should I remove all *.[ext] handlers to lock it down further?

I still need to run code on some sites, but I'd like to be able to offer vanilla web hosting on sites as needed.

iis-7.5

3 Answers

  1. The safest way to do this is by adding the following to your web.config

    <?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="" allowOverride="false">
        <system.webServer>
            <handlers accessPolicy="Read" />
        </system.webServer>
    </location>
</configuration>

    It does the same as what William Jens does. However the <location path="" allowOverride="false"> adds a security measure to prevent overrides of the web.config file in subdirectories.

    It's worth nothing that you still need to prevent modifications to the root web.config file. For example by making it read only.

    • 1

  2. You can select which features of IIS are installed and available in the server; if you remove all application development features, the web server will not process any server-side code.

    http://technet.microsoft.com/en-us/library/cc753473.aspx

    • 0
  3. Best Answer

    After some more tinkering, I think I figured it out.

    IIS Manager > [My Site] > Handler Mappings > Edit Feature Permissions > uncheck "Script"

    This disables most of the handlers, which prevents classic asp & asp.net files from running, but still serves up html.

    Not sure if this is the correct way, but it appears to work.

    • 0