Removing Unused HTTP Handlers for Better Performance & Security

走了就别回头了 2021-02-03 11:08

Where can I get a list of what all of the default IIS HTTP handlers do? I need documentation!! I have read a few blogs which recommend removing dozens of unused HTTP handlers fo

2 answers
  •  遇见更好的自我
    2021-02-03 11:35

    If you really want a minimal set of handler mappings, I suggest you start clean, in your web.config remove all handlers and just use the StaticFile one:

    
        
            
             
        
    
    

    Now add all the handlers you need back in, just for the bitness and mode you're running in.

    For a basic MVC project it may be enough to add

      
    

    What do all the handlers do?

    I couldn't find any documentation either, so here's my attempt:

    The handler mappings are defined in %SystemRoot%\System32\inetsrv\config\applicationHost.config - system.webServer/handlers

    In my case there were 87 mappings.

    50 of them are modules="IsapiModule" scriptProcessor="...aspnet_isapi.dll" for ASP.NET. These cover all the various ASP.NET extensions and may exist for CLR versions 2.0 and 4.0 and for 32-bit and 64-bit. Most of them are for Classic Mode.

    They usually handle the following extensions:

     *.       = ExtensionlessUrlHandler-ISAPI
     *.ashx   = SimpleHandlerFactory-ISAPI
     *.asmx   = WebServiceHandlerFactory-ISAPI
     *.aspq   = aspq-ISAPI
     *.aspx   = PageHandlerFactory
     *.axd    = AXD-ISAPI
     *.cshtm  = cshtm-ISAPI
     *.cshtml = cshtml-ISAPI
     *.rem    = HttpRemotingHandlerFactory-rem-ISAPI
     *.rules  = rules-ISAPI
     *.soap   = HttpRemotingHandlerFactory-soap
     *.svc    = svc-ISAPI
     *.vbhtm  = vbhtm-ISAPI
     *.vbhtml = vbhtml-ISAPI
     *.xamlx  = xamlx-ISAPI
     *.xoml   = xoml-ISAPI
    

    If your project doesn't use certain extensions, you may remove these handlers.

    Most handler mappings have a preCondition, such as applying only in 32-bit application pools or only in Classic Mode. If you only ever run 64-bit integrated mode, you can remove all Classic Mode and 32-bit handler mappings.

    If we look at *.cshtml for a Razor view file, you will find three mappings, two for ClassicMode in 32/64 bit which point to the ASP.NET ISAPI modules, but the third applies only in integrated mode and maps to HttpForbiddenHandler, because the MVC routing works differently in Integrated Mode and you never want to allow access to view files directly.

    There may be IsapiModules for classic ASP or CGI; like the ASP.NET mappings, they are there to handle the requests for files with certain extensions.

    The second biggest group are the type="System. handlers, let's look at them:

    System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory

    Handles *.rem and *.soap files in integrated mode. Can be removed if you are not using remoting.

    System.ServiceModel.Activation.HttpHandler, System.ServiceModel.Activation

    Handles certain WCF requests with *.rules,*.xoml,*.svc extensions.

    System.Web.Handlers.AssemblyResourceLoader

    Handles WebResource.axd requests, these may be used in WebForms, but usually not in MVC projects.

    System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions

    For handling ScriptResource.axd which provides JavaScript and CSS resources in WebForms.

    System.Web.Handlers.TraceHandler

    Handler for trace.axd to display ASP.NET trace information. On a production site, you want to remove this handler.

    System.Web.Handlers.TransferRequestHandler

    Used to handle extensionless requests in integrated mode. This forwards the request to the routing engine to decide how to handle these requests.

    System.Web.Handlers.WebAdminHandler

    Handles WebAdmin.axd to display the ASP.NET Website Administration Toolkit, you can remove this if you don't use that builtin feature.

    System.Web.HttpForbiddenHandler

    Allows us to prevent access to any files with certain extensions. However, it returns a 500 HTTP status and actually throws a System.Web.HttpException exception on the server. In my opinion there are better ways to block certain extensions, such as IIS Request Filtering.

    System.Web.HttpMethodNotAllowedHandler

    I think this one is no longer used in modern IIS; it returns a 405 HTTP status and also throws an HttpException.

    System.Web.HttpNotFoundHandler

    Also no longer in my current configuration. It throws a 404 HTTP exception.

    System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions

    Handles *.asmx and *_AppService.axd to support Web service calls via Ajax.

    System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services

    Also handles *.asmx web service requests in integrated mode for DOT.NET 2

    System.Web.StaticFileHandler

    Returns a static file, no longer used?

    System.Web.UI.PageHandlerFactory

    Handles ASP.NET WebForm pages .aspx in integrated mode.

    System.Web.UI.SimpleHandlerFactory

    Handles ASP.NET custom handlers .ashx in integrated mode.

    System.Xaml.Hosting.XamlHttpHandlerFactory, System.Xaml.Hosting

    Handles Windows Workflow Foundation services .xamlx in integrated mode.


    more handlers:

    modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"

    This is usually the very last mapping, to handle any requests that have not been handled by any of the previous handlers: path="*" verb="*". It actually uses three different modules. The StaticFileModule one looks for a physical file matching the requested URL; if not found, the DefaultDocumentModule looks for a default document in the same folder as the requested URL, and if that is also not found, the DirectoryListingModule may display the content of the directory if enabled.

    modules="ProtocolSupportModule"

    This handles all requests for the HTTP verbs TRACE and OPTIONS. If you remove this mapping, all TRACE and OPTIONS requests will return a "405 Method not allowed".
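
The "start clean, then add back" approach from the answer above, as an added example that is not part of the original post: a site-level web.config that clears the inherited mappings, keeps only the extensionless-URL and StaticFile handlers, and blocks direct requests for view files with Request Filtering instead of HttpForbiddenHandler. It assumes an MVC application in an integrated-mode, CLR 4.0 application pool; the blocked extensions are an illustrative choice.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. Assumes: MVC app, integrated pipeline, CLR 4.0 app pool. -->
<configuration>
  <system.webServer>
    <handlers>
      <!-- Drop every mapping inherited from applicationHost.config. -->
      <clear />

      <!-- Extensionless URLs are handed to ASP.NET routing.
           The stock entry also lists the DEBUG verb; it is left out here. -->
      <add name="ExtensionlessUrlHandler-Integrated-4.0"
           path="*." verb="GET,HEAD,POST"
           type="System.Web.Handlers.TransferRequestHandler"
           preCondition="integratedMode,runtimeVersionv4.0" />

      <!-- Catch-all for anything not matched above; keep it last. -->
      <add name="StaticFile"
           path="*" verb="*"
           modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>

    <!-- DirectoryListingModule only lists folders when this is enabled. -->
    <directoryBrowse enabled="false" />

    <security>
      <requestFiltering>
        <fileExtensions>
          <!-- With the handlers cleared, nothing maps *.cshtml to
               HttpForbiddenHandler any more, so StaticFile would be asked
               for it. Deny the extension before any handler runs
               (request filtering answers with 404.7).
               <remove> first avoids a duplicate-entry error if a parent
               config already lists the extension. -->
          <remove fileExtension=".cshtml" />
          <add fileExtension=".cshtml" allowed="false" />
          <remove fileExtension=".vbhtml" />
          <add fileExtension=".vbhtml" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

No ProtocolSupportModule mapping is added back, so TRACE and OPTIONS requests get the 405 response the answer describes.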
