What file extensions are blocked by default in IIS

Question

Some files are not served off of IIS because they are typically part of the building blocks of the website itself. For ASP.NET these are files like *.cs, *.dll, *.config, *.

Answer 1

If I'm not mistaken, you'll find them in the root web.config of the machine:

%windir%\Microsoft.NET\Framework\framework_version\CONFIG

Which is also where you'll find the machine.config file.

e.g.

<add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

REF:

• Technet: working with config files
• KB: Use ASP.NET to Protect File Types

As to how you'd programmatically get to it - I haven't tried. The IIS_USRS built-in group has access to it and this doc expands on it.

Hth...

Answer 2

on localhost you can alter the applicationHost.config file, a systems file that you can edit in VS and go to the requestFiltering section, change and save.

Answer 3

Here's the list I build out of the IIS UI since I couldn't find it anywhere. Hope you find it helpful.

disallowed extensions

.asax
.ascx
.master
.skin
.browser
.sitemap
.config
.cs
.csproj
.vb
.vbproj
.webinfo
.licx
.resx
.resources
.mdb
.vjsproj
.java
.jsl
.ldb
.dsdgm
.ssdgm
.lsad
.ssmap
.cd
.dsprototype
.lsaprototype
.sdm
.sdmDocument
.mdf
.ldf
.ad
.dd
.ldd
.sd
.adprototype
.lddprototype
.exclude
.refresh
.compiled
.msgx
.vsdisco
.rules