I have read the CIS (Center for Internet Security) Workbench recommendations for IIS 10. They recommend to disable the allow unlisted file name extensions
