Configuring Handler Mappings
When you add the Web Server (IIS) role to Windows Server 2008, a default set of handler mappings is defined for the Web server and for the default Web site. New Web sites and Web applications are also configured with a default set of handler mappings. In addition, when you add role services to the Web Server (IIS) role, additional handler mappings might be added automatically to the configuration.
You can use IIS Manager to configure handler mappings. After you have connected to an installation of IIS, you must choose at which level you want to configure mappings. You can configure mappings at the following levels:
Web Server
Web Sites
Web Applications
Virtual Directories
Web Folders
Child items in the hierarchy automatically inherit handler mappings. For example, a child item automatically inherits the default handler mappings for a new Web application from the configuration of the parent Web site. Settings made at lower levels override the settings from higher levels. This enables a specific Web application to support a certain type of file content (such as ASP.NET pages) whereas other applications and the parent Web site might support only static content.
To view the handler mappings that are configured at a specific level, click the relevant object in the left pane of IIS Manager. Then, select Handler Mappings from the Features View in the center pane. Figure 13 shows the handler mappings that are defined for a Web site.
The display includes information about all the handler mappings defined at the selected level. The name specifies information about the request handler itself. Examples include StaticFile and ASPClassic. Built-in handler mappings have default names, but administrators can provide names for new mappings when they are created. The Path column shows the specific request extensions for which the handler will be used.
The State column specifies whether the handler is enabled or disabled. If the handler is disabled, requests that match the mapping will not be processed. The Handler column specifies details about the program that is to be called. Finally, the Entry Type specifies whether the handler mapping is inherited from a parent object or is Local (defined directly for this object).
You can use the Group By drop-down list to view handler mappings based on different criteria. The Entry Type shows which settings have been inherited from parent objects and which handlers are configured directly for the selected object. The State grouping shows which handler mappings are enabled and which are disabled. These view options make it easy to determine the security attack surface for each component of the Web server.
Removing Handler Mappings
To secure your Web content, it is a good idea to remove any request handlers that you know will not be required when running in production. To remove a handler mapping, click it, and then select the Remove command from the Actions pane. After a handler is removed, requests for the types of content that it handled will not be processed. For example, Figure 14 shows the result that is returned to a local Web browser when the StaticFile request handler has been removed for the Web application. In this case, the requested file (default.htm) is present in the Web application folder. However, because no request handler is available for the .htm file extension, the request cannot be processed. To the requester, it appears that the file does not exist.
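
The inheritance and removal behavior described above can also be audited outside IIS Manager. The following is an added example, not part of the original text: it resolves the effective handler mappings for a site and an application from the handlers sections of their configuration files, labels each entry Inherited or Local, and reports handlers that are not on an approved list. The XML is constructed and abbreviated sample data, ReportHandler and Example.ReportHandler are hypothetical, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated sample data modelled on the <handlers> section that
# IIS 7 keeps in applicationHost.config (server) and web.config (lower levels).
SERVER = """<handlers>
  <add name="ASPClassic" path="*.asp" verb="GET,HEAD,POST" modules="IsapiModule" />
  <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" />
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" />
</handlers>"""
SITE = """<handlers><remove name="ASPClassic" /></handlers>"""
APP = """<handlers>
  <remove name="StaticFile" />
  <add name="ReportHandler" path="*.rpt" verb="GET" type="Example.ReportHandler" />
</handlers>"""  # ReportHandler is a hypothetical custom handler

def effective_handlers(levels):
    """Apply each level's <clear/>, <remove/> and <add/> in order, parent first.
    Returns {name: (path, handler, entry_type)} as seen at the last level."""
    result = {}
    for depth, section in enumerate(levels):
        is_last = depth == len(levels) - 1
        for el in ET.fromstring(section):
            name = el.get("name")
            if el.tag == "clear":        # child discards everything inherited
                result.clear()
            elif el.tag == "remove":     # child drops one inherited mapping
                result.pop(name, None)
            elif el.tag == "add":        # Local only if defined at this level
                handler = el.get("type") or el.get("modules")
                entry = "Local" if is_last else "Inherited"
                result[name] = (el.get("path"), handler, entry)
    return result

def unexpected(handlers, allowed):
    """Names of effective handlers that are not on the approved list."""
    return sorted(set(handlers) - set(allowed))

if __name__ == "__main__":
    for label, chain in [("site", [SERVER, SITE]), ("app", [SERVER, SITE, APP])]:
        print(label)
        for name, (path, handler, entry) in effective_handlers(chain).items():
            print(f"  {name:32} {path:8} {entry:10} {handler}")
```

With StaticFile removed at the application level, no mapping remains there for default.htm, which corresponds to the case shown in Figure 14.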