[thelist] Removing/Disabling ASP WAS Re: ASP on IIS6 (WAS something else very long)

[Ken Schaefer]

After that very long thread...something that may be of assistance.

If you want to prevent ASP files from being run on your IIS box then the 
recommendation is to disable the ASP Web Service Extension (WSE) in the IIS 
Manager. If any one does request an ASP document, they will get a 404 error 
(either because there is no ASP file -or- because the lockdown policy 
prevents this extension being served, check the logged HTTP substatus for 
details)

If you want to take this a step further, you can edit the metabase (where 
WSE, their dependencies and file extensions are stored). This will 
completely remove ASP as an ISAPI Extension (as far as IIS is concerned). No 
ASP files will ever be executed (though, if your developer sticks an ASP 
file on the server, it'll just be served, verbatim, like any other 
non-dynamic document to the client. To prevent this ever happening, you can 
use URLScan to block all requests for ASP files.

Lastly, if really want to take things a step further, remove asp.dll from 
your server (though I'm pretty sure this is taking you into the 
"unsupported" area).

All of these steps are relatively easy to reverse - but no one other than an 
administrator (and in the case of the last step, who also can get a new copy 
of asp.dll onto the server) is going to be able to reverse them.

Cheers
Ken


----- Original Message ----- 
From: "Ken Schaefer" <ken.schaefer at gmail.com>
Subject: Re: ASP on IIS6 (opposite question;was RE: [thelist] ASP.NET on IIS 
5?)


: On Thu, 23 Sep 2004 21:17:32 -0700, Shane Miller
: <smiller at callcenters24x7.com> wrote:
: > To reiterate --- it was nothing obvious.
: >
: > I had performed everything indicated in 812614, and several other 
articles.
: > I'm not a neophyte.

<snipped>