
Where can I get a list of what all of the default IIS HTTP handlers do? I need documentation!! I have read a few blogs which recommend removing dozens of unused HTTP handlers for performance and security reasons.

E.g. removing the TraceHandler-Integrated and TraceHandler-Integrated-4.0 handlers is recommended because otherwise navigating to /trace.axd causes a 500 Internal Server Error instead of a 404 Not Found, and you should not have tracing on in a production environment.

A GitHub project (now deleted) recommends manually removing a huge list of HTTP handlers; some of them are:

<system.webServer>
  <handlers>
    <remove name="TraceHandler-Integrated-4.0" />
    <remove name="TraceHandler-Integrated" />
    <remove name="AssemblyResourceLoader-Integrated-4.0" />
    <remove name="AssemblyResourceLoader-Integrated" />
    <remove name="WebAdminHandler-Integrated-4.0" />
    <remove name="WebAdminHandler-Integrated" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-2.0-64" />
    <remove name="svc-ISAPI-4.0_32bit" />
    <remove name="ScriptHandlerFactoryAppServices-Integrated-4.0" />
    <remove name="ScriptResourceIntegrated-4.0" />
    <remove name="svc-ISAPI-4.0_64bit" />
    <remove name="svc-Integrated-4.0" />
    <remove name="vbhtm-ISAPI-4.0_32bit" />
    <remove name="vbhtm-ISAPI-4.0_64bit" />
    <remove name="vbhtm-Integrated-4.0" />
    <remove name="vbhtml-ISAPI-4.0_32bit" />
    <remove name="vbhtml-ISAPI-4.0_64bit" />
    <remove name="vbhtml-Integrated-4.0" />
    <remove name="xamlx-ISAPI-4.0_32bit" />
    <remove name="xamlx-ISAPI-4.0_64bit" />
    <remove name="xamlx-Integrated-4.0" />
    <remove name="xoml-ISAPI-4.0_32bit" />
    <remove name="xoml-ISAPI-4.0_64bit" />
    <remove name="xoml-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-rem-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-2.0" />
    <remove name="rules-ISAPI-4.0_32bit" />
    <remove name="rules-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-soap-Integrated" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-2.0" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-4.0_64bit" />
    <remove name="HttpRemotingHandlerFactory-soap-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-4.0_32bit" />
    <remove name="rules-ISAPI-4.0_64bit" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-2.0-64" />
    <remove name="HttpRemotingHandlerFactory-rem-Integrated" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-4.0_32bit" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-4.0_64bit" />
    <remove name="AXD-ISAPI-2.0-64" />
    <remove name="cshtml-ISAPI-4.0_64bit" />
    <remove name="cshtml-Integrated-4.0" />
    <remove name="cshtm-Integrated-4.0" />
    <remove name="cshtml-ISAPI-4.0_32bit" />
    <remove name="cshtm-ISAPI-4.0_64bit" />
    <remove name="cshtm-ISAPI-4.0_32bit" />
    <remove name="AXD-ISAPI-4.0_64bit" />
    <remove name="AXD-ISAPI-2.0" />
    <remove name="AXD-ISAPI-4.0_32bit" />
    <remove name="PageHandlerFactory-ISAPI-2.0-64" />
    <remove name="PageHandlerFactory-ISAPI-2.0" />
    <remove name="PageHandlerFactory-ISAPI-4.0_64bit" />
    <remove name="PageHandlerFactory-ISAPI-4.0_32bit" />
    <remove name="aspq-ISAPI-4.0_64bit" />
    <remove name="aspq-Integrated-4.0" />
    <remove name="WebServiceHandlerFactory-ISAPI-2.0" />
    <remove name="aspq-ISAPI-4.0_32bit" />
    <remove name="WebServiceHandlerFactory-Integrated-4.0" />
    <remove name="WebServiceHandlerFactory-Integrated" />
    <remove name="SimpleHandlerFactory-ISAPI-4.0_64bit" />
    <remove name="SimpleHandlerFactory-Integrated-4.0" />
    <remove name="SimpleHandlerFactory-Integrated" />
    <remove name="SimpleHandlerFactory-ISAPI-2.0" />
    <remove name="SimpleHandlerFactory-ISAPI-2.0-64" />
    <remove name="WebServiceHandlerFactory-ISAPI-4.0_32bit" />
    <remove name="WebServiceHandlerFactory-ISAPI-4.0_64bit" />
    <remove name="WebServiceHandlerFactory-ISAPI-2.0-64" />
    <remove name="SimpleHandlerFactory-ISAPI-4.0_32bit" />
    <remove name="ISAPI-dll" />
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
    <remove name="OPTIONSVerbHandler" />
    <remove name="TRACEVerbHandler" />
  </handlers>
</system.webServer>
user2864740
Muhammad Rehan Saeed
    It seems there is no full documentation about all the handlers out there (yet). I suggest not removing all the handlers above, that may open up more security holes than it fixes. You really want to understand what each handler does and whether you need it. – Peter Hahndorf Mar 14 '15 at 16:13
  • https://github.com/pingfu/notes/blob/master/Security%20-%20IIS%20-%20Hardening%20the%20web.config.md not found – Kiquenet Nov 12 '15 at 08:50
  • @Kiquenet Unfortunately, the author deleted the project. – Muhammad Rehan Saeed Nov 12 '15 at 09:10
  • Boy, that anonymous Github project sure sounds like a good authority to give me advice on what to remove. – marknuzz May 30 '20 at 08:00
  • The recommended list to remove shows a general lack of understanding of the difference between *accepting* and *rejecting* handlers, which has been repeated in the answers. This leads to potential security vulnerabilities, in this case potentially allowing `.cshtml` files to be downloaded (note that `ExtensionlessUrlHandler-Integrated-4.0` was NOT removed). *Rejecting* handlers should not be removed without a suitable replacement, such as a requestFiltering addition. – user2864740 Sep 30 '20 at 21:38

3 Answers


If you really want a minimal set of handler mappings, I suggest you start clean: in your web.config, remove all handlers and just use the StaticFile one:

<system.webServer>
    <handlers>
        <clear />
        <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
</system.webServer>

Now add all the handlers you need back in, just for the bitness and mode you're running in.

For a basic MVC project it may be enough to add

  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />

What do all the handlers do?

I couldn't find any documentation either, so here's my attempt:

The handler mappings are defined in %SystemRoot%\System32\inetsrv\config\applicationHost.config - system.webServer/handlers

In my case there were 87 mappings.

50 of them are modules="IsapiModule" scriptProcessor="...aspnet_isapi.dll" for ASP.NET. These cover all the various ASP.NET extensions and may exist for CLR versions 2.0 and 4.0 and for 32-bit and 64-bit. Most of them are for Classic Mode.

They usually handle the following extensions:

 *.       = ExtensionlessUrlHandler-ISAPI
 *.ashx   = SimpleHandlerFactory-ISAPI
 *.asmx   = WebServiceHandlerFactory-ISAPI
 *.aspq   = aspq-ISAPI
 *.aspx   = PageHandlerFactory
 *.axd    = AXD-ISAPI
 *.cshtm  = cshtm-ISAPI
 *.cshtml = cshtml-ISAPI
 *.rem    = HttpRemotingHandlerFactory-rem-ISAPI
 *.rules  = rules-ISAPI
 *.soap   = HttpRemotingHandlerFactory-soap
 *.svc    = svc-ISAPI
 *.vbhtm  = vbhtm-ISAPI
 *.vbhtml = vbhtml-ISAPI
 *.xamlx  = xamlx-ISAPI
 *.xoml   = xoml-ISAPI

If your project doesn't use certain extensions, you may remove these handlers.

Most handler mappings have a preCondition, like "apply in 32-bit application pools" or "apply in Classic Mode". If you only ever run 64-bit Integrated Mode, you can remove all Classic Mode and 32-bit handler mappings.

If we look at *.cshtml for a Razor view file, you will find three mappings, two for ClassicMode in 32/64 bit which point to the ASP.NET ISAPI modules, but the third applies only in integrated mode and maps to HttpForbiddenHandler, because the MVC routing works differently in Integrated Mode and you never want to allow access to view files directly.

There may be IsapiModule mappings for classic ASP or CGI; like the ASP.NET mappings, these are there to handle requests for files with certain extensions.

The second biggest group are the type="System. handlers; let's look at them:

System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory

Handles *.rem and *.soap files in integrated mode. Can be removed if you are not using remoting.

System.ServiceModel.Activation.HttpHandler, System.ServiceModel.Activation

Handles certain WCF requests with *.rules,*.xoml,*.svc extensions.

System.Web.Handlers.AssemblyResourceLoader

Handles WebResource.axd requests, these may be used in WebForms, but usually not in MVC projects.

System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions

For handling ScriptResource.axd which provides JavaScript and CSS resources in WebForms.

System.Web.Handlers.TraceHandler

Handler for trace.axd to display ASP.NET trace information. On a production site, you want to remove this handler.

System.Web.Handlers.TransferRequestHandler

Used to handle extensionless requests in Integrated Mode. This forwards the request to the routing engine to decide how to handle it.

System.Web.Handlers.WebAdminHandler

Handles WebAdmin.axd to display the ASP.NET Website Administration Toolkit, you can remove this if you don't use that builtin feature.

System.Web.HttpForbiddenHandler

Allows us to prevent access to any files with certain extensions. However, it returns a 500 HTTP status and actually throws a System.Web.HttpException on the server. In my opinion there are better ways to block certain extensions, such as IIS Request Filtering.

System.Web.HttpMethodNotAllowedHandler

I think this one is no longer used in modern IIS; it returns a 405 HTTP status and also throws an HttpException.

System.Web.HttpNotFoundHandler

Also no longer in my current configuration. It throws a 404 HTTP exception.

System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions

Handles *.asmx and *_AppService.axd to support Web service calls via Ajax.

System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services

Also handles *.asmx web service requests in Integrated Mode for .NET 2.

System.Web.StaticFileHandler

Returns a static file, no longer used?

System.Web.UI.PageHandlerFactory

Handles ASP.NET WebForm pages .aspx in integrated mode.

System.Web.UI.SimpleHandlerFactory

Handles ASP.NET custom handlers .ashx in integrated mode.

System.Xaml.Hosting.XamlHttpHandlerFactory, System.Xaml.Hosting

Handles Windows Workflow Foundation services .xamlx in integrated mode.

More handlers:

modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"

This is usually the very last mapping, with path="*" verb="*", to handle any request that has not been handled by any of the previous handlers. It actually uses three different modules. The StaticFileModule looks for a physical file matching the requested URL; if none is found, the DefaultDocumentModule looks for a default document in the same folder as the requested URL, and if that is also not found, the DirectoryListingModule may display the content of the directory if enabled.

modules="ProtocolSupportModule"

This handles all requests for the HTTP verbs TRACE and OPTIONS. If you remove this mapping, all TRACE and OPTIONS requests will return a "405 Method Not Allowed".

Cᴏʀʏ
Peter Hahndorf
    I can't believe there is no documentation from Microsoft about this subject. They are usually pretty good with documentation. Sadly, it looks like this is the best answer we are going to get for now. – Muhammad Rehan Saeed Apr 08 '15 at 10:01
  • "For a basic MVC project it may be enough to add.." yes, and now you've gone and granted access to ".cshtml" files without further work to restrict access.. **The .cshtml handlers are to block access, not provide it.** – user2864740 Sep 30 '20 at 21:28
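As an added example that is not part of Peter Hahndorf's answer or of any IIS tooling, the Python script below applies the answer's reasoning to a `<handlers>` section: it sets aside mappings whose preCondition never matches the pool's mode, bitness and runtime, and separates accepting handlers from rejecting ones (HttpForbiddenHandler and its relatives), which the comments above warn must not be removed without a request-filtering replacement. The XML excerpt is a constructed sample that reuses handler names from this page, not a copy of applicationHost.config.

```python
# Added example, not from the original answer. SAMPLE_HANDLERS is a constructed
# excerpt in applicationHost.config syntax using handler names from this page.
import xml.etree.ElementTree as ET

SAMPLE_HANDLERS = """<handlers>
  <add name="cshtml-ISAPI-4.0_32bit" path="*.cshtml" modules="IsapiModule"
       preCondition="classicMode,runtimeVersionv4.0,bitness32" />
  <add name="cshtml-ISAPI-4.0_64bit" path="*.cshtml" modules="IsapiModule"
       preCondition="classicMode,runtimeVersionv4.0,bitness64" />
  <add name="cshtml-Integrated-4.0" path="*.cshtml" type="System.Web.HttpForbiddenHandler"
       preCondition="integratedMode,runtimeVersionv4.0" />
  <add name="TraceHandler-Integrated-4.0" path="trace.axd" type="System.Web.Handlers.TraceHandler"
       preCondition="integratedMode,runtimeVersionv4.0" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." type="System.Web.Handlers.TransferRequestHandler"
       preCondition="integratedMode,runtimeVersionv4.0" />
  <add name="StaticFile" path="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" />
</handlers>"""

# Handler types that block a request instead of serving it (see the answer above);
# removing one *opens* its path unless request filtering takes over the block.
REJECTING_TYPES = {"System.Web.HttpForbiddenHandler", "System.Web.HttpNotFoundHandler",
                   "System.Web.HttpMethodNotAllowedHandler"}

# preCondition token groups: a mapping applies only if, for every group it names,
# the pool's own token is among those named (no preCondition means always).
GROUPS = ({"integratedMode", "classicMode"}, {"bitness32", "bitness64"},
          {"runtimeVersionv2.0", "runtimeVersionv4.0"})

def applies(precondition, mode="integratedMode", bitness="bitness64",
            runtime="runtimeVersionv4.0"):
    """True if the mapping is active for the given application pool."""
    conds = {c.strip() for c in precondition.split(",") if c.strip()}
    for group, have in zip(GROUPS, (mode, bitness, runtime)):
        wanted = conds & group
        if wanted and have not in wanted:
            return False
    return True

def audit(handlers_xml, **pool):
    """Sort mapping names into inactive (never run in this pool), rejecting, accepting."""
    out = {"inactive": [], "rejecting": [], "accepting": []}
    for h in ET.fromstring(handlers_xml).findall("add"):
        if not applies(h.get("preCondition", ""), **pool):
            out["inactive"].append(h.get("name"))   # safe to drop for this pool
        elif h.get("type", "") in REJECTING_TYPES:
            out["rejecting"].append(h.get("name"))  # keep, or replace with requestFiltering
        else:
            out["accepting"].append(h.get("name"))
    return out
```

Call `audit(SAMPLE_HANDLERS)` for a 64-bit Integrated Mode v4.0 pool, or pass `mode="classicMode", bitness="bitness32"` to see the same list from a Classic Mode 32-bit pool's point of view.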

Answer to this:

Where can I get a list of what all of the default IIS HTTP handlers do?

Open IIS (CMD --> inetmgr), then click Handler Mappings; see the screenshot below.


Click that, it will show you all default enabled HTTP handlers for that web server.


Note: when you select a virtual directory and then do this process, i.e. click Handler Mappings and remove one of the mappings, it will add that line to web.config.

E.g. I have removed aspq-ISAPI-4.0_64bit, so it has changed web.config for that virtual directory, i.e. it has added following line to web.config.

<remove name="aspq-ISAPI-4.0_64bit" /> under system.webServer\handlers.

Update: these handlers are invoked when a request for their particular file type comes in; until then they sit idle. So there won't be any performance issue with these handlers.

For example, if you say that removing the handler for *.axd will improve security, my answer to this is: some DLL might need those files for rendering JS and CSS, and if you remove it, it will not work. E.g. HTTP Handler cannot find axd file in nested web application folder: Telerik RadScriptManager cannot find WebResource.axd in ~/admin/ folder.

user2864740
Arindam Nayak
  • This tells me where I can get a list of them but not what the purpose of each of these HTTP handlers is. – Muhammad Rehan Saeed Mar 12 '15 at 16:56
  • I think you have asked that question only, and I have tried my best to answer it, but I can answer the one you asked: the purpose of each handler is to handle the requests for that particular file type. – Arindam Nayak Mar 12 '15 at 17:11

I ran into the same question last week, and after a lot of research I think I found something similar on GitHub:

List of "insecure handlers": https://gist.github.com/marcbarry/47644b4a43fbfb63ef54

Someone
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. (From Review) – Jan Jul 23 '22 at 19:57