Steps to set Read, Script, and Execute permissions in IIS 7

  • 2020-06-15 10:30:03
  • OfStack

For IIS servers, access policies are set by configuring feature permissions, which specify the types of permissions that all handlers at a Web server, site, application, directory, or file level in IIS can have. The feature permissions that can be enabled or disabled in the access policy are Read, Script, and Execute. Whether a handler runs is determined by the access policy and the access setting the handler requires. If a handler requires a feature permission type that is not enabled in the access policy, the handler is disabled and all requests processed by that handler (according to the handler mapping) fail unless another handler can process the request.

In IIS 5 and IIS 6, you configure a site's permissions (read, write, script source access, directory browsing, log visits, scripts only, and scripts and executables) through the site's properties. These permissions are as follows:

Read: Users can view file contents and properties.

Write: Users can change file contents and properties.

Script source access: Users can access the source code of files, such as the scripts in an Active Server Pages (ASP) application. This option is available only if read or write permission is assigned. If read permission is assigned, the source code can be read; if write permission is assigned, the source code can also be written.

Directory browsing: Users can view lists and collections of files.

Log visits: A log entry is created for each visit to the site.

Index this resource: Allows the Indexing Service to index the resource.

Scripts only: Setting the application's permissions to "scripts only" lets applications mapped to a script engine run in this directory without the executable permission being set. "Scripts only" is safer than "scripts and executables" because it limits the applications that can run in the directory.

Scripts and executables: Setting the application's permissions to "scripts and executables" lets any application run in this directory, including applications mapped to a script engine and Windows binary files (.dll and .exe files).

In IIS 7, however, the corresponding options are not found in the same place. They have not been removed; the configuration method is as follows:

1. Open IIS Manager and navigate to the level you want to manage;

2. In "Features View", on the server, site, or application Home page, double-click "Handler Mappings";

3. In the Actions pane, click "Edit Feature Permissions";

4. In the "Edit Feature Permissions" dialog box, perform the following actions:

Select Read to enable handlers that require read access to virtual directories, and clear Read to disable handlers that require read access to virtual directories.

Select Script to enable handlers that require script permissions on the virtual directory, and clear Script to disable handlers that require script permissions on the virtual directory.

Select Execute to enable handlers that require execute permissions on the virtual directory, and clear Execute to disable handlers that require execute permissions on the virtual directory. The Execute option is enabled only when Script is selected.

5. Click OK.

Permissions can also be configured from the command line. The syntax is as follows:

appcmd set config /section:handlers /accessPolicy:NoRemoteScript|NoRemoteExecute|NoRemoteRead|NoRemoteWrite|Script|Source|Execute|Write|Read|None

We can specify one or more of these options for the accessPolicy attribute, or None. If more than one value is specified, separate each value with a comma (,). For example, to enable a handler that requires Read or Script permissions, type the following command at the command prompt, and then press Enter:

appcmd set config /section:handlers /accessPolicy:Read,Script
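
The following added example, which is not part of the original article, reads accessPolicy values from IIS configuration XML and reports every scope that enables Execute, Write or Source. The sample configuration and its site names are constructed, and treating those three flags as the ones to review is this example's assumption.

```python
import xml.etree.ElementTree as ET
# Flags accepted by accessPolicy, as listed in the appcmd syntax above.
KNOWN_FLAGS = {"NoRemoteScript", "NoRemoteExecute", "NoRemoteRead", "NoRemoteWrite",
               "Script", "Source", "Execute", "Write", "Read", "None"}
# Assumption of this example: these flags deserve a manual review when enabled.
REVIEW_FLAGS = {"Execute", "Write", "Source"}
# Constructed sample in the layout of applicationHost.config; site names are made up.
SAMPLE_CONFIG = """
<configuration>
  <location path="">
    <system.webServer><handlers accessPolicy="Read, Script" /></system.webServer>
  </location>
  <location path="Example Site/cgi-bin">
    <system.webServer><handlers accessPolicy="Read, Script, Execute" /></system.webServer>
  </location>
  <location path="Example Site/uploads">
    <system.webServer><handlers accessPolicy="Read" /></system.webServer>
  </location>
  <location path="Example Site/dav">
    <system.webServer><handlers accessPolicy="Read, Write, Source" /></system.webServer>
  </location>
</configuration>
"""

def parse_policy(value):
    """Split a comma-separated accessPolicy value into a set of flags."""
    flags = {f.strip() for f in value.split(",") if f.strip()}
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown accessPolicy flag(s): {sorted(unknown)}")
    return flags - {"None"}

def audit(config_xml):
    """Return {scope: sorted flags needing review} for every <handlers> element."""
    findings = {}
    root = ET.fromstring(config_xml)
    # <handlers> directly under <configuration> (web.config style) is the file's own scope.
    scopes = [("(this file)", root)] + [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for name, node in scopes:
        handlers = node.find("system.webServer/handlers")
        if handlers is not None and handlers.get("accessPolicy"):
            risky = parse_policy(handlers.get("accessPolicy")) & REVIEW_FLAGS
            if risky:
                findings[name or "(server)"] = sorted(risky)
    return findings

if __name__ == "__main__":
    for scope, flags in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: review {', '.join(flags)}")
```
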

