how to remove unnecessery handler mappings from Sharepoint 2010 web application for security purpose

This article explains how to restrict or remove unnecessary handler mappings for  Microsoft SharePoint Foundation web application in the Integrated Request Pipeline of Internet Information Services (IIS) .

As you know Sharepoint has modifed the pipeline for more information about Why Sharepoint modifing the request pipeline please read this topic :

For a general web application you can modify pipleline using:

  • Pipeline Changes at the ASP.NET Framework Level: Sharepoint  does not change any thing for this level that mean sharepoint makes no changes to the machine.config file or the global web.config file.
  • Pipeline Changes at the IIS Configuration Level : The modifications on applicationhost.config file.This file is located in the %WinDir%\System32\inetsrv\config\ directory and it contains registrations of the IIS Web sites and application pools on the server, as well as some settings that apply to all Web applications on the Web server. The settings in applicationhost.config are primarily oriented to the parts of the pipeline that are contributed by IIS, whereas the machine.config and the global web.config files contain settings that are primarily oriented to the parts of the integrated request pipeline that are contributed by ASP.NET.
  • Pipeline Changes at the SharePoint Web Application Level: The modifications on web.config files.
  • Pipeline Changes at the Directory Level : The modifications on directory levels still using web.config files.Particular physical or virtual directories in an IIS Web site can also have their own web.config file to add new settings or override inherited settings. The new settings and overrides, of course, apply only to HTTP requests for resources located within the directory and its subdirectories.

Important ! :In this article scope of “Pipeline Changes at the IIS Configuration Level” so get backup your applicationhost.config file before do anything in %WinDir%\System32\inetsrv\config\

Bellowed configuration is for standart sharepoint web application so if you have some custom codes that need extra handler please add needed handlers to list.

For removing handler mappings

1) open your IIS console.
2) select your Sharepoint Web Application
3) Click Handler Mappings.

And Remove unneceserry handler mappings by selecting and clicking remove button on iis console.

 The handlers in  picture below are the needed ones so don’t delete them.

So sharepoint is not use any .net framework 4.0 components and the other iis default isapi extentions.
Always make a test that your site is working correctly. For testing use these starting points:

  • Test Pages
  • Test System Pages
  • Test File Upload
  • Test Search
  • Test Sharepoint Designer Connection
  • Add your custom test items.

see you next articles.


What Is the Difference Between an ISAPI Server Extension and a Filter?

ISAPI Extentions
Runs when referenced in a URL. 
Is explicitly invoked, for example by http://myserver/myprog.dll?. 
Is loaded on demand, the first time a user calls it. 

ISAPI Filters
Is called for every URL the server processes.
Runs automatically for any URL sent to the server if the registered event occurs.
Is loaded when the service starts because of its registry entry.
Both server extensions and filters:

Share the process space of the service.
Must be thread safe.
Once loaded, remain in memory (until the service is stopped or the memory is needed by another process).

If you want to use custom ISAPI filter/extention you gonna write unmanaged code somehow. If its hard to code in more basic in IIS with c++,  you can use managed code  using c#,vb also IIS supports with .net framework and have similar structures at upper level (i mean using aspnet_isapi.dll) and you figure out that  ISAPI Filters are much like HttpModules and ISAPI Extentions are very like HttpHandlers .

See Also