From 4bdf70d675708aae0500054b07576dbd7a1aca88 Mon Sep 17 00:00:00 2001 From: Steve Molloy Date: Tue, 13 May 2025 16:46:18 -0700 Subject: [PATCH 1/3] 'accessPolicy' is a little mis-represented. And definitely needs to call out that preventing execution does not necessarily prevent initialization. --- iis/configuration/system.webServer/handlers/add.md | 2 +- iis/configuration/system.webServer/handlers/index.md | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/iis/configuration/system.webServer/handlers/add.md b/iis/configuration/system.webServer/handlers/add.md index 32ae8170b..34f6e8b6e 100644 --- a/iis/configuration/system.webServer/handlers/add.md +++ b/iis/configuration/system.webServer/handlers/add.md @@ -107,7 +107,7 @@ The `` element of the `` collection is included in the default in | `name` | Required string attribute.

Specifies the unique name of the handler mapping. | | `path` | Required string attribute.

Specifies the file name or the file name extension for which the handler mapping applies. | | `preCondition` | Optional string attribute.

Specifies conditions under which the handler will run.

The **preCondition** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,).
Value Description
bitness32 Specify the bitness32 value when the handler is a 32-bit .dll file, and IIS should load the handler only for worker processes that run in WOW64 mode (32-bit simulation) on a 64-bit operating system.
bitness64 Specify the bitness64 value when the handler is a 64-bit .dll file, and IIS should load the handler only for worker processes that run in 64-bit mode.
integratedMode Specify the integratedMode value when the handler should respond only to requests in application pools that are configured to use the integrated request-processing pipeline.
ISAPIMode Specify the ISAPIMode value when the handler should respond only to requests in application pools that are configured to use Classic mode.
runtimeVersionv1.1 Specify the runtimeVersionv1.1 value when the handler should respond only to requests in application pools that are configured to use .NET Framework version 1.1.
runtimeVersionv2.0 Specify the runtimeVersionv2.0 value when the handler should respond only to requests in application pools that are configured to use .NET Framework version 2.0.
| -| `requireAccess` | Optional enum attribute.

Specifies the type of access that a handler requires to the resource.

The **requireAccess** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default value is `Script`.
Value Description
Execute Specifies that the handler requires rights to run executables.

The numeric value is 4.
None Specifies that the handler does not have access requirements.

The numeric value is 0.
Read Specifies that the handler requires read permissions.

The numeric value is 1.
Script Specifies that the handler requires rights to run scripts.

The numeric value is 3.
Write Specifies that the handler requires write permissions.

The numeric value is 2.
| +| `requireAccess` | Optional enum attribute.

Specifies the access level at which a handler will execute.

The **requireAccess** attribute can be one or more of the following possible values. If you specify more than one value, separate the values with a comma (,). The default value is `Script`.

**Note:** Even if a handler’s **requireAccess** value does not match the current `accessPolicy` level, it remains part of the configured set of handlers and may be initialized, although it will not be executed.
Value Description
Execute Specifies that the handler requires rights to run executables.

The numeric value is 4.
None Specifies that the handler does not have access requirements.

The numeric value is 0.
Read Specifies that the handler requires read permissions.

The numeric value is 1.
Script Specifies that the handler requires rights to run scripts.

The numeric value is 3.
Write Specifies that the handler requires write permissions.

The numeric value is 2.
| | `resourceType` | Optional string attribute.

Specifies the type of resource to which the handler mapping applies.

The **resourceType** attribute can be one of the following possible values. The default value is `Unspecified`.
Value Description
Directory Specifies that the handler mapping applies to requests only for physical folders on disk.

The numeric value is 1.
Either Specifies that the handler mapping applies to requests for physical files or folders on disk.

The numeric value is 2.
File Specifies that the handler mapping applies to requests only for physical files on disk.

The numeric value is 0.
Unspecified Specifies that the mapping type is not specified. The handler mapping applies to requests regardless of whether the request maps to a physical file or folder on disk. Use this setting when you map a handler to a file name or file name extension that does not exist on disk, such as MyHandler.axd.

The numeric value is 3.
| | `responseBufferLimit` | Optional uint attribute.

Specifies the maximum size, in bytes, of the response buffer for a request handler.

The default value is `4194304` bytes. | | `scriptProcessor` | Optional string attribute.

Specifies the physical path of the ISAPI extension .dll file or Common Gateway Interface (CGI) .exe file that processes the request.

The scriptProcessor attribute is required only for script map handler mappings. When you map a handler to an ISAPI extension, you must specify ISAPIModule for the modules attribute. When you map a handler to a CGI file, you must specify CGIModule for the modules attribute. | diff --git a/iis/configuration/system.webServer/handlers/index.md b/iis/configuration/system.webServer/handlers/index.md index 1bfc792a8..5df6ce138 100644 --- a/iis/configuration/system.webServer/handlers/index.md +++ b/iis/configuration/system.webServer/handlers/index.md @@ -110,7 +110,10 @@ You configure the `` element at the application level in the Web.confi | Attribute | Description | | --- | --- | -| `accessPolicy` | Optional flags attribute.

Specifies the allowed access types for the entire handlers collection.

The **accessPolicy** attribute can be one of the following possible values. The default is `Read`.
Value Description
Execute Enables handlers in the handlers collection that require execute rights in directories and files.
None Disables all handlers in the handlers collection that require access to directories or files.
NoRemoteExecute Prevents handlers in the handlers collection from running executables when a handler receives a remote request.
NoRemoteRead Prevents handlers in the handlers collection from reading files when a handler receives a remote request.
NoRemoteScript Prevents handlers in the handlers collection from running scripts when a handler receives a remote request.
NoRemoteWrite Prevents handlers in the handlers collection from creating or changing files when a handler receives a remote request.
Read Enables handlers in the handlers collection that require read access to directories and files.
Script Enables handlers in the handlers collection that require script rights to directories or files.
Source Enables handlers in the handlers collection that require read access to source code (together with the Read flag) or write access to source code (together with the Write flag).
Write Enables handlers in the handlers collection that require write access to directories and files.
| +| `accessPolicy` | Optional flags attribute.

Specifies what level of access types for the entire handlers collection.

The **accessPolicy** attribute can be one of the following possible values. The default is `Read`.
Value Description
Execute Enables handlers in the handlers collection that require execute rights in directories and files.
None Disables all handlers in the handlers collection that require access to directories or files.
NoRemoteExecute Prevents handlers in the handlers collection from running executables when a handler receives a remote request.
NoRemoteRead Prevents handlers in the handlers collection from reading files when a handler receives a remote request.
NoRemoteScript Prevents handlers in the handlers collection from running scripts when a handler receives a remote request.
NoRemoteWrite Prevents handlers in the handlers collection from creating or changing files when a handler receives a remote request.
Read Enables handlers in the handlers collection that require read access to directories and files.
Script Enables handlers in the handlers collection that require script rights to directories or files.
Source Enables handlers in the handlers collection that require read access to source code (together with the Read flag) or write access to source code (together with the Write flag).
Write Enables handlers in the handlers collection that require write access to directories and files.
| + +> [!NOTE] +> The `accessPolicy` attribute is not an enforceable security policy but rather a filtering mechanism that determines which handlers execute based on their `requiredAccess` attribute when configured. A filtered handler is still part of the configuration and may be initialized, even though it will not be selected to execute based on this attribute. ### Child Elements From 039fa71fbad222b166be6b9108fed22b639c52ea Mon Sep 17 00:00:00 2001 From: Wade Pickett Date: Mon, 19 May 2025 08:05:36 -0700 Subject: [PATCH 2/3] Update add.md Updated ms.date --- iis/configuration/system.webServer/handlers/add.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iis/configuration/system.webServer/handlers/add.md b/iis/configuration/system.webServer/handlers/add.md index 34f6e8b6e..c4a7ef17c 100644 --- a/iis/configuration/system.webServer/handlers/add.md +++ b/iis/configuration/system.webServer/handlers/add.md @@ -2,7 +2,7 @@ title: "Adding Handlers <add>" author: rick-anderson description: "Overview The <add> element of the <handlers> collection adds a handler to the list of HTTP handlers for Internet Information Services (IIS) 7. Co..." -ms.date: 09/26/2016 +ms.date: 05/19/2025 ms.assetid: 07a497b0-1558-4731-b5db-b9a2a80ea7d5 msc.legacyurl: /configreference/system.webserver/handlers/add msc.type: config From 61c81a5c7b39e9e42b75cb3331997282e189f079 Mon Sep 17 00:00:00 2001 From: Wade Pickett Date: Mon, 19 May 2025 08:06:23 -0700 Subject: [PATCH 3/3] Update index.md --- iis/configuration/system.webServer/handlers/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iis/configuration/system.webServer/handlers/index.md b/iis/configuration/system.webServer/handlers/index.md index 5df6ce138..5f3888ef7 100644 --- a/iis/configuration/system.webServer/handlers/index.md +++ b/iis/configuration/system.webServer/handlers/index.md 
@@ -2,7 +2,7 @@ title: "Handlers <handlers>" author: rick-anderson description: "Overview The <handlers> element defines the handlers registered for a specific file name extension or URL. Handlers are Internet Information Services (..." -ms.date: 09/26/2016 +ms.date: 05/19/2026 ms.assetid: df3cf46c-9d26-4e69-98e9-f2b4dcd2cbfc msc.legacyurl: /configreference/system.webserver/handlers msc.type: config
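Review bot: in the `requireAccess` row of add.md (patch 1/3), the added **Note:** refers to "the current `accessPolicy` level" without saying where that level is set, so a reader who lands on add.md alone cannot tell it is the attribute on the parent handlers collection documented in index.md. Suggest naming the parent element and linking to that page. The value rows beneath the note still read "Specifies that the handler requires rights to ...", which no longer matches the reworded description "Specifies the access level at which a handler will execute."; consider aligning the two.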
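Review bot: the `[!NOTE]` added to index.md (patch 1/3) spells the attribute `requiredAccess`, while add.md in the same patch documents it as `requireAccess`; the name should match so that a search for it finds the right row. In the same hunk, the replacement description "Specifies what level of access types for the entire handlers collection." has no verb after "what level of access types" and reads as an incomplete sentence. The trailing "when configured" in the note is also ambiguous about whether it refers to `accessPolicy` or to the handler's own attribute; stating which one would make the initialized-but-not-executed point easier to act on.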
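Review bot: `ms.date: 05/19/2026` in the index.md front matter (patch 3/3) is a year ahead of the commit date of 19 May 2025 and of the `ms.date: 05/19/2025` that patch 2/3 sets on add.md. This looks like a typo for `05/19/2025`. The commit message "Update index.md" also does not say what changed; "Updated ms.date", as in patch 2/3, would keep the two consistent.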