In the past, vulnerabilities in ISAPI filters caused significant IIS exploitation. There are no unneeded ISAPI filters after a clean IIS installation, although the .NET Framework installs the ASP.NET ISAPI filter (Aspnet_filter.dll), which is loaded into the IIS process address space (Inetinfo.exe) and is used to support cookie-less session state management.
If your applications do not need to support cookie-less session state and they do not set the cookieless attribute to true on the <sessionState> element, this filter can be removed.
During this step, you remove unused ISAPI filters.
Remove any unused ISAPI filters as explained in the following section.
Task To view ISAPI filters
To start IIS, select Internet Services Manager from the Administrative Tools programs group .
Right-click the machine (not Web site, because filters are machine wide), and then click Properties .
Click Edit .
Click the ISAPI Filters tab.
The tabbed page shown in Figure 16.5 is displayed:
Figure 16.5: Removing unused ISAPI filters