Forbidden Resources


To prevent protected resources and files from being downloaded over HTTP, map them to the ASP.NET HttpForbiddenHandler.

Map Protected Resources to HttpForbiddenHandler

HTTP handlers are located in Machine.config beneath the <httpHandlers> element. HTTP handlers are responsible for processing Web requests for specific file extensions. Remoting should not be enabled on front-end Web servers; enable Remoting only on middle-tier application servers that are isolated from the Internet.

The following file extensions are mapped in Machine.config to HTTP handlers:

  • .aspx is used for ASP.NET pages.

  • .rem and .soap are used for Remoting.

  • .asmx is used for Web Services.

  • .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp, .licx, .resx, and .resources are protected resources and are mapped to System.Web.HttpForbiddenHandler.

For .NET Framework resources, if you do not use a file extension, then map the extension to System.Web.HttpForbiddenHandler in Machine.config, as shown in the following example:

<add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />

In this case, the .vbproj file extension is mapped to System.Web.HttpForbiddenHandler. If a client requests a path that ends with .vbproj, then ASP.NET returns a message that states "This type of page is not served."

The following guidelines apply to handling .NET Framework file extensions:

  • Map extensions you do not use to HttpForbiddenHandler. If you do not serve ASP.NET pages, then map .aspx to HttpForbiddenHandler. If you do not use Web Services, then map .asmx to HttpForbiddenHandler.

  • Disable Remoting on Internet-facing Web servers. Map remoting extensions (.soap and .rem) on Internet-facing Web servers to HttpForbiddenHandler.
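As an added example (not code from the book), the following Python script audits an <httpHandlers> section and lists the extensions discussed above that are not yet mapped to System.Web.HttpForbiddenHandler. The configuration it checks is a constructed sample, not a real Machine.config; the caller names the features (Remoting, Web Services, ASP.NET pages) the server does not need.

```python
"""Audit ASP.NET <httpHandlers> mappings against the HttpForbiddenHandler guidance."""
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Extensions the guidance says must always be forbidden.
PROTECTED = {".asax", ".ascx", ".config", ".cs", ".csproj", ".vb", ".vbproj",
             ".webinfo", ".asp", ".licx", ".resx", ".resources"}
# Feature extensions that should be forbidden when the feature is not used.
FEATURES = {".rem": "Remoting", ".soap": "Remoting",
            ".asmx": "Web Services", ".aspx": "ASP.NET pages"}

# Constructed sample (not a real Machine.config): Remoting and Web Services are
# still served, and only two of the protected extensions are forbidden.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.aspx" type="System.Web.UI.PageHandlerFactory" />
      <add verb="*" path="*.rem" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting" />
      <add verb="*" path="*.soap" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting" />
      <add verb="*" path="*.asmx" type="System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services" />
      <add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.cs" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>"""


def handler_map(config_xml):
    """Return {extension: handler type name} for every <add> under <httpHandlers>."""
    handlers = ET.fromstring(config_xml).find(".//httpHandlers")
    mapping = {}
    for add in (handlers.iter("add") if handlers is not None else ()):
        path = add.get("path", "")
        if path.startswith("*."):
            # Keep only the type name; drop any trailing ", Assembly" qualifier.
            mapping[path[1:].lower()] = add.get("type", "").split(",")[0].strip()
    return mapping


def audit(config_xml, unused_features=()):
    """Return sorted extensions that should map to HttpForbiddenHandler but do not."""
    mapping = handler_map(config_xml)
    required = set(PROTECTED)
    required |= {ext for ext, feat in FEATURES.items() if feat in unused_features}
    return sorted(ext for ext in required if mapping.get(ext) != FORBIDDEN)


if __name__ == "__main__":
    for ext in audit(SAMPLE_CONFIG, unused_features=("Remoting",)):
        print(f"{ext}: not mapped to {FORBIDDEN}")
```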




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
