ISAPI/CGI Restrictions <isapiCgiRestriction>


The <isapiCgiRestriction> element of the <security> element allows you to specify a list of Common Gateway Interface (CGI) and Internet Server Application Programming Interface (ISAPI) applications that can run on Internet Information Services (IIS) 7. This element allows you to ensure that malicious users cannot copy unauthorized CGI and ISAPI binaries to your Web server and then run them.

You need to use this element to configure your Web server only when a site or application uses an application pool that runs in Classic mode. The restrictions you configure in the <isapiCgiRestriction> element apply to only ISAPI and CGI code.

The <isapiCgiRestriction> element contains a collection of <add> elements. Each <add> element defines a distinct binary that cannot run on an IIS 7 server in Classic mode.

For example, if you created an ASP.NET 2.0 application and configured the application to use an application pool that runs in Classic mode, any requests for the ASP.NET application must go through the aspnet_isapi.dll to be processed. To make sure that IIS processes the ASP.NET requests, IIS populates the <isapiCgiRestriction> element with an <add> element that contains an allowed attribute with its value set to true.

If you changed the allowed attribute to false and left the application pool in Classic mode, ASP.NET requests would fail. However, if you changed the application pool to Integrated mode, IIS processes the ASP.NET requests using the integrated request pipeline, which bypasses the ISAPI and CGI restriction you configured.

The <isapiCgiRestriction> element works in tandem with the <applicationDependencies> element to define which applications have dependencies on one or more CGI or ISAPI extension restrictions.


Version Notes
IIS 7.5 The <isapiCgiRestriction> element was not modified in IIS 7.5.
IIS 7.0 The <isapiCgiRestriction> element was introduced in IIS 7.0.
IIS 6.0 The <isapiCgiRestriction> collection replaces the WebSvcExtRestrictionList property of the IIS 6.0 IIsWebService metabase object.


The <isapiCgiRestriction> collection is available only after you install the CGI or ISAPI Extensions modules on your IIS 7 server. You cannot install it independent of those features.

Windows Server 2008 or Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select CGI or ISAPI Extensions.

  5. If the Add role services dialog appears, click Add Required Role Services. (This page appears only if you have not already installed any prerequisite role services on your server.)
  6. On the Select Role Services page, click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

Windows Vista or Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. In the Windows Features dialog box, expand Internet Information Services, then World Wide Web Services, then Application Development Features.
  4. Select CGI or ISAPI Extensions, and then click OK.

How To

How to add an ISAPI or CGI restriction

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, click the server name.
  3. In the Home pane, double-click ISAPI and CGI Restrictions.

  4. In the Actions pane, click Add...
  5. In the Add ISAPI or CGI Restriction dialog box, type the path to the binary you want to add in the ISAPI or CGI path box, type the description of the binary in the Description box, select the Allow extension path option to execute check box to allow the binary to run on the server, and then click OK.


The <isapiCgiRestriction> collection can only be configured at the server level in the ApplicationHost.config file.


Attribute Description
notListedIsapisAllowed Optional Boolean attribute.

Specifies whether unlisted ISAPI modules are allowed to run on this server.

The default value is false.
notListedCgisAllowed Optional Boolean attribute.

Specifies whether unlisted CGI programs are allowed to run on this server.

The default value is false.

Child Elements

Element Description
add Optional element.

Adds a restriction to the collection of ISAPI and CGI restrictions.
remove Optional element.

Removes a reference to a restriction from the isapiCgiRestriction collection.
clear Optional element.

Removes all references to restrictions from the isapiCgiRestriction collection.

Configuration Sample

The following configuration example is the <isapiCgiRestriction> element configuration for IIS 7.0 after you install ASP and ASP.NET version 2.0.

      <add allowed="true" groupId="ASP"
         description="Active Server Pages" />
      <add allowed="true" groupId="ASP.NET v2.0.50727"
         description="ASP.NET v2.0.50727" />

Sample Code

The following examples add an ISAPI/CGI restriction for a custom ISAPI extension that is located in the content folder for a Web site that is located in C:\Inetpub\\wwwroot. The examples specify the name, path, and group of the ISAPI extension, and enable the extension.


appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /+"[path='C:\Inetpub\\wwwroot\isapi\custom.dll',allowed='True',groupId='ContosoGroup',description='Contoso Extension']" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
   private static void Main()
      using (ServerManager serverManager = new ServerManager())
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection isapiCgiRestrictionSection = config.GetSection("system.webServer/security/isapiCgiRestriction");
         ConfigurationElementCollection isapiCgiRestrictionCollection = isapiCgiRestrictionSection.GetCollection();

         ConfigurationElement addElement = isapiCgiRestrictionCollection.CreateElement("add");
         addElement["path"] = @"C:\Inetpub\\wwwroot\isapi\custom.dll";
         addElement["allowed"] = true;
         addElement["groupId"] = @"ContosoGroup";
         addElement["description"] = @"Contoso Extension";



Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim isapiCgiRestrictionSection As ConfigurationSection = config.GetSection("system.webServer/security/isapiCgiRestriction")
      Dim isapiCgiRestrictionCollection As ConfigurationElementCollection = isapiCgiRestrictionSection.GetCollection

      Dim addElement As ConfigurationElement = isapiCgiRestrictionCollection.CreateElement("add")
      addElement("path") = "C:\Inetpub\\wwwroot\isapi\custom.dll"
      addElement("allowed") = True
      addElement("groupId") = "ContosoGroup"
      addElement("description") = "Contoso Extension"

   End Sub
End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var isapiCgiRestrictionSection = adminManager.GetAdminSection("system.webServer/security/isapiCgiRestriction", "MACHINE/WEBROOT/APPHOST");
var isapiCgiRestrictionCollection = isapiCgiRestrictionSection.Collection;

var addElement = isapiCgiRestrictionCollection.CreateNewElement("add");
addElement.Properties.Item("path").Value = "C:\\Inetpub\\\\wwwroot\\isapi\\custom.dll";
addElement.Properties.Item("allowed").Value = true;
addElement.Properties.Item("groupId").Value = "ContosoGroup";
addElement.Properties.Item("description").Value = "Contoso Extension";



Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set isapiCgiRestrictionSection = adminManager.GetAdminSection("system.webServer/security/isapiCgiRestriction", "MACHINE/WEBROOT/APPHOST")
Set isapiCgiRestrictionCollection = isapiCgiRestrictionSection.Collection

Set addElement = isapiCgiRestrictionCollection.CreateNewElement("add")
addElement.Properties.Item("path").Value = "C:\Inetpub\\wwwroot\isapi\custom.dll"
addElement.Properties.Item("allowed").Value = True
addElement.Properties.Item("groupId").Value = "ContosoGroup"
addElement.Properties.Item("description").Value = "Contoso Extension"

Deprecated Elements