{
	"id": "6b5ce19e-8502-45e5-98b6-bd52a0fa006d",
	"created_at": "2026-04-06T00:14:44.186468Z",
	"updated_at": "2026-04-10T13:11:22.734537Z",
	"deleted_at": null,
	"sha1_hash": "f30144276b24997aac42e92c6f4af9090b73c796",
	"title": "ISAPI/CGI Restrictions \u003cisapiCgiRestriction\u003e",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 218116,
	"plain_text": "ISAPI/CGI Restrictions \u003cisapiCgiRestriction\u003e\r\nBy Rick-Anderson\r\nArchived: 2026-04-05 12:55:32 UTC\r\nOverview\r\nThe \u003cisapiCgiRestriction\u003e element of the \u003csecurity\u003e element allows you to specify a list of Common Gateway\r\nInterface (CGI) and Internet Server Application Programming Interface (ISAPI) applications that can run on\r\nInternet Information Services (IIS) 7. This element allows you to ensure that malicious users cannot copy\r\nunauthorized CGI and ISAPI binaries to your Web server and then run them.\r\nYou need to use this element to configure your Web server only when a site or application uses an application pool\r\nthat runs in Classic mode. The restrictions you configure in the \u003cisapiCgiRestriction\u003e element apply to only\r\nISAPI and CGI code.\r\nThe \u003cisapiCgiRestriction\u003e element contains a collection of \u003cadd\u003e elements. Each \u003cadd\u003e element defines a\r\ndistinct binary that cannot run on an IIS 7 server in Classic mode.\r\nFor example, if you created an ASP.NET 2.0 application and configured the application to use an application pool\r\nthat runs in Classic mode, any requests for the ASP.NET application must go through the aspnet_isapi.dll to be\r\nprocessed. To make sure that IIS processes the ASP.NET requests, IIS populates the \u003cisapiCgiRestriction\u003e\r\nelement with an \u003cadd\u003e element that contains an allowed attribute with its value set to true.\r\nIf you changed the allowed attribute to false and left the application pool in Classic mode, ASP.NET requests\r\nwould fail. 
However, if you changed the application pool to Integrated mode, IIS processes the ASP.NET requests\r\nusing the integrated request pipeline, which bypasses the ISAPI and CGI restriction you configured.\r\nThe \u003cisapiCgiRestriction\u003e element works in tandem with the \u003capplicationDependencies\u003e element to define\r\nwhich applications have dependencies on one or more CGI or ISAPI extension restrictions.\r\nCompatibility\r\nVersion Notes\r\nIIS 10.0 The \u003cisapiCgiRestriction\u003e element was not modified in IIS 10.0.\r\nIIS 8.5 The \u003cisapiCgiRestriction\u003e element was not modified in IIS 8.5.\r\nIIS 8.0 The \u003cisapiCgiRestriction\u003e element was not modified in IIS 8.0.\r\nIIS 7.5 The \u003cisapiCgiRestriction\u003e element was not modified in IIS 7.5.\r\nIIS 7.0 The \u003cisapiCgiRestriction\u003e element was introduced in IIS 7.0.\r\nIIS 6.0 The \u003cisapiCgiRestriction\u003e collection replaces the WebSvcExtRestrictionList property of the\r\nIIS 6.0 IIsWebService metabase object.\r\nSetup\r\nThe \u003cisapiCgiRestriction\u003e collection is available only after you install the CGI or ISAPI Extensions modules\r\non your IIS 7 and later server. You cannot install it independent of those features.\r\nWindows Server 2012 or Windows Server 2012 R2\r\n1. On the taskbar, click Server Manager.\r\n2. In Server Manager, click the Manage menu, and then click Add Roles and Features.\r\n3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the\r\ndestination server and click Next.\r\n4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Application\r\nDevelopment, and then select CGI or ISAPI Extensions. Click Next.\r\n5. On the Select features page, click Next.\r\n6. 
On the Confirm installation selections page, click Install.\r\n7. On the Results page, click Close.\r\nWindows 8 or Windows 8.1\r\n1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and\r\nthen click Control Panel.\r\n2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.\r\n3. Expand Internet Information Services, expand World Wide Web Services, expand Application\r\nDevelopment Features, and then select CGI or ISAPI Extensions.\r\n4. Click OK.\r\n5. Click Close.\r\nWindows Server 2008 or Windows Server 2008 R2\r\n1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.\r\n2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).\r\n3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.\r\n4. On the Select Role Services page of the Add Role Services Wizard, select CGI or ISAPI Extensions.\r\n5. If the Add role services dialog appears, click Add Required Role Services. (This page appears only if\r\nyou have not already installed any prerequisite role services on your server.)\r\n6. On the Select Role Services page, click Next.\r\n7. On the Confirm Installation Selections page, click Install.\r\n8. On the Results page, click Close.\r\nWindows Vista or Windows 7\r\n1. On the taskbar, click Start, and then click Control Panel.\r\n2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.\r\n3. 
In the Windows Features dialog box, expand Internet Information Services, then World Wide Web\r\nServices, then Application Development Features.\r\n4. Select CGI or ISAPI Extensions, and then click OK.\r\nHow To\r\nHow to add an ISAPI or CGI restriction\r\n1. Open Internet Information Services (IIS) Manager:\r\nIf you are using Windows Server 2012 or Windows Server 2012 R2:\r\nOn the taskbar, click Server Manager, click Tools, and then click Internet Information\r\nServices (IIS) Manager.\r\nIf you are using Windows 8 or Windows 8.1:\r\nHold down the Windows key, press the letter X, and then click Control Panel.\r\nClick Administrative Tools, and then double-click Internet Information Services (IIS)\r\nManager.\r\nIf you are using Windows Server 2008 or Windows Server 2008 R2:\r\nOn the taskbar, click Start, point to Administrative Tools, and then click Internet\r\nInformation Services (IIS) Manager.\r\nIf you are using Windows Vista or Windows 7:\r\nOn the taskbar, click Start, and then click Control Panel.\r\nDouble-click Administrative Tools, and then double-click Internet Information Services\r\n(IIS) Manager.\r\n2. In the Connections pane, click the server name.\r\n3. In the Home pane, double-click ISAPI and CGI Restrictions.\r\n4. In the Actions pane, click Add...\r\n5. 
In the Add ISAPI or CGI Restriction dialog box, type the path to the binary you want to add in the\r\nISAPI or CGI path box, type the description of the binary in the Description box, select the Allow\r\nextension path option to execute check box to allow the binary to run on the server, and then click OK.\r\nConfiguration\r\nThe \u003cisapiCgiRestriction\u003e collection can only be configured at the server level in the ApplicationHost.config\r\nfile.\r\nAttributes\nAttribute Description\nnotListedIsapisAllowed\nOptional Boolean attribute.\nSpecifies whether unlisted ISAPI modules are allowed to run on this server.\nThe default value is false.\nnotListedCgisAllowed\nOptional Boolean attribute.\nSpecifies whether unlisted CGI programs are allowed to run on this server.\nThe default value is false.\nChild Elements\nElement Description\nadd\nOptional element.\nAdds a restriction to the collection of ISAPI and CGI restrictions.\nremove\nOptional element.\nRemoves a reference to a restriction from the isapiCgiRestriction collection.\nclear\nOptional element.\nRemoves all references to restrictions from the isapiCgiRestriction collection.\nConfiguration Sample\nThe following configuration example is the element configuration for IIS 7.0 after you\ninstall ASP and ASP.NET version 2.0.\n\ndescription=\"ASP.NET v2.0.50727\" /\u003e\nSample Code\nThe following examples add an ISAPI/CGI restriction for a custom ISAPI extension that is located in the content\nfolder for a Web site that is located in C:\\Inetpub\\www.contoso.com\\wwwroot. 
The examples specify the name,\npath, and group of the ISAPI extension, and enable the extension.\nAppCmd.exe\nappcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /+\"[path='C:\\Inetpub\\www.contoso.c\nNote\nYou must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these\nsettings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config\nfile.\nC#\nusing System;\nusing System.Text;\nusing Microsoft.Web.Administration;\ninternal static class Sample\n{\n private static void Main()\n {\n using (ServerManager serverManager = new ServerManager())\n {\n Configuration config = serverManager.GetApplicationHostConfiguration();\n ConfigurationSection isapiCgiRestrictionSection = config.GetSection(\"system.webServer/security/isapiCgi\n ConfigurationElementCollection isapiCgiRestrictionCollection = isapiCgiRestrictionSection.GetCollection\n ConfigurationElement addElement = isapiCgiRestrictionCollection.CreateElement(\"add\");\n addElement[\"path\"] = @\"C:\\Inetpub\\www.contoso.com\\wwwroot\\isapi\\custom.dll\";\n addElement[\"allowed\"] = true;\n addElement[\"groupId\"] = @\"ContosoGroup\";\n addElement[\"description\"] = @\"Contoso Extension\";\n isapiCgiRestrictionCollection.Add(addElement);\n serverManager.CommitChanges();\n }\n}\r\n}\r\nVB.NET\r\nImports System\r\nImports System.Text\r\nImports Microsoft.Web.Administration\r\nModule Sample\r\n Sub Main()\r\n Dim serverManager As ServerManager = New ServerManager\r\n Dim config As Configuration = serverManager.GetApplicationHostConfiguration\r\n Dim isapiCgiRestrictionSection As ConfigurationSection = config.GetSection(\"system.webServer/security/isap\r\n Dim isapiCgiRestrictionCollection As ConfigurationElementCollection = isapiCgiRestrictionSection.GetCollec\r\n Dim addElement As 
ConfigurationElement = isapiCgiRestrictionCollection.CreateElement(\"add\")\r\n addElement(\"path\") = \"C:\\Inetpub\\www.contoso.com\\wwwroot\\isapi\\custom.dll\"\r\n addElement(\"allowed\") = True\r\n addElement(\"groupId\") = \"ContosoGroup\"\r\n addElement(\"description\") = \"Contoso Extension\"\r\n isapiCgiRestrictionCollection.Add(addElement)\r\n serverManager.CommitChanges()\r\n End Sub\r\nEnd Module\r\nJavaScript\r\nvar adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');\r\nadminManager.CommitPath = \"MACHINE/WEBROOT/APPHOST\";\r\nvar isapiCgiRestrictionSection = adminManager.GetAdminSection(\"system.webServer/security/isapiCgiRestriction\", \"\r\nvar isapiCgiRestrictionCollection = isapiCgiRestrictionSection.Collection;\r\nvar addElement = isapiCgiRestrictionCollection.CreateNewElement(\"add\");\r\naddElement.Properties.Item(\"path\").Value = \"C:\\\\Inetpub\\\\www.contoso.com\\\\wwwroot\\\\isapi\\\\custom.dll\";\r\naddElement.Properties.Item(\"allowed\").Value = true;\r\naddElement.Properties.Item(\"groupId\").Value = \"ContosoGroup\";\r\naddElement.Properties.Item(\"description\").Value = \"Contoso Extension\";\r\nisapiCgiRestrictionCollection.AddElement(addElement);\r\nadminManager.CommitChanges();\r\nVBScript\r\nSet adminManager = createObject(\"Microsoft.ApplicationHost.WritableAdminManager\")\r\nadminManager.CommitPath = \"MACHINE/WEBROOT/APPHOST\"\r\nSet isapiCgiRestrictionSection = adminManager.GetAdminSection(\"system.webServer/security/isapiCgiRestriction\", \"\r\nSet isapiCgiRestrictionCollection = isapiCgiRestrictionSection.Collection\r\nSet addElement = isapiCgiRestrictionCollection.CreateNewElement(\"add\")\r\naddElement.Properties.Item(\"path\").Value = \"C:\\Inetpub\\www.contoso.com\\wwwroot\\isapi\\custom.dll\"\r\naddElement.Properties.Item(\"allowed\").Value = 
True\r\naddElement.Properties.Item(\"groupId\").Value = \"ContosoGroup\"\r\naddElement.Properties.Item(\"description\").Value = \"Contoso Extension\"\r\nisapiCgiRestrictionCollection.AddElement(addElement)\r\nadminManager.CommitChanges()\r\nSource: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/isapicgirestriction/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/isapicgirestriction/"
	],
	"report_names": [
		"isapicgirestriction"
	],
	"threat_actors": [],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f30144276b24997aac42e92c6f4af9090b73c796.pdf",
		"text": "https://archive.orkl.eu/f30144276b24997aac42e92c6f4af9090b73c796.txt",
		"img": "https://archive.orkl.eu/f30144276b24997aac42e92c6f4af9090b73c796.jpg"
	}
}