Security and Performance Enhancements in ASP (IIS 6.0)

In IIS 6.0, ASP has undergone several important changes to improve security and performance:

Default disabling of ASP pages during clean installations of IIS 6.0. In a default installation, the IIS service is installed in a secure mode, and only serves static content. You must enable features such as ASP, ASP.NET, CGI, ISAPI, and WebDAV if you need them. For more information about these features, including how to enable them, see Enabling Dynamic Content.

Secure ASP built-in functions. All ASP built-in functions always run as the low-privileged account, IUSR_ComputerName, or under an authenticated user account if one is selected and has valid credentials.

Default disabling of parent paths. As a security precaution, the metabase property AspEnableParentPaths is now set to zero by default. This new default setting affects Web pages that contain or use the .. notation to refer to a parent directory in the #include SSI directive. Unless you explicitly set this property to true, such Web pages do not respond to a client request (they instead generate a Disallowed Parent Path message).

ASP hang detection. When an IIS Web site is busy, there might be instances when the maximum number of ASP threads are spawned and some of the ASP threads hang, resulting in degraded performance. (Threads are considered to be hung if they do not respond to a timeout.) If sufficient ASP requests hang so that ASP cannot service requests quickly, ASP detects this unhealthy state and requests that the worker process recycle itself.

Monitoring of disk-based caching. The Active Server Pages performance object now provides the Templates Cached counter to monitor disk-based caching in addition to in-memory caching. This counter counts the number of cached ASP files, both on disk and in memory. A new ASP counter, In Memory Templates Cached, reports the number of ASP pages in the memory cache. The default location of the ASP disk cache is systemroot\System32\Inetsrv\ASP Compiled Templates. You can change the cache location by setting the AspDiskTemplateCacheDirectory metabase property.

Anonymous user access for Global.asa events. Earlier versions of ASP executed events in the security context (or user identity) of the host process because during these events there was not necessarily a user context. This sometimes caused access denied errors when writing to a file in the Application_OnEnd or Session_OnEnd event. By default, ASP now runs the Global.asa events, Application_OnEnd and Session_OnEnd, anonymously. Setting the AspRunOnEndAnonymously metabase property to true allows these global ASP functions to run as anonymous user.

Performance enhancements. To limit the amount of memory allocated to ASP pages, IIS 6.0 sets the default value of the AspScriptFileCacheSize metabase property to 500 ASP pages and the default value of the AspScriptEngineCacheMax metabase property to 250 script engines. For sites that include a large set of frequently requested ASP pages, you can increase the number of ASP pages allowed by the AspScriptFileCacheSize property, which improves performance because ASP page compilation is substantially slower than retrieving pages from cache. On a site with only a small number of frequently requested ASP pages, you can save memory by setting a smaller value.

ASP Metabase Properties No Longer in Use in IIS 6.0

The following metabase properties are no longer used by ASP, even though they are still in the metabase for compatibility with existing administration scripts:




In IIS 6.0, all properties that relate to ASP thread gating, such as the ASPThreadGatingModel property, were removed from ASP and the metabase. If you are using scripts to upgrade from IIS 5.0, you might need to make manual adjustments for the properties that were removed.

© 2016 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies