Information
Handler mappings can be configured to give permissions to Read, Write, Script, or Execute depending on what the use is for - reading static content, uploading files, executing scripts, etc. It is recommended to grant a handler either Execute/''Script or Write permissions, but not both.
Rationale:
By allowing both Execute/_Script_ and Write permissions, a handler can run malicious code on the target server. Ensuring these two permissions are never together will help lower the risk of malicious code being executed on the server.
Solution
The accessPolicy attribute in the <handlers> section of either the ApplicationHost.config (server-wide) or web.config (site or application) must not have Write present when Script or Execute are present. To resolve this issue for a Web server, the attribute in the <handlers> section of the ApplicationHost.config file for the server must manually be edited. To edit the ApplicationHost.config file by using Notepad, perform the following steps:
Open Notepad as Administrator
Open the ApplicationHost.config file in %systemroot%\\system32\\inetsrv\\config
Edit the <handlers> section accessPolicy attribute so that Write is not present when Script or Execute are present
To set this Request Filter using an AppCmd.exe command, run the following command at an elevated command prompt:
%systemroot%\system32\inetsrv\appcmd set config /section:handlers /accessPolicy:Read,Script
Note: This configuration change cannot be made by using IIS Manager.