How Does ScriptMap Protect a Website?

The IIS web server provides a great feature called "ScriptMap". A script map maps a specific file extension to an executable engine on the web server. You can easily handle many server-side settings with this technology. Moreover, it's a great solution for website protection. You might have added all available solutions to protect your site from hacking, but a script map will give you another layer of protection. This article walks through script maps step by step and gives tips on how to use them properly.

The working principle of a script map is to add a specific file extension, for example ".asp", and point it to an existing scripting library such as ASP.NET, PHP or other libraries. In this way you can use any available executable engine to process your files. Most extensions are configured by default during IIS installation. More details and guidance on how to add a script map handler can be found in this Microsoft KB article.

Top Features of Script Map

Manage ASP.NET Version
ASP.NET installation automatically adds its current DLL mappings to the IIS handler list. Before IIS 7.0, when you wanted to switch the .NET Framework version you had to log in to IIS Manager and then click the ASP.NET tab in the website properties. Normally this freezes IIS Manager for a few seconds or minutes, depending on how busy your server is. It will either slow down the server or simply stop the entire server's IIS process. You have to issue IIS restart commands after the change. That is absolutely not acceptable for a production server. Here hosting providers can take advantage of script maps: all they need to do is map your site to the specific .NET library. It's fast and professional.

Manage PHP Version
Most IIS servers have multiple versions of PHP installed. PHP is configured the same way as ASP.NET and is managed directly from the script map handler. To use the desired PHP version, you just need to add a new PHP mapping that points to its installation directory, and everything is done.

Make Unknown File Extensions Readable
Sometimes your web developer might produce files with extensions that are not readable by the web server. If you know which engine they require in order to work, just go ahead and add the extensions to the script map handlers.

Website Security Protection
The greatest feature of a script map is its security protection. A script map protects your web application in two ways: file extension protection and downloadable data protection. File extension protection means changing your file extension to something not commonly used. For example, if your site is programmed in ASP, the file extension is always *.asp. Hackers will easily find any potential security hole and then hack into your applications. But if you change .asp to something else, for example .cpp, and map it to the ASP engine, hackers will not hack it as easily because they will have to do a lot of research to find out what scripting you used.

Sometimes you keep sensitive data in Access database or Excel files that can be downloaded directly once a user has the exact location on your site. This is absolutely a big security hole. However, you can use a script map to avoid such issues. After you map the file extension to another script engine, the server will not offer a download option on the user's end and your data is kept in a safe place. The same trick can also be applied to other files on your website; all you need to do is map the file extensions to a non-executable engine.
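The two protections described above can be checked against a site's handler list. The following is an added example, not code from the original article: it parses a constructed IIS 7+ `<handlers>` section and reports which requested files would still fall through to the static file handler. The handler names `BlockAccessDb` and `ClassicAspAlias`, the sample paths and the first-match resolution model are assumptions made for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample <handlers> section (IIS 7+ web.config syntax).
SAMPLE_WEB_CONFIG = r"""
<configuration><system.webServer><handlers>
  <add name="BlockAccessDb" path="*.mdb" verb="*"
       type="System.Web.HttpForbiddenHandler" />
  <add name="ClassicAspAlias" path="*.cpp" verb="GET,HEAD,POST"
       modules="IsapiModule" resourceType="File"
       scriptProcessor="%windir%\system32\inetsrv\asp.dll" />
  <add name="StaticFile" path="*" verb="*" resourceType="Either"
       modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
       requireAccess="Read" />
</handlers></system.webServer></configuration>
"""

def resolve_handler(config_xml, url_path):
    """Return the <add> element of the first mapping whose path matches.

    Simplified model (assumption): handlers are tried in document order
    and only the path pattern is compared; verbs, preconditions, the MIME
    map and request filtering are ignored.
    """
    file_name = url_path.rsplit("/", 1)[-1].lower()
    root = ET.fromstring(config_xml)
    for add in root.iterfind("./system.webServer/handlers/add"):
        pattern = add.get("path", "").lower()
        if fnmatch.fnmatchcase(file_name, pattern):
            return add
    return None

def served_as_download(config_xml, url_paths):
    """List the paths that would fall through to the static file handler."""
    exposed = []
    for url_path in url_paths:
        handler = resolve_handler(config_xml, url_path)
        modules = handler.get("modules", "") if handler is not None else ""
        if "StaticFileModule" in modules.split(","):
            exposed.append(url_path)
    return exposed

if __name__ == "__main__":
    # Constructed request paths: an Access file, an Excel file, a renamed ASP page.
    files = ["/data/customers.mdb", "/reports/sales.xls", "/default.cpp"]
    print(served_as_download(SAMPLE_WEB_CONFIG, files))
```

In this sample the Access file is mapped to a non-executable handler and the renamed `.cpp` page goes to the ASP engine, while the unmapped Excel file is the one still offered as a download.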

How to Add a Script Map on the User End?

Script Map is only available for IIS users, which means you must be hosted on a Windows hosting server. Many providers offer the function directly from the hosting control panel, where you can add the specified extensions yourself. The following screenshot shows how it's offered.

[Screenshot: script map]

However, since IIS 7.0 there have been revolutionary improvements that let us manage settings from IIS Manager directly. You must ensure that remote IIS Manager is supported by your hosting service. Once you have connected to your website in IIS Manager, you have all available options to work with. You will see how services are configured on the hosting server for custom changes. In this way you don't have to contact hosting support for such small assistance.
