All requests with /bin in the URL are rejected and return a 404 error

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

This occurs when IIS 6.0 and ASP.NET are both installed. To take a more proactive stance against malicious users and attackers, the ASP.NET ISAPI filter, aspnet_filter.dll, blocks incoming requests that contain /bin in the URL. This behavior occurs server-wide, regardless of whether the request is for static or dynamic content.

The preferred solution to this issue is to modify the path to content on the server so that /bin is not necessary in any request.

If the content URL cannot be modified, an alternative solution is to set a registry value that stops the ASP.NET ISAPI filter from filtering requests containing /bin in the URL. This is a server-wide setting.

Procedures

Important

Setting the StopBinFiltering value to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\ registry key can allow a malicious user access to programs and content in the /bin directory.

To disable /bin filtering

  1. Start Registry Editor and navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\ key.

  2. In the details pane, right-click, point to New, and click DWORD Value.

  3. In the Name box, type the following: StopBinFiltering.

  4. Double-click the StopBinFiltering value, and in the Value data box type 1.

  5. Click OK, and then close Registry Editor.

  6. To reenable /bin filtering, set the StopBinFiltering value to 0.
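
Because the setting is server-wide and removes a protection, it is worth auditing which servers have it applied. The following PowerShell script is an added example, not part of the original Microsoft article: it reads the StopBinFiltering value from the key named in the procedure and reports its state. The function name Get-BinFilteringState is hypothetical, and querying remote servers assumes the Remote Registry service is running and the caller has administrative rights.

```powershell
# Added example: audit servers for the StopBinFiltering value described above.
# Assumptions: Get-BinFilteringState is a hypothetical helper name; remote
# targets need the Remote Registry service and administrative rights.
function Get-BinFilteringState {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $subKey    = 'SOFTWARE\Microsoft\ASP.NET'
    $valueName = 'StopBinFiltering'
    $hive      = [Microsoft.Win32.RegistryHive]::LocalMachine

    foreach ($computer in $ComputerName) {
        $state = 'Unknown'; $raw = $null; $base = $null; $key = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            $key  = $base.OpenSubKey($subKey)      # read-only open
            if ($key) { $raw = $key.GetValue($valueName, $null) }

            if ($null -eq $raw) {
                # Key or value absent: the procedure was never applied.
                $state = 'NotSet'
            } elseif ($key.GetValueKind($valueName) -ne 'DWord') {
                # The procedure creates a DWORD; anything else is unexpected.
                $state = 'Unknown (value is not a DWORD)'
            } elseif ($raw -eq 1) {
                $state = 'FilteringDisabled'
            } elseif ($raw -eq 0) {
                $state = 'FilteringEnabled'
            } else {
                $state = "Unknown (unexpected data $raw)"
            }
        } catch {
            $state = "Error: $($_.Exception.Message)"
        } finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
        New-Object PSObject -Property @{
            ComputerName = $computer
            State        = $state
            RawValue     = $raw
        }
    }
}

# Report only the servers where /bin filtering has been switched off.
Get-BinFilteringState | Where-Object { $_.State -eq 'FilteringDisabled' }
```

Pass a list of server names with -ComputerName to check several machines in one run; any server reported as FilteringDisabled is serving requests for /bin paths without the filter.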