Installing CGI Applications in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1


You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".


To install and configure CGI applications

  1. Set up a directory for your CGI programs. For extra security, separate your CGI programs from your content files. You do not need to name the directory Cgi-bin, although you can do so if you want. For more information, see Using Virtual Directories.

  2. If your CGI programs are scripts, obtain and install the appropriate script interpreter. For example, to run Perl scripts, obtain a Perl interpreter. Windows operating systems do not provide versions of Perl, SED, or AWK. Instead, you must obtain these interpreters from third-party developers.

  3. If your CGI programs are .exe files, give the directory Execute permissions. If your CGI programs are scripts, you can give the directory either Execute permissions or Script permissions. For more information, see Access Control in IIS 6.0.

    If you choose to give the directory Script permissions, you must mark the script interpreter as a script engine in the directory properties. Only interpreters that are marked as script engines are allowed to execute in the directory. Executable files (.dll and .exe files) cannot be directly executed; that is, a browser request cannot launch an executable file on the Web server by including the program name in the URL. By enabling Scripts only permissions and selecting the Script engine check box, you can safely put content files (such as .htm or .gif files) in the same directory as your CGI scripts. Content files are displayed in the browser and scripts are executed, but no one can run an unauthorized program and script commands are not displayed in the browser.

  4. For CGI scripts, create an application mapping between the file name extension of your script and the script interpreter.

    IIS maps file name extensions to an interpreter. For example, if you are using Perl scripts stored in files with a .pl extension, map the .pl extension to the program that runs Perl scripts. Map .bat and .cmd files to the command interpreter (Cmd.exe). For more information, see Setting Application Mappings in IIS 6.0.

  5. Set NTFS permissions. If you are using NTFS access permissions, verify that all users who need to run the program have Execute permissions for the directory. If your Web site accepts anonymous users, make sure that the anonymous user (the IUSR_computername account) has Execute permissions.

IIS supports most of the standard server environment variables.

For greater security, the Web server does not pass the command interpreter's special characters to a mapped CGI application. By default, the following characters cannot be included in the URL that calls the CGI application:

| ( , ; % < >
  • For general information about programming CGI applications, refer to the MSDN Online Library.