I am responding to audit questions, and it appears they are using IIS 6 checks on my IIS 7 web server. They are asking that "IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to these file types can exploit a stack buffer overflow weakness in the ism.dll, httpodbc.dll, and ssinc.dll."
They recommend restricting these by making changes to "web service extensions" in IIS 6. I am running IIS 7.
I know that IIS 7 is completely different than IIS 6. Do I check "handler mappings" and "request filtering" in IIS 7 in order to accomplish similar restrictions that still may be needed in IIS 7?
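
An added example, not part of the original post: a Python check that reads the two IIS 7 sections named in the question (`handlers` and `requestFiltering/fileExtensions`) and reports, for each audited extension, whether a handler is mapped to it and whether request filtering lets it through. The sample configuration is constructed, and the `audit` and `findings` names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Extensions listed in the audit finding quoted in the question.
AUDITED = [".htr", ".htw", ".ida", ".idc", ".idq", ".printer",
           ".shtml", ".shtm", ".bat", ".cmd", ".stm"]

# Constructed sample shaped like part of applicationHost.config (not a real server's).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="SSINC-stm" path="*.stm" verb="GET,POST" modules="ServerSideIncludeModule" />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" />
    </handlers>
    <security><requestFiltering>
      <fileExtensions allowUnlisted="true">
        <add fileExtension=".htr" allowed="false" />
        <add fileExtension=".stm" allowed="false" />
        <add fileExtension=".cmd" allowed="true" />
      </fileExtensions>
    </requestFiltering></security>
  </system.webServer>
</configuration>"""

def audit(config_xml, extensions=AUDITED):
    """Return {ext: {"handler_mapped": bool, "request_allowed": bool}}."""
    handler_paths, rules, allow_unlisted = set(), {}, True
    # Simplification: every <system.webServer> section (including ones inside
    # <location> tags) is merged; per-site inheritance is not modelled.
    for ws in ET.fromstring(config_xml).iter("system.webServer"):
        for handler in ws.iterfind("handlers/add"):
            handler_paths.add(handler.get("path", "").lower())
        fe = ws.find("security/requestFiltering/fileExtensions")
        if fe is None:
            continue
        allow_unlisted = fe.get("allowUnlisted", "true").lower() == "true"
        for rule in fe.iterfind("add"):
            ext = rule.get("fileExtension", "").lower()
            rules[ext] = rule.get("allowed", "true").lower() == "true"
    report = {}
    for ext in extensions:
        report[ext] = {
            # Only an extension-specific mapping counts; the "*" catch-all does not.
            "handler_mapped": "*" + ext in handler_paths,
            # An explicit rule wins; otherwise allowUnlisted decides.
            "request_allowed": rules.get(ext, allow_unlisted),
        }
    return report

def findings(report):
    """Audited extensions that request filtering would still let through."""
    return sorted(ext for ext, r in report.items() if r["request_allowed"])
```

With the constructed sample, only `.htr` and `.stm` are denied, so the other nine audited extensions are reported as still allowed by request filtering.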