Drupal 7 comes with built-in .htaccess files to protect the files, tmp and private directories from script execution like malicious PHP, but doesn't provide a similar web.config file for Windows servers. I have looked around and couldn't find a proper solution yet.
I did come across a solution for WordPress which suggested uploading this simple web.config file to the wp-content/uploads folder:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read"/>
  </system.webServer>
</configuration>
The author stated:
This tells IIS that handlers (such as PHP) may only read, and not execute.
Could it work in the same way for Drupal? I did upload this file to my Drupal's files folders and at least it didn't break anything. I was still able to upload files and the styles were still properly applied.
Does anyone know a better, more secure solution?
Update: I forgot to mention - if I try to access a PHP file from one of these directories I get a "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied." error, so it works at some level.
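
One way to check that the protection is actually in place, as an added example that is not part of the original post: the script below audits an upload directory for a web.config whose `<handlers accessPolicy>` omits the Script and Execute flags, and it also inspects web.config files in subfolders because IIS reads them per directory. The function names and the `styles` sample folder are assumptions made for illustration; the sample files are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

RISKY = {"script", "execute"}  # flags that let IIS run script handlers or executables

def handler_policy(config_path):
    """Return the accessPolicy flags set on <handlers>, or None if unset."""
    node = ET.parse(config_path).getroot().find("system.webServer/handlers")
    if node is None or "accessPolicy" not in node.attrib:
        return None
    return {f.strip().lower() for f in node.attrib["accessPolicy"].split(",") if f.strip()}

def audit(upload_root):
    """Return (relative path, problem) for every web.config issue under upload_root."""
    findings = []
    if not os.path.isfile(os.path.join(upload_root, "web.config")):
        findings.append(("web.config", "missing"))
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            if name.lower() != "web.config":
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, upload_root).replace(os.sep, "/")
            try:
                policy = handler_policy(path)
            except ET.ParseError:
                findings.append((rel, "unparseable"))
                continue
            if policy is None and dirpath == upload_root:
                findings.append((rel, "no accessPolicy"))
            elif policy and policy & RISKY:
                findings.append((rel, "allows " + ",".join(sorted(policy & RISKY))))
    return findings

# Constructed sample input: the file from the post, and a variant that re-enables scripts.
READ_ONLY = '<?xml version="1.0" encoding="UTF-8"?><configuration><system.webServer><handlers accessPolicy="Read"/></system.webServer></configuration>'
WEAK = READ_ONLY.replace('"Read"', '"Read, Script"')

def demo():
    """Build a throwaway files/ tree (hypothetical layout) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "styles"))
        for rel, body in (("web.config", READ_ONLY), ("styles/web.config", WEAK)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)
```

Run `audit()` against each of the files, tmp and private directories; an empty list means every web.config found restricts handlers to non-script access.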