It seems that for some instances of IIS 8 (?) and later there are some default Request Filtering settings, but for other instances there are none. Here's what I see on some servers:
Denied File Name Extensions (partial):
ad
adprototype
asa
asax
ascx
browser
cd
compiled
config
Hidden Segments:
App_Browsers
App_code
App_Data
App_GlobalResources
App_LocalResources
App_WebReferences
bin
web.config (Only this one seems to be present on ALL IIS instances.)
Is there a reason for this inconsistency? Is it determined by what components are installed?
I am a server admin and not a Web admin, but I am trying to suggest best security practices for the Web site owners and I am not able to explain this inconsistency to them. When we deploy a new IIS server we now make sure these defaults exist, but we can't really apply the same to one that's already in production. This is the site owners' responsibility, but I would like to clear up the confusion.
Thanks for any explanation.
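
A read-only way to see which servers and sites lack the entries listed in the post, as an added example that is not part of the original post. It assumes the WebAdministration module is installed; the baseline arrays and the function name Get-RequestFilteringGap are made up for illustration, and the extension baseline is only the partial list shown above.

```powershell
Import-Module WebAdministration

# Baseline copied from the lists in the post (the extension list there is partial).
$wantExt = 'ad','adprototype','asa','asax','ascx','browser','cd','compiled','config'
$wantSeg = 'App_Browsers','App_code','App_Data','App_GlobalResources',
           'App_LocalResources','App_WebReferences','bin','web.config'

$rf = 'system.webServer/security/requestFiltering'

# Hypothetical helper: reports baseline entries absent at one configuration path.
function Get-RequestFilteringGap {
    param([Parameter(Mandatory)][string]$PSPath)

    # Effective (merged) denied extensions at this path; the config stores
    # them with a leading dot, so strip it before comparing.
    $ext = Get-WebConfiguration -PSPath $PSPath -Filter "$rf/fileExtensions/add" |
        Where-Object { -not $_.allowed } |
        ForEach-Object { $_.fileExtension.TrimStart('.') }

    # Effective hidden segments at this path.
    $seg = Get-WebConfiguration -PSPath $PSPath -Filter "$rf/hiddenSegments/add" |
        ForEach-Object { $_.segment }

    # -notin is case-insensitive, so App_code matches App_Code.
    [pscustomobject]@{
        Path              = $PSPath
        MissingExtensions = @($wantExt | Where-Object { $_ -notin $ext })
        MissingSegments   = @($wantSeg | Where-Object { $_ -notin $seg })
    }
}

# Check the server-level configuration first, then every site, because a
# site's web.config can add or remove entries inherited from the server.
$paths = @('MACHINE/WEBROOT/APPHOST') +
         @(Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })

$paths |
    ForEach-Object { Get-RequestFilteringGap -PSPath $_ } |
    Where-Object { $_.MissingExtensions -or $_.MissingSegments } |
    Format-List
```

The script only reads configuration, so it can be run on a production server; paths that already match the baseline produce no output.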