Controlling File Upload and Deny Execute Permissions on the Upload Folder
You can strengthen the Sitecore installation by restricting access to the files that are being uploaded by users.
If you allow users to modify the content of the /upload folder in the website root, you also give them permission to place scripts and executable programs there. Executing these scripts and programs can cause unexpected behavior on the server. You must therefore prevent an uploaded file from being executed on the server side when a user attempts to download it. We recommend that you deny permissions to run scripts and executable files in the /upload folder.
Note: You only need to perform this step if your configuration allows content authors to place files directly into the /upload folder. For example, if you use a shared directory or FTP server, content authors can quickly place a lot of media in the media library.
Denying Execute Permission in IIS
You must deny the Script and Execute permissions on the /upload folder:
1. Navigate to the /upload folder of your website.
2. Select the /upload folder and click Handler Mappings, and then in the Actions pane, click Edit Feature Permissions. Refer to the screenshot below.
3. In the Edit Feature Permissions dialog box, clear the Script and Execute check boxes.
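
The same change can be scripted and then verified. The PowerShell below is an added example, not part of the original Sitecore guidance: it sets the handlers accessPolicy for /upload to Read only and reads the value back. It assumes the WebAdministration module, an elevated session, and a placeholder site name (`YourSitecoreSite`) that you replace with your own.

```powershell
# Added example: scripted equivalent of clearing Script and Execute in
# Edit Feature Permissions for /upload, followed by a read-back check.
Import-Module WebAdministration

$SiteName = 'YourSitecoreSite'         # placeholder: replace with your IIS site name
$Location = "$SiteName/upload"         # the folder the steps above select
$Filter   = 'system.webServer/handlers'
$Store    = 'MACHINE/WEBROOT/APPHOST'  # write under a <location> tag in applicationHost.config

function Get-HandlerAccessPolicy {
    # Returns the raw accessPolicy value for the given location.
    param([string]$Path)
    $p = Get-WebConfigurationProperty -PSPath $Store -Location $Path `
            -Filter $Filter -Name 'accessPolicy'
    # Depending on the module version this is a string or an attribute object.
    if ($p -is [string]) { $p } else { $p.Value }
}

function Test-AllowsExecution {
    # True if the policy still grants Script or Execute.
    param($Policy)
    if ($Policy -is [int]) {
        # Flag values from the IIS schema: Execute = 4, Script = 512.
        return (($Policy -band (4 -bor 512)) -ne 0)
    }
    # \b keeps NoRemoteScript / NoRemoteExecute from matching.
    return ("$Policy" -match '\b(Script|Execute)\b')
}

$before = Get-HandlerAccessPolicy -Path $Location
Write-Host "accessPolicy before: $before"

# Read only: neither Script nor Execute is granted for /upload.
Set-WebConfigurationProperty -PSPath $Store -Location $Location `
    -Filter $Filter -Name 'accessPolicy' -Value 'Read'

$after = Get-HandlerAccessPolicy -Path $Location
Write-Host "accessPolicy after:  $after"

if (Test-AllowsExecution -Policy $after) {
    throw "Script or Execute is still enabled on $Location"
}
Write-Host "OK: handlers under $Location cannot run scripts or executables."
```

Running the read-back portion on a schedule or after deployments shows whether a later configuration change has re-enabled Script or Execute on the folder.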