I have a virtual directory (called "File") setup for my web application. The directory is used to house user file uploads as well as official downloads that we offer.
I want to prevent any file from the "File/UserUpload" directory from ever being served up to a user. It would be pretty difficult (i.e. it will never happen) for a user to come up with the proper filename to request a file since the files are created with a GUID, but I'd like to disallow it nonetheless.
How can I stop IIS from serving files in the virtual directory?
Add a web.config file to the directory which denies all users access to the directory.
It should look something like this:
IIS 7:
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</security>
</system.webServer>
Here is another SO post which may be helpful:
https://serverfault.com/questions/72680/iis7-how-to-block-access-with-a-web-config-file
Related
I have a directory contains some documents,
i would like to allow access to files on this directory only if the user successfully logged in to a website.
the login users and passwords managed by aspNet Membership tables and stored at the DB.
if the directory was sitting on the website is would be easy since it restricted by default
but physical path of the directory is not inside the website
and i prefer to leave it that way, since this directory can be access from another website
how to solve this?
thanks
You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>
This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:
<location path="SomeVirtualDirectory">
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
Its not possible to navigate outside of a website directory as it is outside scope of your website and no way depends on the website credentials.
The file directory doesn't have to be a physical subdirectory of your site. If you add it as a virtual directory inside your application, you can just set authentication appropriately.
Alternatively you can just issue something like this:
string filename = #"F:\SomeDirectory\Foo.txt";
Response.TransmitFile(filename);
Then you can just set authentication on this page, for example called DownloadFile.aspx.
Our client has a virtual file server setup which contains some PDF's he wanted to restrict. He thought they would be restricted from non-logged in users, however they've somehow turned up in google search results.
So my question is, if I setup forms authentication (he currently doesn't have any authentication) on his website, can I restrict access to any directory I want? For example, the path of the PDF's is on another server, mapped to the "S" drive like this:
S:\Files\PDFs\
Can I list this path somewhere in a config file to restrict it to only authenticated users?
Thanks
you can put this kind of web.config in the folder where pdf files are located , this will not allow unauthnicated user to access you files
<location path="FolderNameAuthenticationNeed" allowOverride="true">
<system.web>
<authorization>
<deny users="?"/>
</authorization> </system.web>
</location>
I have ASP.NET application with forms authentication. It works well but I have one directory with olly .txt files (no aspx files) that I want users not to access (or only logged in users).
I added web.config to this directory:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
EDIT:
This works only for .aspx files. It does not work for .txt files and similar. Users cannot browse this directory nor subdirectories however knowing .txt file name they can access it.
I tries IIS6 and IIS 7.5. On IIS6 .txt files are also restricted but on IIS 7.5 not so it may be IIS configuration issue.
Your question depends on the web server you are using. ASP.NET authorization works only with file types that are handled by ASP.NET. If you have IIS 5 or 6, this is normally not true for .txt files or even for .jpg, .gif and pure .html files, but only for aspx, asmx etc.
No problem if you have IIS7 and integrated mode, because ASP.NET is integrated and will be called for every type of file. So if you have IIS5 or 6 you have to register the mime types such as the aspnet.isapi is called for .txt files as well.
UPDATE:
The configuration of
<deny users="*">
locks out all users. It would work only in combination with allow, e.g.
<allow roles="administrators" />
<deny users="*">
like this all users but administrators will be locked out. If a user is authenticated but not adminstrator, he will be redirected to the login page.
The other option is to lock out anonymous users only:
<deny users="?">
Add location section to the web.config with appropriate settings location Element (ASP.NET Settings Schema)
If you use IIS 7+, then you can use the system.webServer/security/authorization http://www.iis.net/ConfigReference/system.webServer/security/authorization section, and have that automatically work for any kind of content in any pipeline mode.
IF you still want to use system.web seciton, then you will need to use Integreated Mode and do the changes that are mentioned in the modules to run for all content, but by far, the simplest is use system.webServer/security/authorization instead.
I'm trying to add a directory for anon access in IIS 7.5. It works under Web Dev but not IIS 7.5
I'm currently using this web.config in the directory. This is a directory with style sheets:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Update:
I've went to the folder and under Authentication, I've changed anonymous authentication from IIS_USR to pool. This seems to have correct it.
I will reward anyone who provides a very good explanation and resources for understanding this setting. Also, how to apply it globally would be good to know -- for all folders.
Since you answered your own question, here is the explanation that might help
Authorization deals with who IIS will offer resources to. Those resources, however, have their own security as they are just files on a file system.
The Authentication element in the config assists in determining how IIS will identify a user's requests after its accepted and as it accesses resources beyond/external to IIS.
This is set at the site level, typically in the applicationHost.config file for your server. It can, if properly setup, be overridden at the site level.
IIS.net pages about this:
http://www.iis.net/ConfigReference/system.webServer/security/authorization/add
http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication
The .config version of what you did in the UI is:
<location path="/yourSite">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" username="" />
</authentication>
</security>
</system.webServer>
</location>
On the anon. auth method, the username field is who IIS will impersonate when resources are accessed. When you don't specify one, it defaults to use the identity of the apppool.
Now, as to why this mattered ... check the actual file on disk (the .css). If this fixed the problem that would mean IUSR doesn't have access to read that file.
You don't have a location defined for your authorization. You also don't specify what sort of authentication you're using within the web.config (if any).
<location path="/">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I know that by defualt IIS won't server App_Data or bin folders content to the public.
How to set one more folder to don't server to public?
The proper way to do that is using this:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="My_Directory" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
This allows you to still access files located there from the IUSR account, but prevents actual requests for files there from being filled directly.
Note that this will block files in that directory, and any subdirectories, no matter where that directory occurs - even if it, itself, is a sub-directory of something else.
As the link-only answer points out, hiddenSegments is the right tool for the job. Go to IIS then the site and in Features find Request Filtering (must be installed at Server Manager) now add directory name that you want to prevent access to, or any segment of the URL really. This approach does require that a unique url or directory name be used in the site, otherwise any other occurrence of the segment at any level in the url, will cause that request to be blocked:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/hiddensegments
Remove IIS_IUSR permissions from that folder.
I think its generically under the "Internet Guest Account"