how to prevent download any files (specially swf) from IIS server - asp.net

i have a asp.net website
i have some files swf files that i want to prevent downloading them
is there a solution that the IIS can have a passord for downloading the file swf file and i can provide this password in some situations on the server that i can pass this password in the code
so that the swf file can be viewed from my page only as provide the password
but no one can download it using download managers
or any other http request that request this swf file

Don't put the swf file under your web root. Put it somewhere else like C:\Inetpub\assets. Then use a .NET page or handler to provide the file upon request.
http://yoursite.com?GetAsset.ashx?filename=whatever.swf
Then the request will be part of the same session as the rest of your application and you can validate that the user is really allowed to download the swf.

You can configure IIS Authorization, to allow only authenticated user to access your resouces:
http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/

can you create ftp accounts on your server ? if yes , create a folder only accessible with the credentials you set then put the swf files in it ( i guess you are using a distant IIS server ).
Your hosting service may provide an admin interface were you can set some ftp accounts.
The user will have to access your files with a ftp client application.

there is something named Mine Types. If you add a Mime Type and set an extension like .swf to that you allow client to download and see all .swf files of the server. just go to Mime types tool of IIS and remove ones that you want to prevent downloading.

Related

How to Upload file from Client to Sever Without access to Client Directories? ASP.net

Every where I read of being able to "Upload files from the client PC to the Server" but HOW will you do this if you don't have access to the clients directories?
How will the client select what files to upload if the server does not have access to them?
Links on How to do this.
C#, Asp.net Uploading files to file server…?
Uploading files to a web server with ASP.Net
Uploading In ASP.NET
My Previous question telling me that the server does not have access to the client pc/directories
--UPDATE--
So thanks to the comments and answers I Understand now.
The server CANNOT access directories and files on the client. BUT
The client can push through files to the client that can then use the
files.
You need an upload control, so that the user can upload files manually. If you want to pull files from the user's PC without interaction with the user, then ASP.net won't do that for you. You should look into WCF or other frameworks.

how to allow user download file over web page on window server 2003

I have a webpage deployment on iis6, window server 2003, and i want to allow user can download some file from webpage
I store this file on the backup folder. I added NETWORK SERVICE user to the folder but I still can not download this file
Simple, i have a file and i want user can download this by link: http://www.aitapgdtrh.edu/Backup/SaoLuu13112012_1435.bak
it's shown the error:
The page cannot be found
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
Please help me config to download it, Thanks!
I found the answer for my question:
It's:
Open IIS, right click, choose Properties.
At group MIME type, click News,
Add:
Extension: .bak
MIME type: data/sql
then it's ok :)
HTTP 404 means that IIS cannot find the file specified by /Backup/SaoLuu13112012_1435.bak. I assume this is because it's located at C:\Backup and not in inetpub.
Request URLs are relative to the website root path, so /Backup/SaoLuu13112012_1435.bak will refer to C:\inetpub\wwwroot\aitapgdtrh.edu\Backup\SaoLuu13112012_1435.bak not C:\Backup\SaoLuu13112012_1435.bak.
You can reference locations outside of your website root path by using a virtual directory1:
Open IIS
Browse to your website
Right click the root node
Click "New Virtual Directory"
Specify "Backup" as the Alias
Specify "C:\Backup" as Path
Assign read permissions only
Save the directory
1You're allowing read access to the entire Backup directory to anonymous clients by doing this. For security, you may want to require authentication (either NTLM or Forms).
The easiest way is just write an ASP.Net script that uses System.Web.UI.WebControls FileUpload:
http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.fileupload.aspx

How to configure web.config to support file handler

I created a file browser control which open files on client machine itself, so I don't need to bother about file path
from my application I am not able to redirect page to
file:///C:/Program%20Files/Application/readme.txt
it works for
http://
how can I configure my application to support file handler.
Thanx
If you are trying to redirect to a local file. This is not possible without knowing quite a lot of information on the client machine - for example how do you know the directory structure of the client computer?
Response.Redirect tells the client (browser) where to redirect to. A file URL will be one that is on the client machine - you would need to know in advance that the file is there, that the user has permissions to view it etc...
Are you asking how to send a file from the server?
You can do this via Response.WriteFile.

non asp.net resources authetication and authorization in iis6

I'm creating a website which besides other tasks will play some recorded files. these recorded files are on a remote server with private ip address, so I've created a virtual directory which points to a share directory on the mentioned server.
now I'm able to playback the files using client side controls like wmplayer. BUT the problem is sound file urls are accessible without any authentication and authorization.
is there anyway to enforce .net authorization and authentication (in web.config) on this virtual directory? I also should mention I can not use solutions like httphandlers to download the files because file are streamed using iis so user could navigate on the file without downloading all of it)
thanx
Open IIS (I suppose you use IIS7.0 or later). Find the mentioned virtual directory and click on it. In the listed features find Authentication, right click on it and press Open Feature. Then disable anonymous authentication for this folder. Does the problem persist?

Flex and crossdomain.xml

I was wondering are there any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server and are you aware of any work arounds that dont require the server to have this file in place?
Thanks
Damien
By adding the crossdomain.xml, the main security concern is that flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious flash app, that flash app can connect back to your site. Since it's in a browser, cookies are shared to the flash app. This allows the flash app to hijack the user's session to do whatever it is your website does without the user knowing about it.
If your flex app is served from the same server, you don't need a crossdomain.xml
You can put it in a sub directory of your site and use System.security.loadSecurityPolicy()
http://livedocs.adobe.com/flex/2/langref/flash/system/Security.html
Applications would then be limited to that tree of your directory structure.
There are no workaround for the crossdomain file, it is required to support the crossdomain data access or crossdomain scripting. In the event of any cross-domain request, Flash will look for the crossdomain.xml file at the root of the domain. For example, if you are requesting an XML file from:
http://mysubdomain.mydomain.com/fu/bar/
Flash will check if a crossdomain.xml file exist at:
http://mysubdomin.mydomain.com/crossdomain.xml
You can place the crossdomain.xml file in other location. However, when you ever need to load a crossdomain.xml file from a different location, you have to do it via Security.loadPolicyFile . Bear in mind that the location of this crossdomain have any impact on the security access you have. Flash will only grant access to the folder that contains the crossdomain and its child folders.
You may also want to read up on the security changes in Flash Player 10.
You may configure a virtual host for your application. This way the file crossdomain.xml can be at the root of your application but not necessarily at the root of the server.
Yes. Be very careful with crossdomain policy files:
http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/
My two general rules of thumb are:
Do not put a crossdomain policy file on a server that uses cookies
Do not put a crossdomain policy file on an internal server
crossdomain.xml is just a file that has meaning to the Flash runtime; you can restrict what HTTP requests get to see it. You can use web server (e.g. Apache) configuration control to allow read access to it (and only it) from the "root" directory (see previous answers).
You might filter by other headers in the request, etc.
Cheers

Resources