How to make IIS7 stop serving a folder? - iis-7

I know that by default IIS won't serve App_Data or bin folder content to the public.
How do I set one more folder not to be served to the public?

The proper way to do that is using this:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="My_Directory" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
This allows you to still access files located there from the IUSR account, but prevents actual requests for files there from being filled directly.
Note that this will block files in that directory, and any subdirectories, no matter where that directory occurs - even if it, itself, is a sub-directory of something else.

As the link-only answer points out, hiddenSegments is the right tool for the job. Go to IIS, then the site, and in Features find Request Filtering (must be installed via Server Manager); now add the directory name that you want to prevent access to, or any segment of the URL really. This approach does require that a unique URL or directory name be used in the site; otherwise any other occurrence of the segment at any level in the URL will cause that request to be blocked:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/hiddensegments
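Before relying on a hiddenSegments list it is worth checking, offline, which request paths it would reject, because, as both answers above note, a segment is matched at any depth and a too-generic name (say "images") would take other URLs down with it. The following is an added example, not code from the page or from IIS itself; it mirrors the documented matching rule (a hidden segment matches a whole URL path segment, case-insensitively, at any depth, and a match yields 404.8) and assumes that request filtering compares against the percent-decoded path, which is my assumption rather than something the page states.

```csharp
// HiddenSegmentCheck.cs (added example, not from the question or its answers)
// Offline model of IIS request filtering's hiddenSegments rule so that a
// candidate list can be tested against real site URLs before deployment.
using System;
using System.Collections.Generic;
using System.Linq;

public static class HiddenSegmentCheck
{
    // True if IIS would answer 404.8 for this request path under the given list.
    public static bool IsBlocked(string requestPath, IEnumerable<string> hiddenSegments)
    {
        // Only the path takes part in the match; the query string is never inspected.
        int q = requestPath.IndexOf('?');
        if (q >= 0) requestPath = requestPath.Substring(0, q);

        // Assumption: filtering runs on the decoded path, so one round of decoding
        // is applied here. IIS also treats '\' as a path separator.
        string[] segments = Uri.UnescapeDataString(requestPath)
            .Split(new[] { '/', '\\' }, StringSplitOptions.RemoveEmptyEntries);

        // Whole-segment, case-insensitive comparison at every depth.
        return segments.Any(s => hiddenSegments.Any(
            h => string.Equals(s, h, StringComparison.OrdinalIgnoreCase)));
    }

    public static void Main()
    {
        // Constructed sample list and URLs using the folder names from the answers above.
        var hidden = new[] { "My_Directory", "Reports", "uploadedfiles" };
        string[] paths =
        {
            "/Reports/file.pdf",                  // blocked: segment at top level
            "/customers/acme/REPORTS/q1.pdf",     // blocked: any depth, case-insensitive
            "/Rep%6Frts/file.pdf",                // blocked after decoding (assumption above)
            "/Reports2/file.pdf",                 // served: whole-segment match only
            "/download.ashx?file=Reports/x.pdf",  // served: query string is not filtered
            "/My_Directory",                      // blocked: the directory itself
        };

        foreach (string p in paths)
            Console.WriteLine("{0,-40} {1}", p, IsBlocked(p, hidden) ? "404.8 blocked" : "served");
    }
}
```

Run it against a list of URLs scraped from the site's own links; any line that reads "404.8 blocked" but should be served tells you the segment name is not unique and a different folder name, or the outside-the-web-root approach, is needed.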

Remove IIS_IUSR permissions from that folder.
I think it's generically under the "Internet Guest Account".

Related

How do you stop users directly accessing files on a website in IIS

I want to stop users on the internet being able to enter this URL into a browser and access these files directly. How can I do this?
note: application developed in asp.net
for example: mysite/uploadedfiles/file1.txt
is there any iis rule? Please help me.
Try to use the requestFiltering and hidden segments security feature in web.config.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments applyToWebDAV="false">
          <add segment="uploadedfiles" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
My advice would be not to store these files in a location which is accessible via a URL in the first place. Then the problem is solved without worrying about permissions etc.
Once the user has uploaded the file, you can store it in some other place on the server's disk - no need for it to be within the web application.
And if the file must be downloadable again later, you can write an action method to find the necessary document on disk and transmit a copy of it in the response, without the webserver ever having direct access to it.

Denying direct access to a folder (only allow through app)

I need to prevent someone from directly accessing a pdf, instead only allowing them to be pulled through the app itself. How can this be done?
Add this to your top-level Web.config to block a folder called Reports (your folder name goes there).
This will allow your application to access Reports/file.pdf but an outside request to yoursite.com/Reports/file.pdf will be blocked.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="Reports" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
There are two solutions for doing that:
1- You can put your "UsersUploads" folder outside the website directory, so if your website exists on "c:\website\example.com" you can put the "UsersUploads" there: "c:\UsersUploads". Like that, IIS has no control over this folder and its files, and your website code will still have access to this directory as a normal physical path.
2- Stop IIS from serving this folder:
IIS by default doesn't serve some website folders and files such as App_Data, App_Code, bin, App_GlobalResources, App_LocalResources, Web.config, …
Put the files in the App_Data folder and then use an HttpHandler to serve the files. You can use URL rewriting if you want to hide it and make it look cleaner.
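The "serve it through the application" approach recommended in the answers above (keep the files where no URL maps to them, or in App_Data, and hand them out from an action method or HttpHandler) as an added example; this is not code from any answer on this page. It assumes a storage folder D:\UsersUploads outside the site's physical path, that the site already uses Forms or Windows authentication, and that the handler is registered in web.config under system.webServer/handlers for a path such as /download; the folder, the path and the extension whitelist are all my assumptions.

```csharp
// SecureDownloadHandler.cs (added example; not from the question or its answers)
// Hands out files that IIS never serves directly: they live in a folder outside
// the site's physical path, so no URL maps to them, and every download passes
// through this handler, which enforces authentication, an extension whitelist
// and a canonical-path check against directory traversal.
using System;
using System.IO;
using System.Web;

public class SecureDownloadHandler : IHttpHandler
{
    // Assumed storage root outside the web root (not a path from the page).
    private const string StorageRoot = @"D:\UsersUploads";

    // Only the file types the application is known to store are handed out.
    private static readonly string[] AllowedExtensions = { ".pdf", ".txt", ".png" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Requires Forms or Windows authentication to be configured for the site.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Caller asks for a name relative to the storage root, e.g. ?file=acme/q1.pdf
        string fullPath = ResolveInsideRoot(StorageRoot, context.Request.QueryString["file"]);
        if (fullPath == null || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404; // same answer for "missing" and "rejected"
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.AppendHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(fullPath); // streamed from disk by the app, not mapped by IIS
    }

    // Returns the canonical absolute path if it lies beneath root and has an allowed
    // extension; otherwise null. Rejects "..\..\web.config", "C:\...", "\\srv\share",
    // drive-relative "C:foo" and alternate data streams such as "x.pdf:hidden".
    public static string ResolveInsideRoot(string root, string requested)
    {
        if (string.IsNullOrEmpty(requested) || Path.IsPathRooted(requested))
            return null;

        string rootFull;
        string candidate;
        try
        {
            rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                       + Path.DirectorySeparatorChar;
            candidate = Path.GetFullPath(Path.Combine(rootFull, requested));
        }
        catch (ArgumentException) { return null; }      // invalid characters, e.g. '\0'
        catch (NotSupportedException) { return null; }  // ':' in a non-drive position
        catch (PathTooLongException) { return null; }

        // Prefix check on the canonical form defeats ".." and mixed separators.
        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            return null;

        string ext = Path.GetExtension(candidate).ToLowerInvariant();
        return Array.IndexOf(AllowedExtensions, ext) >= 0 ? candidate : null;
    }
}
```

Register it with an entry such as <add name="SecureDownload" path="download" verb="GET" type="SecureDownloadHandler" /> under system.webServer/handlers (integrated pipeline) and grant the application pool identity read access to D:\UsersUploads; the IIS static file handler never sees that folder, so the hiddenSegments and NTFS questions above do not arise for it. The traversal check is done on the canonical path returned by Path.GetFullPath rather than by looking for ".." in the input, which is what defeats encoded and mixed-separator variants.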
Set the permissions on the folder to deny access to whoever. Ask your sysadmin to create an account and give it read access to the folder. Then set impersonation up in the web.config file to use the new account.
Read this
http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx

Can I put a + sign in a folder with IIS?

I'm pretty sure this can't be done, but I'm looking for a hack or way to put a + in a folder name, like
http://www.mysite.com/cats+dogs/Default.aspx
I'm using IIS 7, and have tried creating a virtual directory to achieve this, and it didn't work. I am not allowed to put %2B in the explorer folder or virtual folder name.
Any ideas how I could hack this to make it work? We've already had brochures printed up with a url on it, and wondering if there is some way I can alias it or some trick that might do it.
EDIT: I was able to figure this out, by creating a virtual folder with a + in it, then redirecting to a URL, which points to a virtual directory with the content.
IIS 7.0 Breaking changes for ASP.NET 2.0 applications in Integrated Mode
Here's the relevant excerpt from the page, which shows the workaround/fix.
Request limits and URL processing: the following changes result due to additional restrictions on how IIS processes incoming requests and their URLs.
11) Request URLs containing unencoded "+" characters in the path (not querystring) are rejected by default.
You will receive HTTP Error 404.11 – Not Found: The request filtering module is configured to deny a request that contains a double escape sequence.
This error occurs because IIS is by default configured to reject attempts to doubly-encode a URL, which commonly represent an attempt to execute a canonicalization attack.
Workaround:
1) Applications that require the use of the "+" character in the URL path can disable this validation by setting the allowDoubleEscaping attribute in the system.webServer/security/requestFiltering configuration section in the application's web.config. However, this may make your application more vulnerable to malicious URLs:
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>
You may have some luck with doing a url-rewrite. This can be done very easily in the web.config or with an httpmodule.
Looks like you will still need to use a space or the IIS fix mentioned below for your + character issue, but for some flexibility in the future you can always include URL rewrites for mapping urls to files.
<httpModules>
  <add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</httpModules>
<!-- rewrite rules belong to the <rewriter> section of a URL-rewriting component, not to IIS itself -->
<rewriter>
  <rewrite url="~/cats dogs/Default.aspx" to="~/MyRealFile.aspx" />
</rewriter>
Just put a space in the folder name: "cats dogs".
The space character is encoded using the plus character, so when the server sees the plus character, it will get the folder with the space in it.

Extensionless Page Requests

I have a customer of ours that sent out a publication referring to my site, but they used the wrong address: they did not provide a page name. It looks like this:
mywebsite.org/Resources/toolkits/bridging
when it should have been
mywebsite.org/Resources/toolkits/bridging/default.aspx
Is there a way to tell ASP.NET to default to this default.aspx when it sees this kind of request or even better, have IIS 7 handle this easily?
This site is live so I would like to avoid having to introduce code if possible.
As per other suggestions, this should be done in the IIS configuration for your website using the IIS Admin tool.
There is however, another alternative - you can add a section in the web.config of your actual ASP.NET application, allowing you to override the IIS configuration right from your application:
<system.webServer>
  <defaultDocument>
    <files>
      <clear />
      <!-- Specify each of your files by order of preference here -->
      <add value="Default.aspx" />
      <add value="Index.aspx" />
      <add value="MyOtherPage.aspx" />
    </files>
  </defaultDocument>
</system.webServer>
The caveat to this though is it may be a little obtuse when the IIS administrator can't figure out why the server configuration isn't working the way he's got it configured. It's not always right to do something just because you can.
Finally, just in case you don't have access to the IIS server or your IIS administrator has reasons for not adding Default.aspx to the default document list in the IIS configuration and for whatever reason, you don't wish to override the IIS configuration in your web.config file, then the quickest and simplest way is to simply create a file called default.asp in that directory containing:
<% Response.Redirect("default.aspx") %>
Default.asp is in the default document list on IIS. The code will automatically redirect the call to the correct page. The downside to this approach though is that there's a performance hit - every time someone calls default.asp - directly or otherwise, the redirect needs to happen which isn't free.
In the Documents tab of the web site properties in IIS you can specify default documents. If you are using .NET 2.0 or later on that machine then Default.aspx should already be set....
Default.aspx is not, oddly enough, set as the default document in an IIS installation; In IIS 7, the setting is under "HTTP Features", called "Default Document". Add default.aspx to that list and you should be OK.
If not, you'll need to add a 404 handler that redirects when it sees that URL.

What replaces .htaccess on IIS/ASP.NET sites?

On Apache/PHP sites, if I want to put a sensitive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.
Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to the IIS server? Can I do this in web.config, for instance?
e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default, but where can I change the settings for this folder as I could with a .htaccess file?
Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:
<location path="Secret" allowOverride="false">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
    <httpHandlers>
      <remove path="*.*" verb="*"/>
    </httpHandlers>
  </system.web>
</location>
I have only used the authorization portion of that snippet and it works great. The handler should further lock it down, and using an ISAPI filter would be able to put the finishing touches on it.
Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.
http://learn.iis.net/page.aspx/473/using-urlscan
http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
There are some things you can do with web.config, like defining security settings etc.
Other times you have to use HttpModules or HttpHandlers; look here:
http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx
If not, you can find different ISAPI filters, but in this case you need access to IIS.
For example, the ISAPI filter for emulating Apache's mod_rewrite:
http://www.codeplex.com/IIRF
The other question: yes, ASPNETDB.MDF in App_Data is protected normally (it depends on your administrator). To change the path, change the connection string.
There are two cases:
If the server is using IIS7 then there is equivalent functionality available using the web.config approach for all files.
If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting) then it's more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure) then again the web.config approach will work, but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...
That said for asp.net there are files that are protected by default anyway - files in app_data as already mentioned plus specific file types (like .config). Additionally one would expect a decent host to provide a directory that is not accessible via the web - ours offer a private and a web folder, both accessible via FTP but only the contents of the latter via the web.
As per the documentation on Application Folders, IIS won't serve requests to content stored in the /app_data folder although your application can read and interact with those files.
ASP.NET recognizes certain folder names that you can use for specific types of content. The following table lists the reserved folder names and the type of files that the folders typically contain.
Note: The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.
