IIS 6 ignores Web.config authorization settings - asp.net

Context:
IIS 6 on Windows 2003 Server
ASP.NET 3.5 sp1
C# Web Application running from a virtual directory
There are a few files that I would like not to serve. For example, there's a hibernate.cfg.xml in the root directory that should not be accessible. There are also log files in a logs directory. On the local development server (Visual Studio 2008) The NHibernate config file can be protected in a couple of ways through Web.config:
<location path="hibernate.cfg.xml">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
OR
<httpHandlers>
...
<add path="*.cfg.xml" verb="*" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>
The logs in a different directory can be protected through another Web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
None of these work when the application is compiled using aspnet_compiler.exe and deployed to an IIS 6 server. No errors in the logs. The files are readable to anyone. The application is compiled and installed using MSBuild as follows:
<AspNetCompiler Force="true" Debug="true" PhysicalPath="$(DeploymentTempPath)\$(DeploymentAppName)" TargetPath="$(DeploymentPath)\$(DeploymentAppName)" VirtualPath="/$(DeploymentAppName)" />
How do I make IIS 6 respect the authorization rules in Web.config.
Note: assume that I can't move these files outside of the deployment directory.

It looks like IIS does not forward the request for .xml or .txt files to ASP.NET, so it has no chance to apply its authorization controls.
To work around this, I had to do the following (from this forum post):
From IIS Console, open properties of the virtual directory of my app.
Virtual Directory > Configuration
Add new handler for extension ".xml" using the ASP.NET filter (c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll in my case)
All verbs. Uncheck both "Script engine" and "Verify that file exists".
Is there any way to do this from within Web.config?

Try this:
<location path="hibernate.cfg.xml">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Static files such as .jpg, .xml and .pdf are by default handled directly by the kernel mode http.sys driver. Unless you've mapped these extensions to ASP.NET they will never hit the ASP.NET pipeline and hence the authorisation mechanism within ASP.NET.

To force static files such as .xml to be processed by .NET on .NET 2.0/3.5/4.0 and IIS6, do the following:
1) Add the entries for.xml (or other file type) to IIS as described above (IIS6 website properties, Home Directory, Configuration)
2) in web.config add the location for the restricted directory or file
<location path="directory_or_file_name">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
3) Add the following to the httpHandlers section:
<add path="*.xml" verb="*" type="System.Web.StaticFileHandler" validate="true" />
This will force .NET to only serve .xml files as specified in the <location> tag to authenticated users.

URL Authorization: The URLAuthorizationModule class is
responsible for URL authorization on
Windows 2003. This mechanism uses the
URL namespace to store user details
and access roles. The URL
authorization is available for use at
any time. You store authorization
information in a special XML file in a
directory. The file contains tags to
allow or deny access to the directory
for specific users or groups. Unless
specified, the tags also apply to
subdirectories.
You need to do the following:
<deny users="?"/>
<deny users="*"/>
The wild card entry "?" means that no one else will be able to gain access to this directory.

Related

How to make IIS authorize requests based on Windows user name or group membership?

I have a legacy web app hosted using PHP by IIS. Access to some of the directories of that app is restricted using the following configuration in web.config of the root directory. That makes the Windows username available as REMOTE_USER, so that the app can map that username into an individual database to check authorization. This works and MUST NOT be changed.
<location path="lsgprog/bibliothek/adm">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Access to some other directories is restricted as well and as well using credentials provided by Windows. So those other directories have anonymousAuthentication disabled and windowsAuthentication enabled as well. The difference is 1. that those settings are made in the GUI of IIS and 2. that authorization is actually checked against the file system. This means that the directories simply have read access only for some special groups of users, those groups and users are maintained by some Active Directory and because the app uses Windows auth, things simply work. Users authenticate at their Windows, open Internet Explorer, request the restricted parts of the site, IIS gets the username, group membership etc., checks access to the restricted directories in the file system and grants or denies it.
All of that is configured manually using the GUI of IIS and I want to migrate that to web.config. Enabling Windows auth for some directories is already documented above, what I'm missing is how to allow/deny access to users and groups, which is the file system part. I've already found the element authorization, which pretty much looks like what I want, but whatever I try doesn't work.
<location path="lsgprog/vfristen">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"
roles="*"
verbs="GET,HEAD,POST" />
</authorization>
</system.web>
</location>
My expectation was that the above is enough to DENY access to all users, but that doesn't work and any approach based on ALLOW doesn't as well. I hoped that users and roles could simply be mapped against the username and group names of the currently requesting user. What I don't want is form based authorization or converting directories to "apps" or anything that needs to be done outside of web.config.
So, is what I'm trying to do possible at all and if so, how? Thanks!
In this scenario there are multiple options, first - try and add a web.config file to the folder that needs to have its' own permissions e.g. under lsgprog/vfristen, the minimum web.config example which will deny all users access:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Why does it work - IIS looks at each folder structure for web.config files, in this case the child will overwrite the parent but only the nodes that are inside the child - meaning it will preserve all other settings from the parent (root) web.config:
Make application and directory-specific configuration settings in an ASP.NET application
Although the documentation above is for ASP.NET it applies at the IIS level as well.
Second option to try - since the question mentioned the root of the project is lsgprog then this setting in web.config:
<location path="lsgprog/vfristen">
Should be changed to (remove the root folder of the project from the path):
<location path="vfristen">
Finally third option which could also work is overwriting it at the Machine.config level as mentioned in the above document:
Use the location element in the Machine.config file
When the allowOverride attribute is false, the Web.config files in the web application directories can't override the settings that you specified in the element. This is a useful setting in environments where you must restrict application developers in how they configure a web application. The following example shows a part of a Machine.config file that requires authentication to access the MyApp application on the default Web site and that can't be overridden by settings in a Web.config file:
Machine.config
<configuration>
<location path="Default Web Site/MyApp" allowOverride="false">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
You could try to add the below code in your site web.config file:
<location path="foldername">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
<location path="foldername/page1.php">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="DOMAIN\ADGROUP" />
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>
Edit: need to install the URL Authorization in iis to make this rule work.
https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization

authorizing directory only when running on localhost

I have this in the web.config
<location path="SomeDir/SomeSubDir">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
How do I change this so that this rule only applies when the app is not running on localhost? Is there a way to make the rule detect the environment?
I would remove the deny from the web.config and use something like this in the page load event.
if(!HttpContext.Current.Request.IsLocal && !User.Identity.IsAuthenticated)
Response.Redirect("Login.aspx");
Config Transformations will give you a Web.Release.config that will transform your Web.Config when you publish with the Release settings.
If you don't already have the transform files, you will need to right-click the Web.config file and then click Add Config Transforms.
Here is the MSDN How to: Transform Web.config When Deploying a Web Application Project.
Your Web.Release.config file would look something like this:
<configuration xmlns:xdt="...">
<location xdt:Locator="Match(path)" xdt:Transform="Remove" />
</configuration>
Which will result in that location element being removed when you do a Release publish.

how to deny user to access sub folders and file?

on local machine ,i created sample project on mvc4 (razor) and create directory named "x" and put a text file "a.txt" in it.
http://localhost:64471/x/a.txt
in my web config i deny all user to access to "x" folder by this config:
<location path="x">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
Now if user send this request :
http://localhost:64471/x/
it works and return user to URL that defined in forms tag in web config.
but when user send this request :
http://localhost:64471/x/a.txt
can read text file in browser(browser shows contents of text file).
i want to know how to deny user to access all files and subfolders in "x" folder?
I know this is an old question, but if you are having issues and dealing with text or html files, you might want to refer to this stackoverflow question.
In short, you might need to add this to your web.config:
<system.webServer>
<modules>
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
</system.webServer>
As kirk points out, files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.
I tested with path="x" in root web.config. It restrict everything under x folder; it won't even let me browse ~/x. I get redirected to login page.
Could you try full path to a.txt like this in root web.config?
<location path="x/a.txt">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
If it still doesn't work, you can try creating a web.config inside x folder with the following content.
<?xml version="1.0"?>
<configuration>
<location path="a.txt">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>

IIS Directory browsing disable file access directly

I have a website hosted in IIS with directory browsing disabled. The website is developed in ASP.Net, MySql and C#.
For e.g., If i type www.mysite.com/LoremIpsums/ then it shows 403 error. However if i type, www.mysite.com/LoremIpsums/IpsumLorem.pdf it shows/downloads the the PDF file. How to disable this?
I have searched on net and found sth like
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
If i use this in web.config, the user won't be able to download the pdf file even after logging in. So how to achieve file access only for logged in users. (Either using C# code or IIS Settings)?
Here you Go:
<location path="download">
<system.web>
<authorization>
<!-- Order and case are important below -->
<allow roles="user"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
download is your folder where you want to restrict the anonymous user from direct access.

Integrating ASP.NET Security with Non-ASP.NET URLs & docx files

I have an ASP.NET 2.0 application running on IIS6 (windows swrver 2003) and have successfully used the method described in this article: http://bit.ly/i78O7w to secure .jpg, .doc & .xls files in a directory named 'upload'.
I have now added .docx files to the directory but the browser returns a 404 when a docx is requested. The security still works.
Do I need to to make changes in web.config or in the Application Configuaration in IIS6?
web.config snippet:
<location path="upload">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
turns out I was missing the obvoious which was that I had to add the mime types for office 2007 to IIs6. Nothing to do with asp.net

Resources