Deny access to directory in IIS 6.0 - asp.net

How can I deny access to particular directory in IIS.
In Apache I could just add .htaccess file:
Order allow,deny
Deny from all
to Logs or cache directory and nobody will allowed to see any content in that directory.
However when I add Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
it works only for files handled by asp and doesn't work for i.e. log.txt.
I don't have access to IIS server, I can only add and change files.
Thanks in advance for help.

In IIS6 when you open folder properties you will see a checkbox labeled "Read". Try unsettling it

If you don't have access to IIS, do you at least have access to the file system? As in, can you set security on folders?
If so, go to the security tab on the particular folder and remove all rights to whatever guest account the site is running under.
Seeing as the only .net file are handled by the .net process and security model under IIS 6 (which you learned), I don't see what else you can do.
One other possibility - that may not work in your application - you could move all non .net files that require permission into the /App_Data/ folder. .Net does seem to just into the pipeline and prevent these files from being loaded. You could stream them instead.
FYI - if you DID have access to IIS this is a good article on how to restrict access to non .net files:
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/tipstricks/default.aspx#securingnonaspnetcontent

Go to the folder properties in IIS Manager -> Directory Security tab -> Authentication and access control.
Uncheck 'Anonimous access' checkbox and disable all the authentication methods below.
There is no built-in file-based access management like htaccess. This can be achieved using third-party ISAPI modules like Helicon Ape

Related

Change to web.config on server is not going into effect

when I debug my website locally using Visual Studio, the change to the web.config goes into the effect without any problem.
However, when I make the same change to the web.config on my server host (running IIS 7.5) it looks like the site is still running off the old version of web.config when I load it up in my browser. The new changes aren't applied.
I have tried stopping and starting my site's application pool on the server using IIS Manager, but still no change. I've also tried stopping and starting IIS, which isn't working either.
The change I am making to my web.config involves removing entries in the block to allow and deny users.
It is currently set up to prompt for credentials, and if valid, the site is accessible. If not, access is denied. The change I am trying to make is to allow access to all users and not prompt them for their credentials.
BEFORE:
<authorization>
<deny users="?" />
<allow roles="admins" />
<deny users="*" />
</authorization>
AFTER:
<authorization>
<allow users="*" />
</authorization>
What is the reason for this?
You have to reset IIS. Just open command prompt and run IISRESET and you should be good.
I have found that if I attempt to modify the Web.config directly through the file system (on an IIS server), my changes fail to be saved, and thus, are not applied. This is what I have found works for me, provided you have access to IIS on the host server:
NOTE: These instructions are based on IIS 8 on Windows Server 2012, but may still work for IIS 7.5.
Go to the IIS Manager on the host server
Drill down in the Sites until you find your application
Using the Features view, double-click the Authorization Rules
Use the Add Allow Rule... and Add Deny Rule... link in the Actions panel (on the right) to configure all your authorization rules.
This process updates the Web.config for you. If you need to edit or delete a rule, click on the applicable rule, then click the Edit... or Remove link in the Actions panel.
I hope this helps.
Are you deploying,publishing or copying? Make sure that your debug and release settings are the same. There are also instances when the virtual directory is not setup correctly and the correct webconifg is not loading.
Copy the web.config file from your server and place it in your local machine and modify according to your requirements. And then delete the web.config file in the server and copy and paste the modified web.config from local machine to server.
This work for me, but for me connectionstring was the Issue.
From MSDN - Web.Config
Any changes to the web.config file will require restarting the "Microsoft IIS Administration" service to take effect.
Maybe, maybe and maybe it help some one. I have the same problem. with IIS reset not work. with recycling AppPool not work. Maybe your drive have not free space.
This work sometimes after I delete some unwanted files. but I think important reason is Permission. we must use Editor like notepad or Run editor as administrator or web.Config need permission to change and then change Web.config. then Save.This works for me.
For me the problem was that I was building multiple solutions in the Azure DevOps pipeline and the deploy.cmd took the first web.config file as given. Therefore, I had changed the wrong web.config and the solution was to build via the csproj file and not via the solution.
Hope this helps somebody! :-)
You have to do following action
Click the BUILD menu
select the Clean Solution
after then
select the Re-build Application
Published the files (codes)
Above this action done, It is working fine without issue.
Reflecting changes in IIS services

Prevent User to see the file system asp.net

How can I prevent a User to see the file system in asp.net ? Do I need to change something in my IIS settings or on my Web.config ?
Thanks for help and fast answer
Lets starts from the fact that a remote user to been able to see a file is must know the full path of it on the browser.
To prevent that you disable the directory browsing and/or you have a default.aspx page on each directory. When there is a default page, then the IIS show that page.
Now the second security measure is not let the asp.net application user that runs yous site to have accesss to any file beyond the site running files.
The site is run under two accounts. One for the IIS, and one for the Pool. both this accounts must have limited access only to your site directory and only for read, and for write only on the files/directories that needed to your application.
Additional you can use a web.config on some directories to prevent the run of any aspx page as:
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
but this is not prevend to see files that are not pass from asp.net (like images)
Also you can read
How to find out which account my ASP.NET code is running under?

Same website different port Javascript and Stylesheets

I've a website running under IIS7. Everything works fine with this website. I've copied the directory and created a clone website on a different port. When I browse to the new website on the different port, I do not get any of the style settings until I log in -- then all appears normally.
The problem appears to do with the ASP.NET Membership/Authorization. I have a web.config in the subdirectories to allow all users (web.config) but the clone website is not using them even though all the config, directories, etc are the same. Only the port is different or non .config settings that IIS 7 uses.
I've discovered the problem but not the whole answer. The directories needed the IUSR permission to work but the original website doesn't have those permissions. It only had IIS_IUSRS. IF anyone can fully explain this behavior and how to fix the problem without granting IUSR then I will award the bounty for that answer.
The answer should be fully explanatory.
One potential issue would be with authorization settings in your config.
Look for something like this:
<location path="MyResourcesFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
The above example would produce the effect that you've described assuming that your resources (css, jscript, etc) were located in a folder named MyResourcesFolder. Check the web.config that's in the actual website and not necessarily the project. This is because your website config may not be the same as your project config if you are using config transformations.

What replaces .htaccess on IIS/ASP.NET sites?

On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.
Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance?
e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default but where can I change the settings for this folder as I could with a .htaccess file?
Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:
<location path="Secret" allowOverride="false">
<system.web>
<authorization>
<deny users="*" />
</authorization>
<httpHandlers>
<remove path="*.*" verb="*"/>
</httpHandlers>
</system.web>
</location>
I have only used the authorization portion of that snippet and it works great. The handler should further lock it down and using a ISAPI filter would be able to put the finishing touches on it.
Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.
http://learn.iis.net/page.aspx/473/using-urlscan
http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
There are some things you can do with web.config like defining security settings etc...
Other times you have to use HttpModules or HttpHandlers, look here:
http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx
If not, you can find different ISAPI, but in this case you need access to IIS.
For example, the ISAPI for emulating rewrite mod apache:
> http://www.codeplex.com/IIRF
The other question, yes ASPNETDB.MDF in APP_Data is protected normally (it depends on your administrator). To change the path, change the connectionstring.
There are two cases:
If the server is using IIS7 then there is equivalent functionality available using the web.config approach for all files.
If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting) then its more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure) then again the web.config approach will work but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...
That said for asp.net there are files that are protected by default anyway - files in app_data as already mentioned plus specific file types (like .config). Additionally one would expect a decent host to provide a directory that is not accessible via the web - ours offer a private and a web folder, both accessible via FTP but only the contents of the latter via the web.
As per the [documentation on Application Folders][1], IIS won't serve requests to content stored in the /app_data folder although your application can read and interact with those files.
ASP.NET recognizes certain folder names that you can use for specific types of content. The following table lists the reserved folder names and the type of files that the folders typically contain.
Note
The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.

CSS not being applied on non authenticated ASP.NET page

When developing (works fine live) the pages for our website don't pick up the correct CSS until the user has authenticated (logged on).
So the Logon and Logoff forms look bad, but once inside the site, the CSS works again.
I'm guessing it's some kind of authentication issue? Haven't really looked into it too much because it's only when working on dev so not a huge issue, but would be nice to know how to fix it.
To allow an unauthenticated user to see your .css files (or any other file/directory) you can add a location element to your web.config file pointing to the .css file.
<configuration>
<system.web>
// system.web configuration settings.
</system.web>
<location path="App_Themes/Default/YourFile.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Check and make sure that the CSS file itself is not in an area that you are securing. You can manually exclude the file via the web.config if needed.
I just ran into this problem myself and manually adding the location made no difference. I found that I had given the IIS_IUSRS access to the folders so my application pool had no problem accessing the files but IIS was using the IUSR account for anonymous access.
To fix it, I opened IIS Manager -> IIS: Authentication -> Select 'Anonymous Authentication' -> Click Actions: Edit.. (or right click) -> Select 'Application pool identity'
Now anonymous access attempts use the IIS_IUSRS which have the correct file permissions.
Can you try using a tool like Fiddler or HttpWatch and check if a request actually goes for the .css file from the login page. Verify the return codes are 200. Could be because of relative path issue in your dev box.

Resources