On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.
Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance?
e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default but where can I change the settings for this folder as I could with a .htaccess file?
Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:
<location path="Secret" allowOverride="false">
<system.web>
<authorization>
<deny users="*" />
</authorization>
<httpHandlers>
<remove path="*.*" verb="*"/>
</httpHandlers>
</system.web>
</location>
I have only used the authorization portion of that snippet and it works great. The handler should further lock it down and using a ISAPI filter would be able to put the finishing touches on it.
Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.
http://learn.iis.net/page.aspx/473/using-urlscan
http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
There are some things you can do with web.config like defining security settings etc...
Other times you have to use HttpModules or HttpHandlers, look here:
http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx
If not, you can find different ISAPI, but in this case you need access to IIS.
For example, the ISAPI for emulating rewrite mod apache:
> http://www.codeplex.com/IIRF
The other question, yes ASPNETDB.MDF in APP_Data is protected normally (it depends on your administrator). To change the path, change the connectionstring.
There are two cases:
If the server is using IIS7 then there is equivalent functionality available using the web.config approach for all files.
If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting) then its more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure) then again the web.config approach will work but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...
That said for asp.net there are files that are protected by default anyway - files in app_data as already mentioned plus specific file types (like .config). Additionally one would expect a decent host to provide a directory that is not accessible via the web - ours offer a private and a web folder, both accessible via FTP but only the contents of the latter via the web.
As per the [documentation on Application Folders][1], IIS won't serve requests to content stored in the /app_data folder although your application can read and interact with those files.
ASP.NET recognizes certain folder names that you can use for specific types of content. The following table lists the reserved folder names and the type of files that the folders typically contain.
Note
The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.
Related
Is there a way to tell IIS to read configurations from a different file than web.config?
Why would anyone do this?
Convenience. When working with static resources like an .aspx, or .js, or an MVC view file, it is often sufficient to hit Refresh in the browser to see the effect of that change.
Also, more specific to our scenario is that we re-use some of our code-base in different flavors of the web site, their differences being defined in their respective .config files, and each of these sites run locally on our development clients.
Getting the change to a different location than the one you are actually working in is somewhat time-consuming: A Publish operation will properly compile and copy the entire web application to the target location, copying the individually changed file manually is often... fiddly.
So what I would like for to be possible is this:
I work on my project in c:\workbench\FlavMaster3000. In this folder I create the various flavors of web.config files:
web.apple.config
web.banana.config
web.cherry.config
I create sites in IIS that represents each flavour and set their directory to the same as above.
https://local-apple/
https://local-banana/
https://local-cherry/
And I would like for IIS to read each site's configurations from the respective flavor of .config.
Is this at all possible, or am I a dreamer with a hopeless dream?
-S
You can put your specific configuration in external file(s) and link those files in your web.config file as shown below. However downside is way web.config is watched for any changes in it and gets applied immediately when you save web.config, these external files will not be monitored and you will require to manually restart app pool.
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings configSource="Myconfigs/myappSettings.config"/>
<connectionStrings configSource="Myconfigs/myconnections.config"/>
<system.web>
<pages configSource="Myconfigs/mypages.config"/>
<profile configSource="Myconfigs/myprofile.config"/>
<httpHandlers configSource="Myconfigs/myhttpHandlers.config"/>
<httpModules configSource="Myconfigs/myhttpModules.config"/>
</system.web>
</configuration>
I've a website running under IIS7. Everything works fine with this website. I've copied the directory and created a clone website on a different port. When I browse to the new website on the different port, I do not get any of the style settings until I log in -- then all appears normally.
The problem appears to do with the ASP.NET Membership/Authorization. I have a web.config in the subdirectories to allow all users (web.config) but the clone website is not using them even though all the config, directories, etc are the same. Only the port is different or non .config settings that IIS 7 uses.
I've discovered the problem but not the whole answer. The directories needed the IUSR permission to work but the original website doesn't have those permissions. It only had IIS_IUSRS. IF anyone can fully explain this behavior and how to fix the problem without granting IUSR then I will award the bounty for that answer.
The answer should be fully explanatory.
One potential issue would be with authorization settings in your config.
Look for something like this:
<location path="MyResourcesFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
The above example would produce the effect that you've described assuming that your resources (css, jscript, etc) were located in a folder named MyResourcesFolder. Check the web.config that's in the actual website and not necessarily the project. This is because your website config may not be the same as your project config if you are using config transformations.
I need to prevent someone from directly accessing a pdf, instead only allowing them to be pulled through the app itself. How can this be done?
Add this to your top-level Web.config to block a folder called Reports (your folder name goes there).
This will allow your application to access Reports/file.pdf but an outside request to yoursite.com/Reports/file.pdf will be blocked.
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Reports" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
There are two solutions for doing that:
1- You can put your “UsersUploads” folder outside the website
directory, so if your website exist on “c:\website\example.com” you
can put the “UsersUploads” there “c:\UsersUploads”, Like that IIS has
no control over this folder and its files, And your website code will
still have access to this directory as a normal physical path.
2- Stop IIS from serving this folder:
IIS by default doesn’t server some website folders and files such
App_Data, App_Code, bin, App_GlobalResourses, App_LocalResources,
Web.config,….
Put the files in the app_data folder and then use a HttpHandler to serve the files. You can use url rewriting if you want to hide it and make it look cleaner.
set the permissions on the folder to deny access to whoever. Ask your sys admin guy to create an account and give read access to the folder. Then set impersonation up in the web.config file to use the new account.
Read this
http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx
How can I deny access to particular directory in IIS.
In Apache I could just add .htaccess file:
Order allow,deny
Deny from all
to Logs or cache directory and nobody will allowed to see any content in that directory.
However when I add Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
it works only for files handled by asp and doesn't work for i.e. log.txt.
I don't have access to IIS server, I can only add and change files.
Thanks in advance for help.
In IIS6 when you open folder properties you will see a checkbox labeled "Read". Try unsettling it
If you don't have access to IIS, do you at least have access to the file system? As in, can you set security on folders?
If so, go to the security tab on the particular folder and remove all rights to whatever guest account the site is running under.
Seeing as the only .net file are handled by the .net process and security model under IIS 6 (which you learned), I don't see what else you can do.
One other possibility - that may not work in your application - you could move all non .net files that require permission into the /App_Data/ folder. .Net does seem to just into the pipeline and prevent these files from being loaded. You could stream them instead.
FYI - if you DID have access to IIS this is a good article on how to restrict access to non .net files:
http://quickstarts.asp.net/QuickStartv20/aspnet/doc/tipstricks/default.aspx#securingnonaspnetcontent
Go to the folder properties in IIS Manager -> Directory Security tab -> Authentication and access control.
Uncheck 'Anonimous access' checkbox and disable all the authentication methods below.
There is no built-in file-based access management like htaccess. This can be achieved using third-party ISAPI modules like Helicon Ape
Trying to prevent access to a specific file, not any files with a certain extention, just one specific file.
The issue is that the end user can just type: /filename.xml into their browser and can see the contents of this file, i'd rather they not be able to see this.
Things I have tried:
1) Putting the file elsewhere
I have a "secure" folder as part of my hosting account. So I figured i'd just change the path to: "..\..\..\SSL\FileName.xml" and move the file there. ASP.NET crashes on this one with the error:
Cannot use a leading .. to exit above the top directory
So I presume that's in place for security purposes.
2) Location in web.config
So next I tried to use this in the web.config:
<location path="FileName.xml">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
This doesn't seem to do anything.... anyone know why? I'm not specifically using ASP.NET authentication in this app, is that why this doesn't work?
3) Using IIS to prevent access
Alas, I do not have access to IIS as I have a terrifically lame hosting account.
So does anyone know what i'm doing wrong with the above attempts or have any alternative solutions I can try?
kthxbye!
Can you add the ASP.Net folder "App_Data" to your application, and put the xml file in there? This folder is specifically meant to hold this type of data and hide it from browsers/users, but keep it within your application scope.
alt text http://img178.imageshack.us/img178/7708/appdata.png
As to why the authorization directive in your web.config file is not working, it's because the ".xml" file extension is not handled by the ASP.Net pipeline. You would need to configure your IIS to send all requests for xml files through the ASP.Net request handlers in order to apply that security directive to it.
IIS Doesn't handle xml files (just post them to requester) and thus security does not work. Surprisingly on Mono platform in would work... anyway, You can make this workarounds:
Store file in really secure folder and access it using aspx page (file name as parameter)
Store file in db and rest like in 1
Store file whatever in Your hosting account folders and give it GUID name, then store GUID and real file name connection in DB and handle file download thru aspx page.