restricting IP security - security

Having an issue with restricting IP security.
I have made a web.config file and placed it in the folder I am trying to restrict see below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" enableProxyMode="true" denyAction="Forbidden">
<clear />
<add ipAddress="123.456.789" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
</configuration>
I have also adjusted the applicationHost.config to:
<section name="ipSecurity" overrideModeDefault="Allow" />
However when browsing to a file in that folder I get a 403.
I have restarted IIS and IP address is correct.
What am I missing?

Check the client IP (c-ip) in IIS logs and add that to ip - restrictions rules.

Related

Location + Path in web.config not working in Azure

Just created a new Asp.Net Core MVC App and published it to Azure.
By adding the location/path element to a web.config and re-publishing the site.... my azure-app is immediately broken.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="authenticate" allowOverride="true">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</location>
</configuration>
Why is the below not working in Azure Web App?
Could you please try the below code, assuming you want to restrict user to access anything under authenticate folder:-
The following web.config example would apply any settings within the elements only to any resources located within the /authenticatedirectory of the site:
<location path="~/authenticate" allowOverride="true">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</location>
If it doesn't work, can you enable the under system.web and let me know what errors are you getting.

How to load index.asp in IIS 7.5

I have a site/application I would like to load in IIS. The root of the folders contains a web.config and index.asp. The sub folders are asp, scripts, styles, images.
I add Add Web site in IIS, define the physical path to the location of the index.asp, assign the IP address for host name I tried local host, IP, and leaving it blank. When I click on Browse Website I receive a HTTP 500 Internal Server Error. IIS is running and the Web Site is started in the Manage Website menu.
If I write a short index.html hello world page and set it as default document it displays ok. When I change default document back to index.asp I get the 500 error again.
Could someone give me a tip on how to proceed?
Here is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
This is going to be a guess at best, since a 500 can mean anything without a sub-status code. It probably is due to configuration inheritance. index.asp is already in the default list of default documents at the server level. By adding index.asp, it may be causing a unique hey violation when the configuration inheritance is flattened into the effective configuration.
Suggestion:
Add a <clear /> element right above the <add value="index.asp" /> and try again. Otherwise, we will need to go get the sub status code of that 500 to get more information. The IIS log usually contains the sub status in the sc-substatus.
Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
If this works, then the reason it originally works with index.html because index.html is not in the default files list.
Additional Note
The other thing I can think of is that impersonation being enabled. If you are running the application pool in Integrated Pipeline mode, you'll need to turn off integrated mode configuration validation. More information can be found here: Integrated Pipeline mode configuration validation.
New Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="False" />
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

Enable cross site access in OK Hosting?

I'm trying to download the bootsrap fonts from a container I have in a site hosted by OK Hosting. I can download the font manually but when using it in a CSS on a page hosted in another server, it fails because cross site access is disabled.
I know OK Hosting uses IIS but they give you a web based control panel.
How do I enable cross site access?
Ok, you just have to add a file called web.config at the root of your site with the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
You might also need the following just below the Access-Control-Allow-Origin.
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />

Sitecore Content Delivery security hardening admin folder

We are using azure webapps for sitecore infrastructure.
We need to apply security hardening on CD i.e. disable the sitecore client access. I had a look at security hardening guide which mentions about disabling annonymous access to sitecore/admin access.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However this is not possible in Azure web-apps as we don't have access to IIS.
What's the best way to resolve this?
Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform ="Replace" >
<requestFiltering>
<denyUrlSequences>
<add sequence ="/sitecore/" />
<add sequence ="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering
you can configure the security configurations in the web.config for your Sitecore CD server. E.g. Add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>

HTTP Error 404.7 - Not Found The request filtering module is configured to deny the file extension

I'm trying to configure the default webpage for an IIS 7.5 website.
Request filtering is turned on. However .aspx pages are allowed, I've set default.aspx to be the default page for the website.
If I browse to localhost/default.aspx I get a webpage as expected.
IF I browse to localhost/ I get
HTTP Error 404.7 - Not Found
The request filtering module is configured to deny the file extension.
Any ideas?
It looks like the request filtering is actually filtering for a blank file name. Therefore you have to add this to the request filtering block in the web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
It's obvious now, but really I think its a massive gotcha.
More info: IIS 7 Not Serving Files - 404.7 Error
You can resolve by adding:
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
to your Web.Config file
You can resolve this by adding the file extension into the request filtering module of IIS.
Be sure to remove any PostBackURL="MyPage.aspx" from the button on the page. My guess is that when the postbackurl is included, IIS thinks its getting the page as a file. It rejects the .aspx file type by default. You can see this in the page error.
Bad: Creates a 404.7 (notice the PostBackURL)
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" PostBackUrl="MyPage.ascx" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />
Good: No error
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />

Resources