I have a simple internal site using IIS 8.5 Basic Authentication.
In one specific html file I want to restrict even further to some users/roles.
UPDATE: This is my Web.config. I can still access the inhouse.html file in a browser with my Windows (LDAP) account. I want to block all users from accessing this, then only allow a few users.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.6" />
    <httpRuntime targetFramework="4.6" />
    <authentication mode="Windows" />
  </system.web>
  <location path="inhouse.html">
    <system.web>
      <authorization>
        <remove users="*" roles="" verbs="" />
      </authorization>
    </system.web>
  </location>
</configuration>
Try this:
<location path="inhouse.html">
  <system.web>
    <authorization>
      <remove users="*" roles="" verbs="" />
      <!-- add the users you want here -->
    </authorization>
  </system.web>
</location>
It depends on the rest of your web.config as to whether system.webServer or system.web applies.
Related
We have tried the code below in web.config:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
In your web.config, at the bottom, just before the closing configuration tag, put the following:
<location path="WebResource.axd">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="ScriptResource.axd">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
I've recently created an MVC application that leverages Windows Authentication. I have a subdirectory named "EventReceivers" that I want to allow anonymous access on. I've updated my web.config with the proper location element and all works fine on Windows Server 2012 w/ IIS8. However, when I deploy the same project to Azure Pack, the files in the EventReceivers directory prompt users for credentials.
Below is my web.config snippet. Any suggestions?
<system.web>
  <customErrors mode="Off"/>
  <compilation debug="true" targetFramework="4.5" />
  <httpRuntime targetFramework="4.5" />
  <authentication mode="Windows" />
  <authorization>
    <allow verbs="OPTIONS" users="*" />
    <deny users="?" />
  </authorization>
</system.web>
<location path="EventReceivers">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
You must also disable Windows authentication within the location element, like so:
<location path="EventReceivers">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="false" />
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
After login I am not able to access the page; after login it redirects to the login page again.
I am using a two-level folder structure. The CMS folder contains two folders:
1. User
2. Admin
---CMS
----User
----Admin
Meaning CMS/{USER}{Admin}.
In the main web.config I set the loginUrl and allow all users:
<system.web>
  <compilation debug="true" targetFramework="4.0">
  </compilation>
  <authentication mode="Forms">
    <forms name="HESCMS1.0" loginUrl="~/CMS/User/Login.aspx" timeout="40" slidingExpiration="true" cookieless="UseCookies" protection="All" requireSSL="false" enableCrossAppRedirects="false"/>
  </authentication>
  <authorization>
    <allow users="*"/>
  </authorization>
  <customErrors mode="Off"></customErrors>
</system.web>
<system.web>
  <httpRuntime requestValidationMode="2.0"/>
</system.web>
In the User folder web.config, set the role for the admin user:
<system.web>
  <authorization>
    <allow roles="CMSUserAdmin" />
    <deny users="*"/>
  </authorization>
</system.web>
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
In the Admin folder web.config, set the role for the super admin:
<system.web>
  <authorization>
    <allow roles="CMSSuperAdmin"/>
    <deny users="*" />
  </authorization>
</system.web>
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
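The folder-level rules above, and the inhouse.html <location> in the first question, are all evaluated by the same ASP.NET mechanism: rules from the most specific config come first and the first rule that matches the user decides. The evaluator below is an added example (not code from any post in these threads) that models that mechanism over constructed rule sets mirroring the CMS/User layout:

```python
import xml.etree.ElementTree as ET

ANONYMOUS = None  # an unauthenticated request has no user name


def parse_rules(xml_text):
    """Read the <allow>/<deny> rules of an <authorization> element, in document order."""
    auth = next(ET.fromstring(xml_text).iter("authorization"))
    split = lambda s: [v.strip().lower() for v in s.split(",") if v.strip()]
    return [(r.tag, split(r.get("users", "")), split(r.get("roles", "")), split(r.get("verbs", "")))
            for r in auth if r.tag in ("allow", "deny")]


def rule_matches(rule, user, user_roles, verb):
    """A rule applies when its verb list (if any) contains the verb and the user or a role
    matches. '*' is every user, '?' only the anonymous user; names compare case-insensitively."""
    _, users, roles, verbs = rule
    if verbs and verb.lower() not in verbs:
        return False
    if "*" in users or ("?" in users and user is ANONYMOUS):
        return True
    if user is not ANONYMOUS and user.lower() in users:
        return True
    return any(role.lower() in roles for role in user_roles)


def is_allowed(config_chain, user, user_roles=(), verb="GET"):
    """config_chain lists rule sets from the most specific (a <location> or a sub-folder's
    web.config) to the least specific; the first matching rule anywhere in the chain decides."""
    for rules in config_chain:
        for rule in rules:
            if rule_matches(rule, user, user_roles, verb):
                return rule[0] == "allow"
    return True  # nothing matched: the machine-level config ends with <allow users="*"/>


# Constructed rule sets mirroring the root, CMS/User folder and Login.aspx configs above.
ROOT_RULES = parse_rules('<authorization><allow users="*"/></authorization>')
USER_FOLDER_RULES = parse_rules(
    '<authorization><allow roles="CMSUserAdmin"/><deny users="*"/></authorization>')
LOGIN_PAGE_RULES = parse_rules('<authorization><allow users="*"/></authorization>')


def cms_user_folder_access(user, user_roles, page):
    """Access decision for CMS/User/<page>: the Login.aspx <location> is consulted first."""
    chain = [USER_FOLDER_RULES, ROOT_RULES]
    if page.lower() == "login.aspx":
        chain.insert(0, LOGIN_PAGE_RULES)
    return is_allowed(chain, user, user_roles)
```

A logged-in user who lacks the CMSUserAdmin role hits the <deny users="*"/> rule on every page except Login.aspx, which is what a redirect back to the login page looks like. Note also that ASP.NET's UrlAuthorizationModule only runs for requests handled by managed code in the default IIS integrated pipeline, so a <system.web> rule does not cover a static file such as inhouse.html unless runAllManagedModulesForAllRequests="true" is set or the rule is placed under <system.webServer><security><authorization>.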
This is my first post on Stack Overflow, so I don't have much experience.
For security reasons I want to disable those methods at the application level, so I have this web.config file:
<configuration>
  <location path="index.php">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
    <system.web>
      <authorization>
        <deny verbs="OPTIONS" users="*" />
        <deny verbs="TRACE" users="*" />
        <deny verbs="HEAD" users="*" />
        <deny verbs="PROPFIND" users="*" />
        <deny verbs="COPY" users="*" />
        <deny verbs="LOCK" users="*" />
        <deny verbs="UNLOCK" users="*" />
        <deny verbs="PROPPATCH" users="*" />
        <deny verbs="MKCOL" users="*" />
        <deny verbs="MOVE" users="*" />
        <deny verbs="DELETE" users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
But this didn't work - any ideas?
Finally I found another answer for this problem, and this is working for me. Just add the data below to your web.config file.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
For more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering
If you want to test whether your web site is working or not, you can use the "HttpRequester" Mozilla Firefox plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/
This worked for me, but only after forcing the specific verbs to be handled by the default handler.
<system.web>
  ...
  <httpHandlers>
    ...
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
  </httpHandlers>
</system.web>
You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx
An easy way to test is just to deny GET and see if your site loads.
This one disables all bogus verbs and only allows GET and POST:
<system.webServer>
  <security>
    <requestFiltering>
      <verbs allowUnlisted="false">
        <clear/>
        <add verb="GET" allowed="true"/>
        <add verb="POST" allowed="true"/>
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
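To check what a given <requestFiltering><verbs> section actually lets through before deploying it, here is an added example (not from any of the answers) that parses the two configs above, constructed inline, and reports which of the verbs the question tried to block would still reach the application:

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, copied from the two request-filtering answers above.
ONLY_OPTIONS_DENIED = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="true"><add verb="OPTIONS" allowed="false" /></verbs>
</requestFiltering></security></system.webServer></configuration>"""

GET_POST_ONLY = """<configuration><system.webServer><security><requestFiltering>
  <verbs allowUnlisted="false"><clear/>
    <add verb="GET" allowed="true"/><add verb="POST" allowed="true"/></verbs>
</requestFiltering></security></system.webServer></configuration>"""

# The verbs the question tried to block with <deny verbs="..."> rules.
QUESTION_VERBS = ["OPTIONS", "TRACE", "HEAD", "PROPFIND", "COPY", "LOCK", "UNLOCK",
                  "PROPPATCH", "MKCOL", "MOVE", "DELETE"]


def verb_policy(web_config_xml):
    """Return verb -> True (passed on to the handler) or False (rejected with HTTP 404.6)."""
    verbs_el = next(ET.fromstring(web_config_xml).iter("verbs"), None)
    if verbs_el is None:
        return lambda verb: True  # no <verbs> section: request filtering passes every verb
    allow_unlisted = verbs_el.get("allowUnlisted", "true").lower() == "true"
    listed = {}
    for entry in verbs_el:
        if entry.tag == "clear":
            listed.clear()  # <clear/> discards entries inherited from parent configs
        elif entry.tag == "add":
            listed[entry.get("verb").upper()] = entry.get("allowed", "true").lower() == "true"
        elif entry.tag == "remove":
            listed.pop(entry.get("verb").upper(), None)
    return lambda verb: listed.get(verb.upper(), allow_unlisted)


def still_allowed(web_config_xml, verbs=QUESTION_VERBS):
    """Verbs from the list that the given config would still let reach the application."""
    allowed = verb_policy(web_config_xml)
    return [verb for verb in verbs if allowed(verb)]
```

With allowUnlisted="true" and only OPTIONS listed, every other verb from the question still passes; the allowUnlisted="false" variant with <clear/> blocks all of them, so a denied verb shows up as 404 (substatus 6) rather than a handler response.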
For anyone looking for a UI option using IIS Manager:
1. Open the website in IIS Manager.
2. Go to Request Filtering and open the Request Filtering window.
3. Go to the Verbs tab and add HTTP verbs with "Allow Verb..." or "Deny Verb...".
This lets you add the HTTP verbs to the "Deny Verb..." collection.
[Screenshots: the Request Filtering window in IIS Manager, and the "Add Verb..." / "Deny Verb..." dialogs.]
I managed to secure a folder structure with URL authorization in IIS7 with the following:
<location path="Reports">
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
      </authorization>
    </security>
  </system.webServer>
</location>
<location path="Reports/Company1">
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="User1"/>
      </authorization>
    </security>
  </system.webServer>
</location>
<location path="Reports/Company2">
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="User2" />
      </authorization>
    </security>
  </system.webServer>
</location>
Now my problem is that when User1 from Company1 tries to access a file from the Company2 folder, he gets prompted for credentials. I would like him to receive an "access denied" message instead. I tried to add a in the second location tag, but without success.
Not possible as far as I can see. You need to at least attempt to verify the user before you can display the access denied (by means of custom errors perhaps). However, before this verification has started, there is also no way to determine which user it is.