IIS denying access to simple HTML file in virtual directory - iis

I'm trying to display simple HTML files in a folder on my web site. No ASP.NET, no application, just a virtual directory. I'm getting "Access denied" in the browser when I try to open a web page.
This is through a hosting provider; I have access through FTP and IIS Manager only.
Authorization Rules show Allow - All Users - Inherited.
I'm far from an expert on IIS, and most search results either suggest checking folder permissions in the file system (which I have no direct access to) or are relevant to applications.
How can I diagnose this?
More information:
Through trial and error, I found out the cause, and worked around it with URL Rewrite. I'd still like to know why it's happening (the root cause) and how to change IIS's behavior.
I'm moving my site from Linux hosting to Windows hosting. Some of the old URLs are of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The ones I'm moving are HTML files, not PHP files, but I tried to mirror the folder structure.
The problem is in the index.php folder name. No matter what I do, even if I enable directory browsing, IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.
I've scanned through many of the IIS settings and haven't found any mention of forbidding a .php extension. What's going on?

You need to add permission for IIS users.Try adding permission to the folder by adding user
IIS_IUSRS and give required permission .
1.Right click on folder, go to properties
2.Go to security tab
3.Click on Edit, if you don't see IIS_IUSRS in the user list who have permission
4.Click on Add , In the box , add IIS_IUSRS and click on check names, it will
get the qualified name .
5.Click OK and apply
Hopefully it should work then

Through trial and error, I found out the cause, and worked around it with URL Rewrite.
For URLs of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The problem is in the index.php folder name. IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.

This is reminiscent of Joomla virtual (SEO) URLs. I'm assuming that you don't really have static files at all, but the CMS program running your site parses this information after the "index.php" as parameters for a database query to create the html page on the fly. In this case, the only file that's really being served by the web server is index.php, and the program includes other php files depending on the parameters entered. You're on the right track though, with creating a small file on the destination server and try to load it, but this means the index.php directory structure is moot.

Related

Directory browsing disable in IIS however application log files were disclosed within the ‘log’ folder

I set the Directory Browsing to false in IIS. After that it is not possible to list files in directories on website. It works! However I can browse the file path through the http link. The following example screenshot below shows that sensitive information such as application log were disclosed within the ‘log’ folder through directory listing of the web server
How to disable file browsing also?
You can set permissions for these files so that users don’t have access. Click on your website in the sites and right-click find switch to the content view, you can see your website documents and then edit the permissions for the file. You can directly select the hidden option in the attributes. In this way, the visiting user will not be able to see it.

IIS 8.5 is not serving JS, CSS, and Image files (static content)

The problem
We're running IIS on Windows 8.1 with Update. We're at the Orchard CMS first time setup screen, and IIS is giving 401s for all static content. We have read the following to no avail:
IIS 7.5 no images css js showing
IIS 7.5 no images css js showing
The official Orchard deployment documentation
Based on those, this is what I have tried that doesn't work.
Turn on the IIS feature to Serve Static Content.
Give IIS_IUSRS permission to Read, write & execute.
Give the site's application pool permission to Read, write & execute.
What does work though is the nuclear option: to give Everyone the Read permission (unless we want to proceed with the Orchard setup; then we need to give Everyone even more permissions.) That leads me to believe that I must give permission to some principle with less scope than Everyone but more scope than both IIS_IUSRS and the application pool combined.
Who/what is that principle?
Pictures to show the problem
We receive a 401 on ..\Themes\SafeMode\Styles\site.css
The task manager confirms that the site is running as the orchard user.
The security properties of the ..\Themes\SafeMode\Styles\ directory gives Read permission to orchard.
Why does it only work when we give Read permission to Everyone?
I had a similar problem. Under authentication, I right clicked "Anonymous Authentication" and clicked "Edit". That shows a dialog giving you the ability to set the identity of the anonymous user. I set it to "Application pool identity" and that fixed the problem for me.
.
This may not be the most secure configuration though, but I'm on a dev server so I don't care.
Try turn on the Static Content and Directory Browsing features under Internet Information Services->World Wide Web Services->Common HTTP Features node.
In my case I had to set Read permission for IUSR user for the web site folder.
So, what I had to do to fix this problem was the following:
(and please understand, that this is not ASP or PHP script related, the server wouldn't even show basic simple .html files, yet would serve out PHP results all day long!)
Two fold…
Had to set the application pool for each site, under advanced settings, to use LocalSystem for it’s process
Under site, advanced settings, security, add the IUSR account to have read & list contents access, for the site… :-)
See any problems with doing that?
'cuz it's working....
Updating windows feature for WWW services/Common Http Features/static content by selecting Static Content checkbox fixed my IIS not service static content issue.
Open IIS -> go to advanced settings of selected website and open Physical Path Credentials -> Select specific user and enter your local user credentials. Open below screenshot for further visualising the things:
IIS Settings

My .htaccess is changed over and over and over

I hope you can help me, I have a website and constantly the .htaccess file is hacked to redirect to another page, every time I delete that file, when I check the file after 5 minutes, again the file is written to redirect to a page with malware, I changed passwords of sftp, the page itself and the database several times from different computers with windows and linux but this file is constantly changed in the main page and creating hacked .htaccess in the subdirectories, Why does this keep happening? HELP
The web page is hosted in Dreamhost.
If the permissions on your .htaccess file are set so that only you can modify it, then you will find one of the following:
An entry in your FTP access log showing .htaccess being uploaded
An entry in the control panel access log showing the .htaccess being edited
An entry in your HTTP access log at the time that the modification happens (often a POST, but not necessarily). This is often to a generalised backdoor process of some sort.
A crontab entry that makes this modification
Additionally, you will find that your site was hacked somehow - e.g. insecure version of JCE editor, poor passwords, nonumber extensions, flash uploader, failure to update for known security problems, or similar. It's all in the logs. You will also find that there are a stack of little PHP files or an extra admin account which will let the attacker back once you sort out the obvious part of the problem.

Restricting access to files within a folder to webservice IIS6/7

I am looking for a way to restrict direct access to a certain folder or folders on our website which is hosted in IIS7 in our second dev environment, IIS6 in our first dev environment and IIS6 on production.
Basically we should be able to link to these files from our website i.e.:
http://www.domain.com/stuff/survey.pdf
But if someone tries to link to this from a blog post, etc. it should not serve the content. Is there any way to do this in a web config or is that beyond the abilities of IIS?
What I ended up doing was writing a PHP script which served content from outside of the web root, but only if the user was logged in and had a valid site cookie.
Then I created folders to replace all the content we were currently serving (.pdf, .png, etc.) since there was not that much that we wanted secured. I name the folder the same as the original document, i.e.: /webroot/survey.pdf/ and then placed the index.php inside of the survey.pdf folder.
This worked, and now we can use the script to link to content that we want secured.

Secure file downloads in dotnetnuke

I'm relatively new to dotnetnuke and am trying to set up a simple site which will have multiple user groups with their own set of files and then another user that has access to all files.
I'm currently playing with doing this with the "documents" module and hiding the module from all but the everything user and the specific company user. This works fine but the security seems to be just security by obscurity.
If I log in as User A and get access to file A and copy its url. I then log out and log in as user B who can't see that file. If I then put the file url into the browser it seems to download fine.
Can anybody tell me if I am doign something wrong or is there no actual user based security on file downloads? I've tried goign to the actual file manager and making the directories explicitly not viewable to user B (they are secure directories too) but still it persists. Am I missing a permissions option at the file level somewhere or is the security designed to just prevent you finding the right links to the files? I'll admit the links aren't guessable (no sequential ids in the url or anything silly like that) but I'm still a little uncomfortable with the security working like this...
DNN FileManager Module
Hi Chris,
Please check out the FileManager module per above link. You are correct that the current FileManager module does not allow access per user roles. You might check Snowcovered for possible substitutes?
It seems that I was doing something wrong. I was referencing a different version of the file which didn't have any permissions attached to it. It seems also that I don't need to have multiple documents modules since if a file doesn't have read permission it will just be hidden in the list.
So to summarise the DNN Documents module will do role based security to prevent unauthorised users from downloading the file and from seeing it in the documents view.
Documents module provides security for LinkClick.aspx urls that are routed to ASP.NET.
If the actual files reside in the file system under the site's root folder, direct urls to these files are served and secured by IIS.
To prevent unauthorized access to direct urls you can disable anonymous authentication and set up Basic authentication with NTFS permissions, for example.
If don't want to touch IIS and administer Windows accounts, you can't store the files directly under any publicly available IIS folder. Security at the ASP.NET application-level is implemented using file encryption or storing the files outside the public IIS folders, like in the database. DNN File Manager offers both of these options: secure folders in the file system and secure folders in the database.
There are also 3rd party modules to manage file security and sharing, like NukeTransfer.

Resources