Why is "SSL Settings" feature delegation disabled by default? - iis

I would like to specify SSL flags in application web.config file. Actually, I would like to get something like this:
<configuration>
...
<location path="">
<system.webServer>
<security>
<access sslFlags="Ssl" />
</security>
</system.webServer>
</location>
<location path="Public">
<system.webServer>
<security>
<access sslFlags="None" />
</security>
</system.webServer>
</location>
...
</configuration>
But I found that "SSL Settings" feature delegation is disabled by default.
So I'm wondering whether it's dangerous to enable this or not. I can't imagine why this could be dangerous... but I'm confused by the default IIS settings.
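To see which parts of a web.config actually depend on feature delegation, here is an added Python check (not from the question or from IIS) that reads the overrideModeDefault values from a constructed applicationHost.config fragment mirroring the stock defaults and reports every section the web.config above sets in a scope where that default is Deny; it reads only overrideModeDefault, not the per-site overrideMode that a real applicationHost.config can also carry in its own location elements.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment mirroring the stock IIS defaults: the
# "access" (SSL Settings) and "ipSecurity" sections are not delegated to web.config.
APPHOST = """<configuration><configSections>
 <sectionGroup name="system.webServer"><sectionGroup name="security">
  <section name="access" overrideModeDefault="Deny" />
  <section name="authorization" overrideModeDefault="Allow" />
  <section name="ipSecurity" overrideModeDefault="Deny" />
  <section name="requestFiltering" overrideModeDefault="Allow" />
 </sectionGroup></sectionGroup>
</configSections></configuration>"""

# The questioner's per-location sslFlags, plus an ipSecurity rule at the site root.
WEBCONFIG = """<configuration>
 <system.webServer><security><ipSecurity allowUnlisted="false" /></security></system.webServer>
 <location path=""><system.webServer><security><access sslFlags="Ssl" /></security></system.webServer></location>
 <location path="Public"><system.webServer><security><access sslFlags="None" /></security></system.webServer></location>
</configuration>"""

def section_modes(apphost_xml):
    """Map 'system.webServer/security/access' -> overrideModeDefault (Allow when omitted)."""
    modes = {}
    def walk(node, prefix):
        for child in node:
            path = prefix + [child.get("name", "")]
            if child.tag == "sectionGroup":
                walk(child, path)
            elif child.tag == "section":
                modes["/".join(path)] = child.get("overrideModeDefault", "Allow")
    walk(ET.fromstring(apphost_xml).find("configSections"), [])
    return modes

def used_sections(webconfig_xml):
    """Return (location path, element path) for every element web.config configures."""
    used = set()
    def walk(node, scope, prefix):
        for child in node:
            if child.tag == "location":  # a new scope, not a configuration section
                walk(child, child.get("path", ""), [])
            else:
                used.add((scope, "/".join(prefix + [child.tag])))
                walk(child, scope, prefix + [child.tag])
    walk(ET.fromstring(webconfig_xml), "", [])
    return used

def locked_sections(apphost_xml, webconfig_xml):
    """Sections web.config sets that applicationHost.config keeps locked; IIS would refuse
    requests to that scope with HTTP 500.19 until the section is unlocked (delegated)."""
    modes = section_modes(apphost_xml)
    return sorted(s for s in used_sections(webconfig_xml) if modes.get(s[1]) == "Deny")
```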

Related

Location + Path in web.config not working in Azure

Just created a new ASP.NET Core MVC app and published it to Azure.
After adding the location/path element to a web.config and re-publishing the site, my Azure app is immediately broken.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="authenticate" allowOverride="true">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</location>
</configuration>
Why is the below not working in Azure Web App?
Could you please try the code below, assuming you want to restrict users from accessing anything under the authenticate folder:
The following web.config example would apply any settings within the elements only to resources located within the /authenticate directory of the site:
<location path="~/authenticate" allowOverride="true">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</location>
If it doesn't work, can you enable the under system.web and let me know what errors you are getting.

restricting IP security

Having an issue with restricting IP security.
I have made a web.config file and placed it in the folder I am trying to restrict see below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" enableProxyMode="true" denyAction="Forbidden">
<clear />
<add ipAddress="123.456.789" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
</configuration>
I have also adjusted the applicationHost.config to:
<section name="ipSecurity" overrideModeDefault="Allow" />
However when browsing to a file in that folder I get a 403.
I have restarted IIS and IP address is correct.
What am I missing?
Check the client IP (c-ip) in the IIS logs and add that to the IP restriction rules.

IIS Limit access to file + Basic Authentication

I have a simple internal site using IIS 8.5 Basic Authentication.
In one specific html file I want to restrict even further to some users/roles.
UPDATE: This is my Web.config, I can still access the inhouse.html file in a browser with my Windows (LDAP) account. I want to block all users to access this. Then to only allow a few users.
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.6" />
<httpRuntime targetFramework="4.6" />
<authentication mode="Windows" />
</system.web>
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</system.web>
</location>
</configuration>
Try this:
<location path="inhouse.html">
<system.web>
<authorization>
<remove users="*" roles="" verbs="" />
<!-- add the users you want here -->
</authorization>
</system.web>
</location>
It depends on the rest of your web.config as to whether system.webServer or system.web applies.

Sitecore Content Delivery security hardening admin folder

We are using Azure Web Apps for the Sitecore infrastructure.
We need to apply security hardening on CD, i.e. disable Sitecore client access. I had a look at the security hardening guide, which mentions disabling anonymous access to sitecore/admin.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However, this is not possible in Azure Web Apps as we don't have access to IIS.
What's the best way to resolve this?
Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform="Replace">
<requestFiltering>
<denyUrlSequences>
<add sequence="/sitecore/" />
<add sequence="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering
You can configure the security settings in the web.config of your Sitecore CD server, e.g. add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>

IIS7.5 : How to prevent prompt for credentials when folder blocked by URL Authorization

I managed to secure a folder structure with URL authorization in IIS7 with the following :
<location path="Reports">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</security>
</system.webServer>
</location>
<location path="Reports/Company1">
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="User1"/>
</authorization>
</security>
</system.webServer>
</location>
<location path="Reports/Company2">
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="User2" />
</authorization>
</security>
</system.webServer>
</location>
Now my problem is that when User1 from Company1 tries to access a file in the Company2 folder, he gets prompted for credentials. I would like him to receive an "access denied" message instead. I tried to add a in the second location tag, but without success.
Not possible as far as I can see. You need to at least attempt to verify the user before you can display "access denied" (by means of custom errors, perhaps). However, before this verification has started, there is also no way to determine which user it is.
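To see how the three location blocks combine for a given request, here is an added Python model (not from the question or from IIS itself) that merges the authorization rules the way IIS URL Authorization does, shallowest location first, starting from the inherited allow-everyone rule; it models users only (not roles or verbs), and the web.config string is a constructed copy of the one in the question.

```python
import xml.etree.ElementTree as ET

# The questioner's web.config, reproduced here as a constructed string for the model.
WEBCONFIG = """<configuration>
 <location path="Reports"><system.webServer><security><authorization>
  <remove users="*" roles="" verbs="" /></authorization></security></system.webServer></location>
 <location path="Reports/Company1"><system.webServer><security><authorization>
  <add accessType="Allow" users="User1" /></authorization></security></system.webServer></location>
 <location path="Reports/Company2"><system.webServer><security><authorization>
  <add accessType="Allow" users="User2" /></authorization></security></system.webServer></location>
</configuration>"""

DEFAULT_RULES = [("Allow", "*")]  # inherited from applicationHost.config: allow everyone

def segs(path):
    """Split a URL or location path into lower-cased segments (IIS paths are case-insensitive)."""
    return [s.lower() for s in path.strip("/").split("/") if s]

def effective_rules(webconfig_xml, request_path):
    """Merge <authorization> rules from every <location> covering request_path, shallowest
    first: <remove> drops the inherited rule with the same users, <add> appends a new one."""
    req = segs(request_path)
    rules = list(DEFAULT_RULES)
    locations = ET.fromstring(webconfig_xml).findall("location")
    for loc in sorted(locations, key=lambda l: len(segs(l.get("path", "")))):
        scope = segs(loc.get("path", ""))
        if req[:len(scope)] != scope:
            continue
        for rule in loc.iter():
            if rule.tag == "remove":
                rules = [r for r in rules if r[1].lower() != rule.get("users", "").lower()]
            elif rule.tag == "add" and rule.get("accessType"):
                rules.append((rule.get("accessType"), rule.get("users", "")))
    return rules

def user_matches(pattern, user):
    """'*' is everyone, '?' is anonymous only, anything else is an exact user name."""
    if pattern in ("*", "?"):
        return pattern == "*" or user is None
    return user is not None and pattern.lower() == user.lower()

def is_allowed(webconfig_xml, request_path, user):
    """IIS URL Authorization model: a matching Deny rule wins; otherwise a matching Allow is
    required. False becomes a 401, which under Basic authentication re-prompts the browser."""
    rules = effective_rules(webconfig_xml, request_path)
    if any(a == "Deny" and user_matches(u, user) for a, u in rules):
        return False
    return any(a == "Allow" and user_matches(u, user) for a, u in rules)
```

For the questioner's case, User1 requesting anything under Reports/Company2 ends with no Allow rule left for him, so the module refuses and the client sees another credential prompt.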
