Deny access to any directory for everyone web.config - iis

I want to deny access to the directories for everyone in web.config. Is this possible? Or should a Deny from ALL be enough? I host this on an IIS server.

<location path="folder">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Related

Allow/Deny users using web.config in Azure app service

I have got an app service with 3 virtual paths shown below.
Virtual path    Physical path        Type
/               site\wwwroot         Application
/app2           site\wwwroot\app2    Application
/app3           site\wwwroot\app3    Application
How can I use web.config to control access to my site using Azure Security Groups? I've got 3 security groups and I want to allow access as below.
Allow sg1 to have access to my root /.
Allow sg2 to have access to my root & /app2.
Allow sg3 to have access to my root & /app3.
In my on-prem IIS box I was able to do something like below to control access.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <authentication mode="Windows"/>
    <authorization>
      <allow roles="GLOBAL\sg1"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <location path="app2">
    <system.web>
      <authorization>
        <allow roles="Global\sg1"/>
        <allow roles="Global\sg2"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="app3">
    <system.web>
      <authorization>
        <allow roles="Global\sg1"/>
        <allow roles="Global\sg3"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Can I replicate this in Azure app services?
I tried a simple base case, as per below. I can go to my / fine as it has no restrictions, but I get the error "The page cannot be displayed because an internal server error has occurred." when browsing to /app2.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="app2">
    <system.web>
      <customErrors mode="Off"/>
      <authentication mode="Windows"/>
      <authorization>
        <allow roles="GLOBAL\sg1"/>
        <allow roles="GLOBAL\sg2"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Please help :(
Can I replicate this in Azure app services?
No, you cannot since what you describe is Active Directory behavior. App Services do not integrate with AD.
Next best thing would be Azure AD authentication, but this will require code changes and look quite different in the end: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

How can we close webresource.axd and scriptresource.axd vulnerability in asp.net?

We have tried the below code in web.config:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
In your web.config, at the bottom just before the closing configuration tag, put the following:
<location path="WebResource.axd">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="ScriptResource.axd">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

IIS Limit access to file + Basic Authentication

I have a simple internal site using IIS 8.5 Basic Authentication.
In one specific html file I want to restrict even further to some users/roles.
UPDATE: This is my Web.config. I can still access the inhouse.html file in a browser with my Windows (LDAP) account. I want to block all users from accessing this, then allow only a few users.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.6" />
    <httpRuntime targetFramework="4.6" />
    <authentication mode="Windows" />
  </system.web>
  <location path="inhouse.html">
    <system.web>
      <authorization>
        <remove users="*" roles="" verbs="" />
      </authorization>
    </system.web>
  </location>
</configuration>
Try this:
<location path="inhouse.html">
  <system.web>
    <authorization>
      <remove users="*" roles="" verbs="" />
      <!-- add the users you want here -->
    </authorization>
  </system.web>
</location>
It depends on the rest of your web.config as to whether system.webserver or system.web applies.

IIS7.5 : How to prevent prompt for credentials when folder blocked by URL Authorization

I managed to secure a folder structure with URL authorization in IIS7 with the following:
<location path="Reports">
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
      </authorization>
    </security>
  </system.webServer>
</location>
<location path="Reports/Company1">
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="User1"/>
      </authorization>
    </security>
  </system.webServer>
</location>
<location path="Reports/Company2">
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="User2" />
      </authorization>
    </security>
  </system.webServer>
</location>
Now my problem is that when User1 from Company1 tries to access a file from the Company2 folder, it gets prompted for credentials. I would like that he receives an "access denied" message. I tried to add a in the second location tag but without success.
Not possible as far as I can see. You need to at least attempt to verify the user before you can display the access denied (by means of custom errors perhaps). However, before this verification has started, there is also no way to determine which user it is.

Forms Authentication & Virtual Directory

We're having trouble getting Forms Authentication to work with a virtual directory in IIS.
We have a main site, and then a microsite set up within a virtual directory. This microsite has its own admin system within an "Admin" folder, which has authentication on it but currently it is not kicking in and the admin section is browsable by anyone.
The web.config with the admin folder has the following:
<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Admin/Error.aspx"/>
  </system.web>
</configuration>
Could anyone give me any clues as to why this might not be working?
Cheers!
What happens if you set this in the web.config at the root of your site instead:
<location path="MicroSite/Admin">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
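
The rule order in the on-prem web.config from the Azure App Service question and the <deny users="?"/> rule from the Forms Authentication question, as an added Python example that is not code from the original posts: it evaluates system.web <allow>/<deny> rules first-match-wins, checking the more specific <location> before the root. The sample configs are constructed, trimmed copies; is_allowed and its helpers are hypothetical names, and verbs attributes and nested web.config files are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed samples: trimmed copies of two configs quoted on this page.
ONPREM = r"""<configuration>
  <system.web><authorization>
    <allow roles="GLOBAL\sg1"/><deny users="*"/>
  </authorization></system.web>
  <location path="app2"><system.web><authorization>
    <allow roles="Global\sg1"/><allow roles="Global\sg2"/><deny users="*"/>
  </authorization></system.web></location>
</configuration>"""
ADMIN = """<configuration><system.web><authorization>
  <deny users="?"/>
</authorization></system.web></configuration>"""

def _auth_rules(node):
    # Children of node/system.web/authorization, in document order.
    return [r for sw in node if sw.tag == "system.web"
            for az in sw if az.tag == "authorization" for r in az]

def _names(rule, attr):
    # Comma-separated attribute as a lowercased set (assumption: names compare
    # case-insensitively, as Windows group names do).
    return {n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()}

def _matches(rule, user, roles):
    users = _names(rule, "users")
    if "*" in users or ("?" in users and user is None):
        return True          # "*" is everyone, "?" is anonymous only
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule, "roles") & {r.lower() for r in roles})

def is_allowed(config_xml, path, user=None, roles=()):
    """First matching rule wins; user=None means an anonymous request."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    scoped = []
    for loc in (n for n in root if n.tag == "location"):
        lp = loc.get("path", "").strip("/").lower()
        if lp == "" or path == lp or path.startswith(lp + "/"):
            scoped.append((len(lp), _auth_rules(loc)))
    scoped.sort(key=lambda item: -item[0])   # most specific location first
    rules = [r for _, rs in scoped for r in rs] + _auth_rules(root)
    for rule in rules:
        if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # nothing matched: the machine-level default is <allow users="*"/>
```

With the constructed samples, an sg2 member is allowed on /app2 but denied at /, and <deny users="?"/> lets any authenticated user through while <deny users="*"/> blocks everyone who was not allowed by an earlier rule.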
