Restricting access to files within a folder to webservice IIS6/7 - security

I am looking for a way to restrict direct access to a certain folder or folders on our website which is hosted in IIS7 in our second dev environment, IIS6 in our first dev environment and IIS6 on production.
Basically we should be able to link to these files from our website i.e.:
http://www.domain.com/stuff/survey.pdf
But if someone tries to link to this from a blog post, etc. it should not serve the content. Is there any way to do this in a web config or is that beyond the abilities of IIS?

What I ended up doing was writing a PHP script which served content from outside of the web root, but only if the user was logged in and had a valid site cookie.
Then I created folders to replace all the content we were currently serving (.pdf, .png, etc.) since there was not that much that we wanted secured. I named each folder the same as the original document, i.e.: /webroot/survey.pdf/ and then placed the index.php inside of the survey.pdf folder.
This worked, and now we can use the script to link to content that we want secured.
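The layout described above, as an added example that is not the poster's script: an index.php placed in /webroot/survey.pdf/ that serves the same-named file from a directory outside the web root, and only to a logged-in session. The PRIVATE_DIR path, the user_id session key and the type allow-list are assumptions made for illustration.

```php
<?php
// Added example: lives at /webroot/survey.pdf/index.php (layout from the post).
// PRIVATE_DIR and the 'user_id' session key are assumed names, not the poster's.
declare(strict_types=1);

const PRIVATE_DIR = 'C:\\inetpub\\private_files'; // outside the web root (assumed path)
const TYPES = [                                   // only these types are ever served
    'pdf' => 'application/pdf',
    'png' => 'image/png',
];

session_start();

// 1. Only a logged-in session gets the file; a pasted link from elsewhere gets 403.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. The folder holding this script is named after the document it replaces.
$name = basename(__DIR__);                        // e.g. "survey.pdf"
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . DIRECTORY_SEPARATOR . $name);

// 3. Refuse anything that does not resolve to a regular file inside PRIVATE_DIR.
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 4. Serve only allow-listed types, with an explicit Content-Type.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!array_key_exists($ext, TYPES)) {
    http_response_code(404);
    exit('Not found');
}

// 5. Stop browsers and proxies from caching or re-typing the protected response.
header('Content-Type: ' . TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the file name comes from the script's own folder rather than from the request, there is no user-supplied path to validate; the realpath check still guards against a misnamed folder or a symlink pointing outside the private directory.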

Related

IIS how to view a file stored on the Physical Path on a locally hosted webpage

I have been attempting to access some files I have in a local directory via a locally hosted web site using IIS (Internet Information Services Manager).
The current file types in the folder are CSS, CSV and HTML.
I cannot seem to find any data on these sites, however, I believe something is there as when I change the web URL slightly it states "page can’t be found" rather than showing a blank page.
I have been looking through IIS extensively for a way to make these files either download/become visible/show file contents/display the HTML.
I have the file system set up as both the main website and as another file, under the Default website (as seen below) however, I cannot get either of these two methods to show me the files or anything for that matter.

Protect static files in Classic ASP website

I want to secure static files (images, .txt files) from unauthenticated users. How can I implement the user authentication to the website so that the static files in specific folder also get secured? I have used simple authentication in a login.asp file and started a session for authenticated user and I check the session value for protected .asp files. But I have no idea how to secure static content on Classic ASP website.
The website is hosted on IIS 7 with Integrated pipeline mode.
You already asked this, and I answered it, and I will give you the same answer.
You will need to use BASIC AUTHENTICATION to restrict access on static files in IIS (Classic ASP). Otherwise, you need to save the static content in another format and encrypt it and only make it viewable by people authenticated by your program.
Please don't ask this again, the answers will not be different.
If using Basic Authentication is not your cup of tea, one possibility would be to replace your static files with an ASP file that, upon authorization, will output the correct file. If necessary, you can set the ContentType of the Response to the appropriate type. The link http://support2.microsoft.com/kb/173308 shows you how to do that with an image stored inside a database but of course, you can take whatever you want as the source of the file. In the case of .TXT files, you can even directly take the file and simply add a small section of ASP code at the beginning for doing the check.
All of this required extra work. There is no way to simply activate some sort of protection with the session state for static files without extra work.
Old question but -- Most MS servers with Classic ASP installed have several default folders which cannot be accessed except via ASP. They are /bin /app_code /app_data and there may be others. It depends on your hosting company. Windows 10 IIS (their cut down dev & test suite) locks these by default. Using ASP code to retrieve and display text and html is very easy but I'm not sure how to do images. If you have very low traffic, one way would be to copy the image file to an unlocked folder and give it a random name, then access it normally in an IMG tag, then delete it after use. (I came here looking for a better method).
Update: The answer to loading images via ASP is here -- displaying images from sql database with classic asp ... see bottom answer by "HeavenCore" and, instead of Response.BinaryWrite rs("ImageBlob"), get the binary of the image into Your variable, eg: BinaryImageData and do Response.BinaryWrite BinaryImageData

IIS denying access to simple HTML file in virtual directory

I'm trying to display simple HTML files in a folder on my web site. No ASP.NET, no application, just a virtual directory. I'm getting "Access denied" in the browser when I try to open a web page.
This is through a hosting provider; I have access through FTP and IIS Manager only.
Authorization Rules show Allow - All Users - Inherited.
I'm far from an expert on IIS, and most search results either suggest checking folder permissions in the file system (which I have no direct access to) or are relevant to applications.
How can I diagnose this?
More information:
Through trial and error, I found out the cause, and worked around it with URL Rewrite. I'd still like to know why it's happening (the root cause) and how to change IIS's behavior.
I'm moving my site from Linux hosting to Windows hosting. Some of the old URLs are of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The ones I'm moving are HTML files, not PHP files, but I tried to mirror the folder structure.
The problem is in the index.php folder name. No matter what I do, even if I enable directory browsing, IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.
I've scanned through many of the IIS settings and haven't found any mention of forbidding a .php extension. What's going on?
You need to add permission for IIS users. Try adding permission to the folder by adding user IIS_IUSRS and give required permission.
1. Right click on folder, go to properties
2. Go to security tab
3. Click on Edit, if you don't see IIS_IUSRS in the user list who have permission
4. Click on Add, in the box add IIS_IUSRS and click on check names, it will get the qualified name.
5. Click OK and apply
Hopefully it should work then
Through trial and error, I found out the cause, and worked around it with URL Rewrite.
For URLs of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The problem is in the index.php folder name. IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.
This is reminiscent of Joomla virtual (SEO) URLs. I'm assuming that you don't really have static files at all, but the CMS program running your site parses this information after the "index.php" as parameters for a database query to create the html page on the fly. In this case, the only file that's really being served by the web server is index.php, and the program includes other php files depending on the parameters entered. You're on the right track though, with creating a small file on the destination server and try to load it, but this means the index.php directory structure is moot.

IIS7 - How to password protect a single folder using a Web.config file?

I have a folder that contains log files. They're not super critical, but I don't want total strangers looking through them. I'd like to put a password on that one folder. The folder and its contents are served straight up from IIS, so I'm not looking for a coding solution.
With Apache I'd use a .htaccess file.
With IIS it's possible to use multiple Web.config files at various levels to control this kind of thing.
So, what goes in the Web.config file that allows me to require a password when accessing this folder?
I'm happy for the password to pop up in a dialog like old-school websites used to do (not sure what this is called -- I think it is digest authentication) and so avoid any loginUrl redirection stuff
I'm happy to put the password in the Web.config file in plain text if it's easier
The application is internet facing and running on shared hosting, so I don't have much control over the box beyond what I can configure in Web.config.
You can achieve this using the <location path="..."/> element of web.config file.
Check this link for step-by-step instructions.

Secure file downloads in dotnetnuke

I'm relatively new to dotnetnuke and am trying to set up a simple site which will have multiple user groups with their own set of files and then another user that has access to all files.
I'm currently playing with doing this with the "documents" module and hiding the module from all but the everything user and the specific company user. This works fine but the security seems to be just security by obscurity.
If I log in as User A and get access to file A and copy its url. I then log out and log in as user B who can't see that file. If I then put the file url into the browser it seems to download fine.
Can anybody tell me if I am doing something wrong or is there no actual user based security on file downloads? I've tried going to the actual file manager and making the directories explicitly not viewable to user B (they are secure directories too) but still it persists. Am I missing a permissions option at the file level somewhere or is the security designed to just prevent you finding the right links to the files? I'll admit the links aren't guessable (no sequential ids in the url or anything silly like that) but I'm still a little uncomfortable with the security working like this...
DNN FileManager Module
Hi Chris,
Please check out the FileManager module per above link. You are correct that the current FileManager module does not allow access per user roles. You might check Snowcovered for possible substitutes?
It seems that I was doing something wrong. I was referencing a different version of the file which didn't have any permissions attached to it. It seems also that I don't need to have multiple documents modules since if a file doesn't have read permission it will just be hidden in the list.
So to summarise, the DNN Documents module will do role based security to prevent unauthorised users from downloading the file and from seeing it in the documents view.
Documents module provides security for LinkClick.aspx urls that are routed to ASP.NET.
If the actual files reside in the file system under the site's root folder, direct urls to these files are served and secured by IIS.
To prevent unauthorized access to direct urls you can disable anonymous authentication and set up Basic authentication with NTFS permissions, for example.
If you don't want to touch IIS and administer Windows accounts, you can't store the files directly under any publicly available IIS folder. Security at the ASP.NET application-level is implemented using file encryption or storing the files outside the public IIS folders, like in the database. DNN File Manager offers both of these options: secure folders in the file system and secure folders in the database.
There are also 3rd party modules to manage file security and sharing, like NukeTransfer.
