Deny all web access to a directory? (Searched the net already...)

[Guest]

Hi,

[Note: I first posted this to the .security subgroup, but then saw that it
was almost dead, so I am reposting here. Sorry for the dup posts...]

I have a asp.net site running on an MS Access database this is, for better
or worse, stored under the webroot.

How can I lockout the database directory to prevent anyone from downloading
the mdb file via HTTP?

I have attached my web.config file at the end of this message.

The problem is that the "database" directory is still viewable by anyone.
Not sure why. No errors. IIS just lets me though. Do I have a typo
somwhere?


Thanks,
David


---------------------------------------------



<configuration>

<system.web>
<customErrors mode="Off"/>

<!-- Authentication form -->
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
timeout="999999" path="/app-admin/" />
</authentication>

<!-- Allow anon users to main site -->
<authorization>
<allow users="?" />
</authorization>
</system.web>

<!-- Set up secure zone for app admin -->
<location path="app-admin">
<system.web>

<!-- disallow anon users to this zone-->
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

<!-- Set up secure zone for database -->
<location path="database">
<system.web>

<!-- disallow all users to this zone-->
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>

</configuration>

 

[Scott M.]

What directory permissions do you have set on the directory that contains
the database?

 

[Steve C. Orr [MVP, MCSD]]

ASP.NET does not (by default) control access to MDB files, it only controls
access to ASP.NET files such as ASPX and ASCX files.
IIS controls other files, so in there you should adjust the Directory
Security for the directory that contains the MDB file.

Alternately, you can configure IIS to allow ASP.NET to control the security
for the MDB file extension, then your Web.Config settings would work for the
MDB file.

 

[Guest]

Ahh,...

So this is out side the realm of asp.net. I see.

Thanks.

ASP.NET does not (by default) control access to MDB files, it only controls
access to ASP.NET files such as ASPX and ASCX files.
IIS controls other files, so in there you should adjust the Directory
Security for the directory that contains the MDB file.

Alternately, you can configure IIS to allow ASP.NET to control the security
for the MDB file extension, then your Web.Config settings would work for the
MDB file.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net

Hi,

[Note: I first posted this to the .security subgroup, but then saw that it
was almost dead, so I am reposting here. Sorry for the dup posts...]

I have a asp.net site running on an MS Access database this is, for better
or worse, stored under the webroot.

How can I lockout the database directory to prevent anyone from
downloading
the mdb file via HTTP?

I have attached my web.config file at the end of this message.

The problem is that the "database" directory is still viewable by anyone.
Not sure why. No errors. IIS just lets me though. Do I have a typo
somwhere?


Thanks,
David


---------------------------------------------



<configuration>

<system.web>
<customErrors mode="Off"/>

<!-- Authentication form -->
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
timeout="999999" path="/app-admin/" />
</authentication>

<!-- Allow anon users to main site -->
<authorization>
<allow users="?" />
</authorization>
</system.web>

<!-- Set up secure zone for app admin -->
<location path="app-admin">
<system.web>

<!-- disallow anon users to this zone-->
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

<!-- Set up secure zone for database -->
<location path="database">
<system.web>

<!-- disallow all users to this zone-->
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>

</configuration>