Securing a directory

Discussion in 'ASP .Net Security' started by Simon Harvey, Feb 15, 2004.

  1. Simon Harvey

    Simon Harvey Guest

    Hi everyone,

    I just read an article that said that when you use a web.config file to
    secure a directory, all it can do is secure the asp.net resources in that
    directory - not any non .net resources.
    For example, image files, html and asp files would not be secured.

    I didn't actually realise this and it gave me a bit of a fright! Can anyone
    suggest the best way to keep a directory secured in an application using
    Forms Authentication?

    It's not a problem for me at the moment because I haven't made a site that
    would be affected, but I'm not really sure how I would ensure a directory
    was totally locked down should the need arise.

    Thanks to anyone who can help

    Kindest Regards

    Simon
    Simon Harvey, Feb 15, 2004
    #1

  2. richlm

    richlm Guest

    Simon
    Yes, that is correct - only files with an ASP.NET extension (.aspx, .asmx,...) are processed by the ASP.NET ISAPI extension.
    Files with .asp extension are processed by traditional ASP and so on.

    NTFS permissions will be used for static files such as .jpg .txt etc.

    You can see the mappings in the IIS manager - right click on your web site, "properties" then click "configuration" on the virtual directory tab.

    Check this article on MSDN for more info:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
    richlm, Feb 18, 2004
    #2
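
The coverage gap described in the post above, as an added example that is not part of the original thread: a small audit that walks a directory protected by web.config and separates files whose extension is mapped to ASP.NET from those that are not. The function names, the sample tree and the default extension set (only the two extensions the post names) are assumptions; replace the set with the mappings IIS Manager shows for your site.

```python
import os
import tempfile

# Extensions the thread names as handled by the ASP.NET ISAPI extension.
# Assumption: extend this set to match the mappings IIS Manager shows for your site.
ASPNET_MAPPED = frozenset({".aspx", ".asmx"})


def audit_protected_dir(site_root, protected_dir, mapped=ASPNET_MAPPED):
    """Return (covered, uncovered) site-relative paths under protected_dir.

    covered:   extension is mapped to ASP.NET, so web.config authorization applies.
    uncovered: served by another handler (classic ASP, static files), so only
               NTFS permissions or a filter such as URLScan restrict it.
    """
    covered, uncovered = [], []
    base = os.path.join(site_root, protected_dir)
    for folder, _dirs, files in os.walk(base):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()  # IIS matches extensions case-insensitively
            (covered if ext in mapped else uncovered).append(rel)
    return sorted(covered), sorted(uncovered)


def build_sample_site(site_root):
    """Create a constructed sample tree (empty files) for the demonstration."""
    for rel in ("secure/report.aspx", "secure/Service.ASMX", "secure/photo.jpg",
                "secure/legacy.asp", "secure/docs/notes.txt", "public/index.html"):
        path = os.path.join(site_root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo():
    """Run the audit against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return audit_protected_dir(root, "secure")


if __name__ == "__main__":
    covered, uncovered = demo()
    print("Covered by web.config authorization:", covered)
    print("NOT covered (check NTFS ACLs / URLScan):", uncovered)
```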

  3. richlm

    richlm Guest

    One other thing - you should also run IIS Lockdown Wizard and install URLScan.
    You can configure URLScan to reject requests for file types that you don't want to be directly requestable.

    I run URLScan even in my development environment.
    richlm, Feb 18, 2004
    #3
