Guest
Hi,
[Note: I first posted this to the .security subgroup, but then saw that it
was almost dead, so I am reposting here. Sorry for the dup posts...]
I have an ASP.NET site running on an MS Access database that is, for better
or worse, stored under the webroot.
How can I lock out the database directory to prevent anyone from downloading
the mdb file via HTTP?
I have attached my web.config file at the end of this message.
The problem is that the "database" directory is still viewable by anyone.
Not sure why. No errors. IIS just lets me through. Do I have a typo
somewhere?
Thanks,
David
---------------------------------------------
<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <!-- Authentication form -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
             timeout="999999" path="/app-admin/" />
    </authentication>
    <!-- Allow anon users to main site -->
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <!-- Set up secure zone for app admin -->
  <location path="app-admin">
    <system.web>
      <!-- disallow anon users to this zone-->
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <!-- Set up secure zone for database -->
  <location path="database">
    <system.web>
      <!-- disallow all users to this zone-->
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
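
An added example, not part of the original post: ASP.NET `<authorization>` rules are only evaluated for requests that IIS hands to ASP.NET, and by default a static `.mdb` file is served by IIS itself, so the `deny users="*"` rule above is never consulted for it. The fragment below blocks the directory at the web server level instead; it assumes IIS 7 or later, where the `system.webServer` request filtering section is available, and is merged into the existing `<configuration>` element.

```xml
<!-- Added example (assumes IIS 7 or later with Request Filtering installed). -->
<configuration>

  <!-- Original rule, kept for requests that ASP.NET does handle
       (.aspx and similar placed in the folder). It does not cover
       static files such as .mdb. -->
  <location path="database">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Reject every URL that contains a "database" path segment,
             whatever the file type. IIS answers with HTTP 404.8. -->
        <hiddenSegments>
          <add segment="database" />
        </hiddenSegments>
        <!-- Second layer: refuse Access data and lock files anywhere
             in the site, even if the file is moved out of /database.
             IIS answers with HTTP 404.7. -->
        <fileExtensions>
          <add fileExtension=".mdb" allowed="false" />
          <add fileExtension=".ldb" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>

</configuration>
```

To verify, request the `.mdb` URL from an unauthenticated browser session and confirm a 404 response rather than a download. Storing the file outside the webroot removes the dependency on server configuration altogether.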