Protect DLL File from being Downloaded?


G

George

VS.NET 2002/VB

My IIS permissions and folder settings show Read and Execute only. Why is it that I can use any
browser and link directly to my DLL file in my BIN folder on my Web site and download it to my
harddrive (as could anyone else who wanted to)? I don't see any other settings in my host's Control
Center Panel that will let me set any other properties for those folders.

How do I prevent this from happening?

Thanks,
George
 
Ad

Advertisements

C

Craig Deelsnyder

VS.NET 2002/VB

My IIS permissions and folder settings show Read and Execute only. Why
is it that I can use any
browser and link directly to my DLL file in my BIN folder on my Web site
and download it to my
harddrive (as could anyone else who wanted to)? I don't see any other
settings in my host's Control
Center Panel that will let me set any other properties for those folders.

How do I prevent this from happening?

Thanks,
George

Do they/you have Directory Browsing enabled? They shouldn't, that's the
easiest way to accidentally expose files....

Try browsing to just 1 of your directories in a web browser. No filename,
just a directory, e.g.

http://mydomain.com/appFolder/

if you get a file listing, tell your host to turn that off or do it
yourself (sounds like you might have that access)...that's not what you
want...
 
G

George

Craig,

I tried browsing to just the BIN folder and got an accessed denied message, so that part seems to be
working right.

However, if I try to link directly to my DLL file using IE6, it obviously trys to execute the file,
and I get some type of error and a list of a couple of debuggers to use.

The real problem comes when I use Netscape or Mozilla Firefox to link to directly to the DLL file,
in which case, they both ask if I want to save it to disk. I say yes, and it downloads it to my
local drive without any problems. This is a very bad thing.

George
 
H

Hermit Dave

yeah but why would you want a hyperlink to your compiled assembly ? at the
end of the day its just a file even though in a hidden directory directly
not accesible.
so its just doing what hyperlinks do... ie point to files that can be opened
or download

--

Regards,

Hermit Dave
(http://hdave.blogspot.com)
George said:
Craig,

I tried browsing to just the BIN folder and got an accessed denied
message, so that part seems to be
working right.

However, if I try to link directly to my DLL file using IE6, it obviously trys to execute the file,
and I get some type of error and a list of a couple of debuggers to use.

The real problem comes when I use Netscape or Mozilla Firefox to link to directly to the DLL file,
in which case, they both ask if I want to save it to disk. I say yes, and it downloads it to my
local drive without any problems. This is a very bad thing.

George
 
G

Guest

Hi,

You'll want to add an entry in the <httpHandlers> section of the
machine.config file on your web server.

Something like this should do I think:

<add verb="*" path="*.dll" type="System.Web.HttpForbiddenHandler"/>

This should use the HttpForbiddenHandler when a request is received for a
DLL file.

Cheers,
Cam
 
L

Lau Lei Cheong

I've got an untested idea.

Have you tried to configure your Web Application setting so that the default
handler for ".dll" extension would be "C:\WINDOWS\System32\inetsrv\404.dll".

It should be able to bar the download, but don't know whether it'll cause
error on your ASP.NET application (for a good chance it won't).

George said:
Craig,

I tried browsing to just the BIN folder and got an accessed denied
message, so that part seems to be
working right.

However, if I try to link directly to my DLL file using IE6, it obviously trys to execute the file,
and I get some type of error and a list of a couple of debuggers to use.

The real problem comes when I use Netscape or Mozilla Firefox to link to directly to the DLL file,
in which case, they both ask if I want to save it to disk. I say yes, and it downloads it to my
local drive without any problems. This is a very bad thing.

George
 
Ad

Advertisements

K

Kevin Spencer

Just disable "Read" permission for the directory in IIS.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
 
G

George

Thanks to everyone for their suggestions.

As Kevin suggested, I went to IIS and disabled the Read Persmissions on the bin folder, and that
solved the problem, without affecting the apps functionality.

George
 
Ad

Advertisements

D

Devdex Developer

Well George seems to be u r checking the best possible ways to save ur
dll from download. Good practice is that your Dll shouldnt name friendly
so other person cant able guess. restrict directory browsing.Liks are
based or requests if u set request.end or such thing (better check) may
b that would help you.
 

Top