15

I know that IIS7 allows me to have a per-directory configuration with the web.config XML file. I have a directory with some configuration files that I don't want to be web accessible. A local web.config file forbidding read access to it would be a nice solution.

What should be the contents of a web.config file to forbid web access to the files?

Edit: I'm trying to put a web.config file with these contents in a file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.web>
        <authorization>
            <deny users="*" /> <!-- Denies all users -->
        </authorization>
    </system.web>
</configuration>

But I can still directly access a file inside the directory. What's wrong with it? How do I debug what's happening?

Mark Henderson
neves

4 Answers

12

You're using system.web. In IIS7, you should use system.webServer instead. This will block all types of files, not just ASP.NET files. For example, you can password protect jpg, gif, txt and all types of files.

It would look something like this:

  <system.webServer>
      <security>
          <authorization>
              <remove users="*" roles="" verbs="" />
              <add accessType="Allow" roles="Administrators" />
          </authorization>
      </security>
  </system.webServer>

And if you want to set it for just 1 file:

 <location path="dontlook.jpg">
     <system.webServer>
         <security>
             <authorization>
                 <remove users="*" roles="" verbs="" />
                 <add accessType="Allow" roles="Administrators" />
             </authorization>
         </security>
     </system.webServer>
 </location>
Scott Forsyth
  • I ran across my own answer over a year later and wanted to add an extra note. You must make sure that either forms or windows auth is enabled too, otherwise only the remove rule will be helpful. If you enabled Windows Authentication then you'll be prompted to enter your credentials. – Scott Forsyth Mar 24 '11 at 18:09
  • +1 Finally! Spent 3 hours finding this! Thank you – hofnarwillie Jun 25 '14 at 09:53
7

I think this can solve your problem.
Place this web.config in the directory that contains the target directory:

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <hiddenSegments>
     <add segment="target directory name"/>
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>
Reza Roshan
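The checker below is an added example, not code posted by anyone in this thread. It encodes the point behind the first two answers and the asker's "how do I debug" question: a deny inside system.web is enforced by the ASP.NET pipeline only, whereas IIS URL Authorization (system.webServer/security/authorization) and request-filtering hiddenSegments apply to every request IIS serves, static files included. The three web.config samples embedded in it are constructed: the asker's file, the first answer's rules wrapped in a configuration root, and a hiddenSegments entry for a child directory assumed to be called "private". The http_status helper needs a live site and is there to confirm what IIS actually answers once a file is in place.

```python
"""Check a per-directory web.config for rules that block static files on IIS 7+.

Added example for the Server Fault thread above, not code posted by anyone in it.
It encodes the point from the first two answers: <system.web><authorization> is
enforced by the ASP.NET pipeline only, while IIS URL Authorization
(<system.webServer><security><authorization>) and request-filtering
<hiddenSegments> apply to every request IIS serves, static files included.
"""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import urlopen

# Constructed sample: the asker's file. The deny lives in system.web, so IIS
# still hands out .txt/.jpg/.config files from the directory.
ASPNET_ONLY = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed sample: the first answer's rules wrapped in a <configuration> root.
IIS_LEVEL = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="Administrators" />
      </authorization>
    </security>
  </system.webServer>
</configuration>"""

# Constructed sample: the second answer's approach, placed in the PARENT directory,
# hiding a child directory assumed to be named "private".
HIDDEN_SEGMENT = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="private" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""


def analyse(web_config_xml):
    """Report which blocking mechanisms a web.config contains."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    aspnet_auth = root.find("./system.web/authorization")
    iis_auth = root.find("./system.webServer/security/authorization")
    hidden = root.findall("./system.webServer/security/requestFiltering/hiddenSegments/add")

    result = {
        # ASP.NET-only rule: reaches requests that ASP.NET handles, not static files.
        "aspnet_deny_all": aspnet_auth is not None
        and any(d.get("users") == "*" for d in aspnet_auth.findall("deny")),
        # IIS URL Authorization: the inherited Allow-all rule has been removed ...
        "iis_default_allow_removed": iis_auth is not None
        and any(r.get("users") == "*" for r in iis_auth.findall("remove")),
        # ... or an explicit Deny-all rule was added.
        "iis_deny_all": iis_auth is not None
        and any(a.get("accessType", "").lower() == "deny" and a.get("users") == "*"
                for a in iis_auth.findall("add")),
        # Request filtering: URL segments IIS refuses to serve at all.
        "hidden_segments": [h.get("segment") for h in hidden],
    }
    result["blocks_static_files"] = (
        result["iis_default_allow_removed"]
        or result["iis_deny_all"]
        or bool(result["hidden_segments"])
    )
    return result


def findings(web_config_xml):
    """Plain-language findings for one web.config, in the order a reviewer would raise them."""
    r = analyse(web_config_xml)
    out = []
    if r["aspnet_deny_all"] and not r["blocks_static_files"]:
        out.append("system.web/authorization deny is enforced by ASP.NET only; "
                   "IIS still serves static files from this directory")
    if r["iis_default_allow_removed"] and not r["iis_deny_all"]:
        out.append("IIS Allow-all rule removed; a remaining Allow rule for a role only "
                   "matches if Windows or Forms authentication is enabled")
    if r["hidden_segments"]:
        out.append("request filtering hides segments: " + ", ".join(r["hidden_segments"]))
    if not r["blocks_static_files"]:
        out.append("no IIS-level rule found: add system.webServer/security/authorization "
                   "or requestFiltering/hiddenSegments")
    return out


def http_status(url, timeout=5):
    """Status code IIS answers for a URL (needs a live site; 200 means the file is exposed)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    for label, cfg in (("asker's file", ASPNET_ONLY),
                       ("first answer", IIS_LEVEL),
                       ("second answer (parent dir)", HIDDEN_SEGMENT)):
        print(label, "->", "blocks static files" if analyse(cfg)["blocks_static_files"]
              else "ASP.NET requests only")
        for f in findings(cfg):
            print("   -", f)
```

Run it as-is to see the three verdicts, or pass the text of your own web.config to findings(). To check the live behaviour after editing the file, call http_status on the URL of a file in the directory: anything other than 200 (401, 403 or 404, depending on which rule fired) means IIS is no longer serving it.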
4

You can use the Location nodes in the Web.config. There is a detailed explanation on MSDN; in a nutshell:

<location path="Subdirectory">
    <system.web>
        <authorization>
            <deny users="*"/> <!-- Denies all users -->
        </authorization>
    </system.web>
</location>
<location path="Public_Directory">
    <system.web>
        <authorization>
            <allow users="*"/> <!-- Allows all users -->
        </authorization>
    </system.web>
</location>

You can also use the ? wildcard to specify whether to allow or deny anonymous users.

  • How would this file block access to the current directory but allow it to the "css" directory? It is missing the tag around it. – neves Oct 08 '09 at 20:36
  • Your allow only allows authenticated users. If you want unauthenticated users you should include allow users="?" as well. – Nissan Fan Oct 08 '09 at 20:51
0
  • * means every logged in user.
  • ? means anonymous users.

You must use ?.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
Falcon Momot