-
HosedIfSomeoneBadFiguresOutWhoIAm #1
Browsers can download assemblies directly from my website's /bin d
Microsoft: If you email my passport account directly, I can give more detailed info & a telephone number to reach me.
I've found that browsers can download DLLs directly from my website's bin directory.
In the following examples I've replaced my actual company name with "Mydomain" or "Mycode" etc. to protect my website.
For example, all they need to do is type:
http://Mydomain.com/bin/Some.Web.dll
into the IE address bar.
For me, this is very bad. It means that an attacker could simply grab assemblies and use .NET Reflector to determine the code. In my case I issue product registration updates through ASP.NET, with the expectation that a user cannot simply find and download the assembly with the code to sign the registrations!
Now this only happens with my website hosted through my ISP (I contacted them for help). If I test the same config on a machine at home, it won't let me download the assemblies.
I looked in the web logs and found the following (again, I've replaced my actual website/assembly names to protect my website):
Note that it only let me have the assembly once (HTTP 200 OK). Subsequent requests returned HTTP 404 (Not Found). It never returns the expected response, HTTP 403.2 (Read access forbidden).
2004-07-01 02:01:41 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 28974
2004-07-01 02:24:27 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:24:32 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
Any ideas? This is very bad for me!!
Sincerely,
HosedIfSomeoneBadFiguresOutWhoIAm
HosedIfSomeoneBadFiguresOutWhoIAm Guest
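The post's own evidence is the IIS log: a request for a /bin assembly that answers 200 instead of the 403.2 ASP.NET is supposed to return. As an added example (not code from the thread or from Microsoft), here is a small checker that parses IIS W3C extended log lines and flags any protected-path request that was actually served. The `#Fields:` header is an assumption chosen to match the column order of the three lines quoted above (an IIS site's real header depends on its logging configuration); the fourth line is constructed as a benign control.

```python
"""Flag successful downloads of ASP.NET /bin assemblies in IIS W3C logs.

Added example: the #Fields header is ASSUMED to match the quoted lines;
check it against the real log before running this on production data.
"""

# Constructed sample: the three lines from the post, one benign request,
# and an assumed #Fields header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-bytes
2004-07-01 02:01:41 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - MyCode-tech.com 200 0 28974
2004-07-01 02:24:27 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:24:32 216.55.191.221 /bin/MyCode.Web.dll - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - MyCode-tech.com 404 0 1830
2004-07-01 02:30:00 216.55.191.221 /default.aspx - 80 - 67.40.221.149 Mozilla/4.0+(compatible;+MSIE+6.0) - MyCode-tech.com 200 0 5120
"""

# Paths ASP.NET should never serve as plain files. IIS logs spaces inside
# a field as '+', so a plain split on whitespace keeps columns aligned.
PROTECTED_DIRS = ("/bin/",)
PROTECTED_EXTS = (".dll", ".pdb")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat mid-file
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                           # skip records we cannot map
        yield dict(zip(fields, parts))


def is_protected(uri_stem):
    """True if the request targets the bin directory or an assembly file."""
    u = uri_stem.lower()
    return any(d in u for d in PROTECTED_DIRS) or u.endswith(PROTECTED_EXTS)


def find_leaks(text):
    """Return protected-path requests that were answered 200 (served)."""
    leaks = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if is_protected(uri) and rec["sc-status"] == "200":
            leaks.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "uri": uri,
                "bytes": int(rec["sc-bytes"]),
            })
    return leaks


def status_summary(text):
    """Count statuses per protected URI, to see the 200-then-404 pattern."""
    counts = {}
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if is_protected(uri):
            key = (uri, rec["sc-status"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print("SERVED protected file:", leak)
    for (uri, status), n in sorted(status_summary(SAMPLE_LOG).items()):
        print(f"{uri} -> {status}: {n} request(s)")
```

Anything `find_leaks` reports is a confirmed disclosure, whatever the host later answers; the summary is there because the post's 200-then-404 sequence is itself the signal that the host is not returning the expected 403.2 for /bin.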
-
[MSFT] #2
RE: Browsers can download assemblies directly from my website's /bin d
Hello,
Thank you for the information. Regarding the issue, as you have seen,
ASP.NET will deny requests for the DLL files by default. In ASP.NET, all
requests are handled by HttpHandlers; if it finds the request is for a
DLL, it will deny it. I think the main problem should be related to the
configuration of your ISP on their IIS server. They may do some "bad"
things in the security settings. We may wait for their response and see
what was going on there. With this information, we can determine if this
is a security hole.
Regards,
Luke
[MSFT] Guest
-
[MSFT] #3
RE: Browsers can download assemblies directly from /bin
Yes, the default error should be HTTP Error 403.2 - "Forbidden: Read access
is denied.". It seems they still use some customized configurations. Maybe
you need to remind them about this.
Luke
[MSFT] Guest
-
[MSFT] #4
RE: Browsers can download assemblies directly from /bin
Hello,
Any update from the ISP? Is the problem fixed?
Luke
[MSFT] Guest