Securing a directory


  1. #1

    Securing a directory

    Hi everyone,

    I just read an article that said that when you use a web.config file to
    secure a directory, all it can do is secure the asp.net resources in that
    directory - not any non .net resources.
    For example, image files, html and asp files would not be secured.

    I didn't actually realise this and it gave me a bit of a fright! Can anyone
    suggest the best way to keep a directory secured in an application using
    Forms Authentication?

    It's not a problem for me at the moment because I haven't made a site that
    would be affected, but I'm not really sure how I would ensure a directory
    was totally locked down should the need arise.

    Thanks to anyone who can help

    Kindest Regards

    Simon



    Simon Harvey Guest

  3. #2

    RE: Securing a directory

    Simon
    Yes, that is correct - only files with an ASP.NET extension (.aspx, .asmx,...) are processed by the ASP.NET ISAPI extension.
    Files with .asp extension are processed by traditional ASP and so on.

    NTFS permissions will be used for static files such as .jpg, .txt, etc.

    You can see the mappings in the IIS manager - right click on your web site, "properties" then click "configuration" on the virtual directory tab.

    Check this article on MSDN for more info:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

    richlm Guest

  4. #3

    RE: Securing a directory

    One other thing - you should also run IIS Lockdown Wizard and install URLScan.
    You can configure URLScan to reject requests for file types that you don't want to be directly requestable.

    I run URLScan even in my development environment.
    richlm Guest
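
An audit check for the gap discussed in this thread, as an added example that is not part of the original posts: it walks a directory that web.config is supposed to protect and lists the files ASP.NET never handles, which are therefore left to NTFS permissions or a URLScan rule. The extension set, the function names and the sample file names are assumptions; replace the set with the mappings shown in IIS manager for your site.

```python
import os
import tempfile

# Assumption: extensions mapped to the ASP.NET ISAPI extension on this server.
# Replace with the list shown under "configuration" in IIS manager.
ASPNET_MAPPED = {".aspx", ".asmx", ".ascx", ".ashx", ".axd", ".config"}


def unprotected_files(root, mapped=ASPNET_MAPPED):
    """Return relative paths under root that ASP.NET does not process.

    web.config <authorization> rules do not apply to these files, so only
    NTFS permissions or a URLScan rule guard them against direct requests.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()  # IIS matching ignores case
            if ext not in mapped:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def group_by_extension(paths):
    """Group exposed paths by extension to decide what to ACL or block."""
    groups = {}
    for p in paths:
        ext = os.path.splitext(p)[1].lower() or "(none)"
        groups.setdefault(ext, []).append(p)
    return groups


def build_sample_tree(root):
    """Constructed sample of a 'secured' directory (all names are made up)."""
    names = ["web.config", "Default.aspx", "Report.ASPX", "service.asmx",
             "legacy.asp", "help.html", "img/logo.jpg", "export/data.txt"]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for ext, paths in sorted(group_by_extension(unprotected_files(tmp)).items()):
            print(ext, paths)
```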
