Securing a directory
Hi everyone,
I just read an article that said that when you use a web.config file to secure a directory, all it can do is secure the ASP.NET resources in that directory - not any non-.NET resources. For example, image files, HTML and ASP files would not be secured. I didn't actually realise this and it gave me a bit of a fright! Can anyone suggest the best way to keep a directory secured in an application using Forms Authentication? It's not a problem for me at the moment because I haven't made a site that would be affected, but I'm not really sure how I would ensure a directory was totally locked down should the need arise.
Thanks to anyone who can help
Kindest Regards
Simon
RE: Securing a directory
Simon
Yes, that is correct - only files with an ASP.NET extension (.aspx, .asmx, ...) are processed by the ASP.NET ISAPI extension. Files with the .asp extension are processed by traditional ASP, and so on. NTFS permissions will be used for static files such as .jpg, .txt etc. You can see the mappings in the IIS manager - right-click on your web site, "Properties", then click "Configuration" on the virtual directory tab. Check this article on MSDN for more info: http://msdn.microsoft.com/library/de...cnetlpMSDN.asp
RE: Securing a directory
One other thing - you should also run the IIS Lockdown Wizard and install URLScan.
You can configure URLScan to reject requests for file types that you don't want to be directly requestable. I run URLScan even in my development environment.
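
The extension-mapping behaviour described in the first reply, shown as an added example that is not part of the original thread: a web.config whose Forms Authentication rule covers static files only once their extensions are mapped to the ASP.NET ISAPI extension in the IIS mappings dialog. The directory name `members`, the login page `login.aspx` and the choice of `.jpg` and `.html` are assumptions made for illustration.

```xml
<?xml version="1.0"?>
<!-- web.config at the application root (constructed example).
     "members" and "login.aspx" are placeholder names. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>

    <!-- Takes effect only for extensions that IIS hands to aspnet_isapi.dll.
         After .jpg and .html are added in the IIS mappings dialog, these
         entries let ASP.NET serve the files once authorization has passed. -->
    <httpHandlers>
      <add verb="GET,HEAD" path="*.jpg"  type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.html" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>

  <!-- Deny anonymous users for everything ASP.NET processes under /members.
       Without the IIS mapping, /members/photo.jpg never reaches this rule
       and is served by IIS subject only to NTFS permissions. -->
  <location path="members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```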