Directory Security In IIS

By sdfgsdf
I am building a members-only site accessed through my main website hosted within IIS. I have built an .asp script to verify users against an Access/SQL database and reference it on any page I want protected. How can I protect my 'download' folder as well? If anyone knows the exact path, they could go straight there, bypassing my authentication method. Here's the catch... I can't use the ACL. Many of the users to connect are on multiple OS/NOS platforms AND behind corporate firewalls, barring the ability to authenticate against a Win2k domain. In the interim, I have been using PGP self-decrypting downloads as well as randomly generated filenames/directories. I still want to protect the 'download' dir altogether. Any ideas? By the way, FTP has the same problem as well. It requires a user account in the ACL.

This conversation is currently closed to new comments.

Directory Security In IIS

by nadesdan In reply to Directory Security In IIS

Try using session variables in your ASP pages (global.asa).
When a user logs on, he/she will be given a session variable (such as session.loggedin = true), and if session.loggedin = false it will redirect the user to the login page.

Directory Security In IIS

by Bobby Z. In reply to Directory Security In IIS

If I understood right, the download folder is a Windows folder or IIS virtual folder which can be accessed directly by constructing a URL like this:

http://server.domain.com/some/path/to/downloads/

If this is the case, you should configure IIS to deny directory listings (read the manual on how to do it; it's a matter of one mouse click). The visitor will then be unable to see the folder contents and will get an error response if there is no default document in the folder. You can also add a default document there that will be accessed when no exact document is specified in the URL, and check whether the visitor is logged in before giving him the directory list.

By the way, having users authenticated via ACL doesn't mean they all have to have Windows+IE on their machines. You just have to require Basic authentication and disable Windows NT Challenge/Response in Folder Properties -> Directory Security. IIS will check basic auth against the NTFS ACL as well, as it doesn't support .htaccess. The penalty here is that the password is sent in clear text (salted of course), and there's a possibility that it will be intercepted and cracked (though all webservers in the world use this auth scheme and I haven't heard of cases where basic auth passwords were intercepted and cracked)... If you're not paranoid, basic auth is quite enough.

Directory Security In IIS

by rraheb In reply to Directory Security In IIS

You can do the following:

Disable access to that folder through IIS (i.e. do not make it a website). Then what you can do is dynamically create a page that has links to the files once you are sure that the user is an authorized one (using ASP).

You can find some helpful information in this link:

http://15seconds.com/issue/000413.htm

You'll also find a lot of similar articles in the site:

http://15seconds.com

in the "security" section.

Hope this helps you out.

Rafik El-Raheb.
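
Added example, not part of the original thread or any poster's code: a Classic ASP download gatekeeper that combines the session check and the folder-outside-IIS approach suggested in the replies above. The script name `download.asp`, the folder path, the login page and the `file` query parameter are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp (hypothetical name): the only route to the files.
' Assumed: files live OUTSIDE any IIS site or virtual directory, so no URL maps to them.
Const DOWNLOAD_ROOT = "D:\private\downloads\"   ' hypothetical path
Const LOGIN_PAGE    = "/login.asp"              ' hypothetical login page
Const CHUNK_SIZE    = 65536

' 1. Same check the protected pages use; assumes the login script
'    sets Session("loggedin") = True after verifying the user.
If Session("loggedin") <> True Then
    Response.Redirect LOGIN_PAGE
    Response.End
End If

' 2. Accept a bare file name only: no slashes, no "..", no drive letters.
Dim fileName, re
fileName = Request.QueryString("file")
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$"
If Not re.Test(fileName) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. Resolve inside the private folder and confirm the file exists.
Dim fso, fullPath
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = DOWNLOAD_ROOT & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Send the file in chunks, flushing each one so the response buffer stays small.
Dim stream
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1                     ' adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Do While Not stream.EOS And Response.IsClientConnected
    Response.BinaryWrite stream.Read(CHUNK_SIZE)
    Response.Flush
Loop
stream.Close
%>
```

Links on the members page then point at `download.asp?file=...` rather than at the folder itself, so knowing a file's name is not enough without a logged-in session.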

Directory Security In IIS

by sdfgsdf In reply to Directory Security In IIS

This question was closed by the author
