General discussion

  • #2076905

    Directory Security In IIS

    Locked

    by sdfgsdf ·

    I am building a members-only site accessed through my main website hosted within IIS. I have built an .asp script to verify users against an Access/SQL database and reference it on any page I want protected. How can I protect my ‘download’ folder as well? If anyone knows the exact path, they could go straight there, bypassing my authentication method. Here’s the catch… I can’t use the ACL. Many of the users who connect are on multiple OS/NOS platforms AND behind corporate firewalls, barring the ability to authenticate against a Win2K domain. In the interim, I have been using PGP self-decrypting downloads as well as randomly generated filenames/directories. I still want to protect the ‘download’ dir altogether. Any ideas? By the way, FTP has the same problem as well: it requires a user account in the ACL.

All Comments

    • #3779176

      Directory Security In IIS

      by nadesdan ·

      In reply to Directory Security In IIS

      Try using session variables in your ASP pages (global.asa).
      When a user logs on he/she will be given a session variable such as session.loggedin = true, and if session.loggedin = false it will redirect the user to the login page.

    • #3785768

      Directory Security In IIS

      by bobby z. ·

      In reply to Directory Security In IIS

      If I understood right, the download folder is a Windows folder or IIS virtual folder which can be accessed directly by constructing a URL like this:

      http://server.domain.com/some/path/to/downloads/

      If this is the case, you should configure IIS to deny directory listings (read the manual on how to do it; it’s a matter of one mouse click). Visitors will be unable to see the folder contents then and will get an error response if there is no default document in the folder. And you can also add a default document there that will be accessed when no exact document was specified in the URL and check if the visitor is logged in before giving him the directory list.

      By the way, having users authenticated via ACL doesn’t mean they all have to have Windows+IE on their machines. You just have to require Basic authentication and disable Windows NT Challenge/Response in Folder Properties -> Directory Security – IIS will check basic auth against the NTFS ACL also, as it doesn’t support .htaccess. The penalty here is that the password is sent in clear text (salted of course) and there’s a possibility that it will be intercepted and cracked (though all webservers in the world use this auth scheme and I haven’t heard of cases where basic auth passwords were intercepted and cracked)… If you’re not paranoid, basic auth is quite enough.

    • #3785745

      Directory Security In IIS

      by rraheb ·

      In reply to Directory Security In IIS

      You can do the following:

      Disable access to that folder through IIS (i.e. do not make it a website). Then what you can do is dynamically create a page that has links to the files once you are sure that the user is an authorized one (using ASP).

      You can find some helpful information in this link:

      http://15seconds.com/issue/000413.htm

      You’ll also find a lot of similar articles in the site:

      http://15seconds.com

      in the “security” section.

      Hope this helps you out.

      Rafik El-Raheb.
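Added example, not code posted in this thread: the two suggestions above, a `session.loggedin` gate and serving files only through a script while the folder itself is not published by the web server, combined into one download handler. It is written in Python rather than classic ASP so that it runs stand-alone; the private folder location, the `{"loggedin": True}` session shape and the sample files are constructed assumptions. The handler also rejects names that try to escape the download folder, which is the check a script in front of a file store needs regardless of language.

```python
"""Gated download handler: files live outside the web root, the script checks the
login session, validates the requested name, then returns the file contents."""
import os
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Caller is not logged in; the web layer would redirect to the login page."""


class NotFound(Exception):
    """Missing file, or a name that tries to reach outside the download folder."""


def is_logged_in(session):
    # Mirrors the thread's session.loggedin = true check (session is a dict here).
    return session.get("loggedin") is True


def safe_path(base_dir, requested):
    """Map a user-supplied name onto a file inside base_dir, or raise NotFound.

    Only a bare file name is accepted: directory separators, '..', absolute paths
    and drive prefixes are rejected before the filesystem is consulted, and the
    resolved target must still sit directly inside base_dir afterwards.
    """
    name = str(requested)
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise NotFound(requested)
    if "/" in name or "\\" in name or ":" in name:
        raise NotFound(requested)
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if target.parent != base or not target.is_file():
        raise NotFound(requested)
    return target


def serve_download(session, requested, base_dir):
    """Authorize first, then locate the file; returns the bytes to send."""
    if not is_logged_in(session):
        raise AccessDenied("login required")
    return safe_path(base_dir, requested).read_bytes()


def demo():
    """Build a throw-away private folder with constructed files and exercise the handler."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        private_dir = Path(tmp) / "private_downloads"  # assumed: not under wwwroot
        private_dir.mkdir()
        (private_dir / "report.pdf").write_bytes(b"%PDF-constructed-sample")
        # A file one level up, to show traversal cannot reach outside the folder.
        (Path(tmp) / "outside.txt").write_bytes(b"not downloadable")

        results["logged_in"] = serve_download({"loggedin": True}, "report.pdf", private_dir)
        try:
            serve_download({}, "report.pdf", private_dir)
            results["anonymous"] = "served"
        except AccessDenied:
            results["anonymous"] = "redirect-to-login"
        for bad in ("../outside.txt", "..\\outside.txt", "/outside.txt", "C:\\outside.txt", ""):
            try:
                serve_download({"loggedin": True}, bad, private_dir)
                results[bad] = "served"
            except NotFound:
                results[bad] = "not-found"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", value)
```

In a real deployment the script sets the Content-Type and Content-Disposition headers and streams the file (in classic ASP that is `Response.BinaryWrite` from an `ADODB.Stream`); the authorization and name checks are the part that decides whether the URL guess the original poster worries about still works.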

    • #3782316

      Directory Security In IIS

      by sdfgsdf ·

      In reply to Directory Security In IIS

      This question was closed by the author
