Re: Securing Non ASP.Net Files
From: Joseph Geretz (jgeretz@nospam.com)
Date: 03/13/03
- Next message: Calishar: "Making .net handle IIS authentication (not simple)"
- Previous message: Joe Reazor: "Re: Securing Non ASP.Net Files"
- In reply to: Joe Reazor: "Re: Securing Non ASP.Net Files"
- Next in thread: Joe Reazor: "Re: Securing Non ASP.Net Files"
- Reply: Joe Reazor: "Re: Securing Non ASP.Net Files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joseph Geretz" <jgeretz@nospam.com> Date: Thu, 13 Mar 2003 15:45:34 -0500
I'm still confused, but maybe it's just me. Please bear with me.
For both ASP and ASPX pages there are two activities which you might wish to
deny. (Well more than just two, but let's just deal with two for now.)
1. Script Download (script source is viewable in the browser).
2. Script Execution (on the server, script output (not source) is returned
to the browser).
From what I understand, you'd like to disallow #1, but still allow #2?
In order to ensure that scripts may not be downloaded, there's really
nothing you need to do, above and beyond the way IIS will natively treat ASP
and ASPX files. Natively, IIS will execute both of these files on the server
via their related ISAPI filters.
You indicated that after changing some settings to explicitly forbid ASP
access, the scripts are being downloaded to the client browser. Which is
(obviously) not what you, or any site administrator, wants to happen. If you
have ASP scripts resident on a site, I am imagining that you want them to
execute on the server upon request. If you don't want these scripts to run
at all, why not just remove them from the site? Or, you can mark them via
IIS to disallow anonymous access.
Now back to your original question. You indicate that you'd like to secure a
particular site. You can do this through IIS itself. In which case, all
resources accessed via a particular virtual directory would be secured
without regard to the type of file. It sounds to me like you have an interim
situation here, while you are converting an ASP application to ASPX? Why not
use IIS security facilities? Since IIS is the common denominator here it
will secure all your resources regardless of whether they are ASP, ASPX,
GIF's, etc.
(Understand also, that the original technique you attempted, which is to use
.NET to block access to various file types is not appropriate if you want to
protect a file from download, but still want to allow it to execute on the
server in response to a user request.)
Hope this helps. Please clarify, if I've misunderstood your situation.
Thanks,
Joseph Geretz
"Joe Reazor" <joenospam@belgor.com> wrote in message
news:#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl...
> No, that's not what I want. I need to secure ALL files in a given directory
> regardless of their extension. So while I am in the process of converting
> asp pages to aspx pages I need something that is going to limit the access
> to both. I figured using .net security would work. Does anybody have an
> answer to my original question? I can't imagine I'm the first person trying
> to do this.
>
>
> ==============
> Joe Reazor
> Gorbel Inc.
> email: joereaATgorbelDOTcom
>
>
> "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> news:uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl...
> > Hi Joe,
> >
> > Why have you 'protected' .asp pages? .asp pages and .aspx pages are simply
> > handled by two different ISAPI filters (or is it an extension?
> > whatever...). You don't need to do anything to protect ASP scripts even
> > if they're co-mingled with ASPX scripts. IIS won't serve the .asp scripts
> > up in any case. Rather, the .asp script will be passed off to the ASP
> > ISAPI which will process the script and return the *resulting output* to
> > the client.
> >
> > Isn't that what you want?
> >
> > - Joe Geretz -
> >
> > "Joe Reazor" <joenospam@belgor.com> wrote in message
> > news:uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl...
> > > Thanks for the response. I think I have this much set-up. The problem I
> > > am having now is that the *.asp pages that I have protected are not
> > > getting served up. It's indicating that they are explicitly forbidden,
> > > and I'm not sure why. Is there a way to allow them through the ASP.Net
> > > isapi dll and if so will they then automatically be processed by the
> > > normal asp dll?
> > >
> > > Thanks.
> > >
> > > ==============
> > > Joe Reazor
> > > Gorbel Inc.
> > > email: joereaATgorbelDOTcom
> > >
> > >
> > > "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
> > > news:k7y4FTE6CHA.2768@cpmsftngxa06...
> > > > Hello Joe,
> > > > By default ASP.NET is configured to intercept and to stop requests for
> > > > several different file types that are used in ASP.NET applications.
> > > > These file types are ones that must not be retrieved by users. These
> > > > file types include .config files that store configuration information
> > > > for the application and .cs files that store the source code of the
> > > > application. ASP.NET ensures the privacy of these files by associating
> > > > both file types with System.Web.HttpForbiddenHandler.
> > > > System.Web.HttpForbiddenHandler returns an error to the user who
> > > > requests the file. This method of protecting files can be used for any
> > > > file type. This method is useful for protecting files that exist in
> > > > the folder of the Web application and must never be retrieved by users.
> > > >
> > > > Microsoft Internet Information Services (IIS) 5.0 determines how to
> > > > handle requests based on the script mapping for the file name
> > > > extension of the request. These script mappings are adjusted by using
> > > > Internet Services Manager. For ASP.NET to block file types, you must
> > > > first configure IIS 5.0 to forward those requests to ASP.NET. To add
> > > > additional file types to an ASP.NET application to protect certain
> > > > file types, follow these steps:
> > > >
> > > > 1. On the taskbar click "Start", point to "Settings", and then click
> > > >    "Control Panel".
> > > > 2. Double-click to open the "Administrative Tools" folder and then
> > > >    double-click to run "Internet Services Manager".
> > > > 3. Right-click the virtual server or the virtual folder that contains
> > > >    your ASP.NET application and then click "Properties".
> > > > 4. Select the "Home Directory" or the "Directory" tab. If an
> > > >    application has not been created for the virtual folder, click
> > > >    "Create" under "Application Settings".
> > > > 5. Under "Application Settings", click "Configuration".
> > > > 6. To identify the location of the Aspnet_isapi.dll file that handles
> > > >    the ASP.NET requests, select the ".aspx" application mapping and
> > > >    then click "Edit".
> > > > 7. The "Add/Edit Application Extension Mapping" dialog box appears.
> > > >    Select the text in the "Executable" field and then press CTRL+C to
> > > >    copy the text to your Clipboard.
> > > > 8. Click "Cancel" to return to the "Application Configuration" dialog
> > > >    box.
> > > > 9. Now, add application mappings for each extension that you want
> > > >    ASP.NET to block. To do this, click "Add". Then, in the "Executable"
> > > >    field, press CTRL+V to paste the path of your Aspnet_isapi.dll file.
> > > > 10. In the "Verbs" section, select the "All Verbs" option. Verify that
> > > >     the "Script Engine" check box is selected and that the "Check If
> > > >     File Exists" check box is not selected.
> > > > 11. Click "OK".
> > > > 12. Repeat this procedure for every file name extension that you want
> > > >     to have processed by ASP.NET.
> > > >
> > > > Configure a File Type That You Want Blocked
> > > > -------------------------------------------
> > > >
> > > > To block additional file types for an ASP.NET application, follow these
> > > > steps:
> > > >
> > > > 1. Open the Web.config file in a text editor such as Notepad. The
> > > >    Web.config file is located in the root directory of your Web
> > > >    application.
> > > > 2. In the Web.config file add the <httpHandlers> configuration element
> > > >    under the <system.web> element. Note: You must not copy the
> > > >    <httpHandlers> element from the Machine.config file. The reason you
> > > >    must not copy the <httpHandlers> element is because the
> > > >    <httpHandlers> element permits you to add additional file types
> > > >    without completely overriding the Machine.config settings.
> > > > 3. In the <httpHandlers> element, use <add> sub tags to specify
> > > >    additional file types that you want blocked. Set the verb attribute
> > > >    equal to "*". When you do this, you specify that all types of HTTP
> > > >    requests are blocked. Define the path attribute as a wildcard
> > > >    character that matches the types of files you want to block. For
> > > >    example, you may specify "*.mdb". Finally, set the type attribute
> > > >    to "System.Web.HttpForbiddenHandler". The code sample that follows
> > > >    shows how to configure the "httpHandlers" section in the Web.config
> > > >    file:
> > > >
> > > > <system.web>
> > > >   <httpHandlers>
> > > >     <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
> > > >     <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
> > > >     <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
> > > >   </httpHandlers>
> > > > </system.web>
> > > >
> > > > 4. Save the Web.config file. The ASP.NET application automatically
> > > >    restarts.
> > > >
> > > >
> > > > Thanks,
> > > > Bassel Tabbara
> > > > Microsoft, ASP.NET
> > > >
> > > > This posting is provided "AS IS", with no warranties, and confers no
> > > rights.
> > > >
> > > >
> > > > --------------------
> > > > | From: "Joe Reazor" <joenospam@belgor.com>
> > > > | Subject: Securing Non ASP.Net Files
> > > > | Date: Tue, 11 Mar 2003 16:35:11 -0500
> > > > | Lines: 14
> > > > | X-Priority: 3
> > > > | X-MSMail-Priority: Normal
> > > > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> > > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > > > | Message-ID: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
> > > > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> > > > | NNTP-Posting-Host: smtp.gorbel.com 216.42.134.6
> > > > | Path: cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> > > > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:4295
> > > > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> > > > |
> > > > | I am trying to use .Net, specifically the Web.Config file, to secure a
> > > > | website that contains ASP.Net pages, ASP pages, HTML pages, images,
> > > > | PDFs, etc. By default Web.Config only secures ASP.Net resources I
> > > > | believe. Is there a way to automatically have it secure all other
> > > > | resources available at that website?
> > > > |
> > > > | TIA
> > > > |
> > > > | ==============
> > > > | Joe Reazor
> > > > | Gorbel Inc.
> > > > | email: joereaATgorbelDOTcom
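A worked Web.config that puts the two halves of this thread side by side, added here as an illustration and not taken from any of the posts above: the <httpHandlers> block that Bassel Tabbara's steps build, and an <authorization> rule of the kind Joe Reazor hoped would cover the whole site. The folder name "reports", the file names in the comments and the Administrators role are assumptions made for the example. Two caveats belong with it. First, ASP.NET authorization is only evaluated for requests that IIS hands to aspnet_isapi.dll, so .asp, .html, .gif and .pdf requests are untouched by it until those extensions are script-mapped to ASP.NET (or, as Joseph Geretz recommends, the directory is secured in IIS itself with NTFS permissions and anonymous access disabled, which covers every file type at once). Second, the stock ASP.NET 1.x Machine.config already maps *.asp to System.Web.HttpForbiddenHandler, so script-mapping .asp to aspnet_isapi.dll produces exactly the "explicitly forbidden" response described in the thread; removing that entry does not help either, because there is no ASP.NET handler that forwards a request to the classic ASP engine, and the catch-all System.Web.StaticFileHandler would then serve the .asp source as a download.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the thread). Illustrative Web.config for an
     ASP.NET 1.x application whose web root also holds .asp, .html, images
     and PDFs. Assumed: IIS 5.0, .aspx mapped to aspnet_isapi.dll, and
     .mdb/.csv/.private mapped to aspnet_isapi.dll as in the quoted steps. -->
<configuration>
  <system.web>

    <!-- 1. Block raw download of data files that live under the web root.
            These <add> entries are appended to the Machine.config list.
            They only take effect for extensions that IIS script-maps to
            aspnet_isapi.dll; an unmapped .mdb is still served by IIS. -->
    <httpHandlers>
      <add verb="*" path="*.mdb"     type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.csv"     type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
      <!-- Do NOT add <remove verb="*" path="*.asp" />: Machine.config
           already forbids *.asp, and removing it would let the default
           StaticFileHandler return the .asp source text to the browser. -->
    </httpHandlers>

    <!-- 2. Require an authenticated Windows identity for everything ASP.NET
            sees. "?" is the anonymous user. -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>

  </system.web>

  <!-- 3. A tighter rule for one folder (name assumed for the example).
          This governs /reports/summary.aspx, but NOT /reports/monthly.pdf
          or /reports/legacy.asp: IIS never routes those to ASP.NET, so the
          folder must also be protected in IIS (NTFS ACL, anonymous access
          off) if the whole directory is to be secured. -->
  <location path="reports">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

To confirm what the configuration actually protects, request one file of each type as an anonymous browser: an .aspx under /reports should return 401, a mapped .mdb should return the ASP.NET "forbidden" error page, and a .pdf or .gif in the same folder will still download until the IIS-level restriction is in place.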