Re: Securing Non ASP.Net Files
From: Joe Reazor (joenospam@belgor.com)
Date: 03/14/03
- Next message: Joe Reazor: "Re: Forms Authentication Name property"
- Previous message: Kevin Spencer: "Re: Server.Transfer Vs. Response.Redirect"
- In reply to: Joseph Geretz: "Re: Securing Non ASP.Net Files"
- Next in thread: Mike Moore [MSFT]: "Re: Securing Non ASP.Net Files"
- Reply: Mike Moore [MSFT]: "Re: Securing Non ASP.Net Files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joe Reazor" <joenospam@belgor.com> Date: Fri, 14 Mar 2003 08:15:32 -0500
I guess I have not clearly stated what I am doing. I have a site that was
all ASP pages that was secured (meaning password protected allowing only
authorized users access) using MS's Site Server Personalization and
Membership functionality. Site Server P&M does not work with .Net. Now I
want to change my entire site to be ASPX pages, but I still need to do 2
things: 1) keep the site secure for certain users and 2) know who the user
is that is making the request so that I can write a custom object (in .Net)
that will look up information about them (their name, company info, etc).
So I did some research and found that using Web.Config you can easily
control access to given web apps (folders, urls, whatever you want to call
them). I did further research and found that you can set up IIS to force
all files in a web app to be handled by the ASP.Net isapi dll so that they
too are controlled by the same security. This has worked fine for .aspx,
.html, .pdf, images, etc, but for .asp pages I get an error saying that
their access has been restricted, even though I didn't do anything to
restrict them, so obviously it has something to do with the asp.net dll
processing them before the asp dll does. So, I was wondering if there is a
better way to do all of this or not. I understand everything you have
stated in your post below, but it is not what I am trying to do. One last
thing: I want to use a forms login if possible and don't want to have to
create a Windows account for every user of the site if I don't have to, but
I'm open to all suggestions that will make this as easy as possible.
==============
Joe Reazor
Gorbel Inc.
email: joereaATgorbelDOTcom
"Joseph Geretz" <jgeretz@nospam.com> wrote in message
news:#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl...
> I'm still confused, but maybe it's just me. please bear with me.
>
> For both ASP and ASPX pages there are two activities which you might wish
> to deny. (Well more than just two, but let's just deal with two for now.)
>
> 1. Script Download (script source is viewable in the browser).
>
> 2. Script Execution (on the server, script output (not source) is returned
> to the browser).
>
> From what I understand, you'd like to disallow #1, but still allow #2?
>
> In order to ensure that scripts may not be downloaded, there's really
> nothing you need to do, above and beyond the way IIS will natively treat
> ASP and ASPX files. Natively, IIS will execute both of these files on the
> server via their related ISAPI filters.
>
> You indicated that after changing some settings to explicitly forbid ASP
> access, the scripts are being downloaded to the client browser. Which is
> (obviously) not what you, or any site administrator, wants to happen. If
> you have ASP scripts resident on a site, I am imagining that you want them
> to execute on the server upon request. If you don't want these scripts to
> run at all, why not just remove them from the site? Or, you can mark them
> via IIS to disallow anonymous access.
>
> Now back to your original question. You indicate that you'd like to secure
> a particular site. You can do this through IIS itself. In which case, all
> resources accessed via a particular virtual directory would be secured
> without regard to the type of file. It sounds to me like you have an
> interim situation here, while you are converting an ASP application to
> ASPX? Why not use IIS security facilities? Since IIS is the common
> denominator here it will secure all your resources regardless of whether
> they are ASP, ASPX, GIF's, etc.
>
> (Understand also, that the original technique you attempted, which is to
> use .NET to block access to various file types, is not appropriate if you
> want to protect a file from download, but still want to allow it to
> execute on the server in response to a user request.)
>
> Hope this helps. Please clarify, if I've misunderstood your situation.
>
> Thanks,
>
> Joseph Geretz
>
> "Joe Reazor" <joenospam@belgor.com> wrote in message
> news:#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl...
> > No, that's not what I want. I need to secure ALL files in a given
> > directory regardless of their extension. So while I am in the process of
> > converting asp pages to aspx pages I need something that is going to
> > limit the access to both. I figured using .net security would work. Does
> > anybody have an answer to my original question? I can't imagine I'm the
> > first person trying to do this.
> >
> >
> > ==============
> > Joe Reazor
> > Gorbel Inc.
> > email: joereaATgorbelDOTcom
> >
> >
> > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> > news:uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl...
> > > Hi Joe,
> > >
> > > Why have you 'protected' .asp pages? .asp pages and .aspx pages are
> > > simply handled by two different ISAPI filters (or is it an extension?
> > > whatever...). You don't need to do anything to protect ASP scripts even
> > > if they're co-mingled with ASPX scripts. IIS won't serve the .asp
> > > scripts up in any case. Rather, the .asp script will be passed off to
> > > the ASP ISAPI which will process the script and return the *resulting
> > > output* to the client.
> > >
> > > Isn't that what you want?
> > >
> > > - Joe Geretz -
> > >
> > > "Joe Reazor" <joenospam@belgor.com> wrote in message
> > > news:uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl...
> > > > Thanks for the response. I think I have this much set up. The
> > > > problem I am having now is that the *.asp pages that I have
> > > > protected are not getting served up. It's indicating that they are
> > > > explicitly forbidden, and I'm not sure why. Is there a way to allow
> > > > them through the ASP.Net isapi dll and if so will they then
> > > > automatically be processed by the normal asp dll?
> > > >
> > > > Thanks.
> > > >
> > > > ==============
> > > > Joe Reazor
> > > > Gorbel Inc.
> > > > email: joereaATgorbelDOTcom
> > > >
> > > >
> > > > "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in
> > > > message news:k7y4FTE6CHA.2768@cpmsftngxa06...
> > > > > Hello Joe,
> > > > > By default ASP.NET is configured to intercept and to stop requests
> > > > > for several different file types that are used in ASP.NET
> > > > > applications. These file types are ones that must not be retrieved
> > > > > by users. These file types include .config files that store
> > > > > configuration information for the application and .cs files that
> > > > > store the source code of the application. ASP.NET ensures the
> > > > > privacy of these files by associating both file types with
> > > > > System.Web.HttpForbiddenHandler. System.Web.HttpForbiddenHandler
> > > > > returns an error to the user who requests the file. This method of
> > > > > protecting files can be used for any file type. This method is
> > > > > useful for protecting files that exist in the folder of the Web
> > > > > application and must never be retrieved by users.
> > > > >
> > > > > Microsoft Internet Information Services (IIS) 5.0 determines how
> > > > > to handle requests based on the script mapping for the file name
> > > > > extension of the request. These script mappings are adjusted by
> > > > > using Internet Services Manager. For ASP.NET to block file types,
> > > > > you must first configure IIS 5.0 to forward those requests to
> > > > > ASP.NET. To add additional file types to an ASP.NET application to
> > > > > protect certain file types, follow these steps:
> > > > >
> > > > > 1. On the taskbar click "Start", point to "Settings", and then
> > > > > click "Control Panel".
> > > > > 2. Double-click to open the "Administrative Tools" folder and then
> > > > > double-click to run "Internet Services Manager".
> > > > > 3. Right-click the virtual server or the virtual folder that
> > > > > contains your ASP.NET application and then click "Properties".
> > > > > 4. Select the "Home Directory" or the "Directory" tab. If an
> > > > > application has not been created for the virtual folder, click
> > > > > "Create" under "Application Settings".
> > > > > 5. Under "Application Settings", click "Configuration".
> > > > > 6. To identify the location of the Aspnet_isapi.dll file that
> > > > > handles the ASP.NET requests, select the ".aspx application
> > > > > mapping" and then click "Edit".
> > > > > 7. The "Add/Edit Application Extension Mapping" dialog box
> > > > > appears. Select the text in the "Executable" field and then press
> > > > > CTRL+C to copy the text to your Clipboard.
> > > > > 8. Click "Cancel" to return to the "Application Configuration"
> > > > > dialog box.
> > > > > 9. Now, add application mappings for each extension that you want
> > > > > ASP.NET to block. To do this, click "Add". Then, in the
> > > > > "Executable" field, press CTRL+V to paste the path of your
> > > > > Aspnet_isapi.dll file.
> > > > > 10. In the "Verbs" section, select the "All Verbs" option. Verify
> > > > > that the "Script Engine" check box is selected and that the "Check
> > > > > If File Exists" check box is not selected.
> > > > > 11. Click "OK".
> > > > > 12. Repeat this procedure for every file name extension that you
> > > > > want to have processed by ASP.NET.
> > > > >
> > > > > Configure a File Type That You Want Blocked
> > > > > -------------------------------------------
> > > > >
> > > > > To block additional file types for an ASP.NET application, follow
> > > > > these steps:
> > > > >
> > > > > 1. Open the Web.config file in a text editor such as Notepad. The
> > > > > Web.config file is located in the root directory of your Web
> > > > > application.
> > > > > 2. In the Web.config file add the <httpHandlers> configuration
> > > > > element under the <system.web> element. Note: You must not copy the
> > > > > <httpHandlers> element from the Machine.config file. The reason you
> > > > > must not copy the <httpHandlers> element is because the
> > > > > <httpHandlers> element permits you to add additional file types
> > > > > without completely overriding the Machine.config settings.
> > > > > 3. In the <httpHandlers> element, use <add> sub tags to specify
> > > > > additional file types that you want blocked. Set the verb attribute
> > > > > equal to "*". When you do this, you specify that all types of HTTP
> > > > > requests are blocked. Define the path attribute as a wildcard
> > > > > character that matches the types of files you want to block. For
> > > > > example, you may specify "*.mdb". Finally, set the type attribute
> > > > > to "System.Web.HttpForbiddenHandler". The code sample that follows
> > > > > shows how to configure the "httpHandlers" section in the Web.config
> > > > > file:
> > > > >
> > > > > <system.web>
> > > > >   <httpHandlers>
> > > > >     <add verb="*" path="*.mdb"
> > > > >          type="System.Web.HttpForbiddenHandler" />
> > > > >     <add verb="*" path="*.csv"
> > > > >          type="System.Web.HttpForbiddenHandler" />
> > > > >     <add verb="*" path="*.private"
> > > > >          type="System.Web.HttpForbiddenHandler" />
> > > > >   </httpHandlers>
> > > > > </system.web>
> > > > >
> > > > > 4. Save the Web.config file. The ASP.NET application automatically
> > > > > restarts.
> > > > >
> > > > >
> > > > > Thanks,
> > > > > Bassel Tabbara
> > > > > Microsoft, ASP.NET
> > > > >
> > > > > This posting is provided "AS IS", with no warranties, and confers
> > > > > no rights.
> > > > >
> > > > >
> > > > > --------------------
> > > > > | From: "Joe Reazor" <joenospam@belgor.com>
> > > > > | Subject: Securing Non ASP.Net Files
> > > > > | Date: Tue, 11 Mar 2003 16:35:11 -0500
> > > > > | Lines: 14
> > > > > | X-Priority: 3
> > > > > | X-MSMail-Priority: Normal
> > > > > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> > > > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> > > > > | Message-ID: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
> > > > > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> > > > > | NNTP-Posting-Host: smtp.gorbel.com 216.42.134.6
> > > > > | Path: cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> > > > > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:4295
> > > > > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> > > > > |
> > > > > | I am trying to use .Net, specifically the Web.Config file, to
> > > > > | secure a website that contains ASP.Net pages, ASP pages, HTML
> > > > > | pages, images, PDFs, etc. By default Web.Config only secures
> > > > > | ASP.Net resources I believe. Is there a way to automatically have
> > > > > | it secure all other resources available at that website?
> > > > > |
> > > > > | TIA
> > > > > |
> > > > > | ==============
> > > > > | Joe Reazor
> > > > > | Gorbel Inc.
> > > > > | email: joereaATgorbelDOTcom
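Worked example, added by the editor and not code from any poster in this thread: a small Python model of the two-stage routing the thread is about, where an IIS script map first decides whether a request reaches Aspnet_isapi.dll at all, and ASP.NET's <httpHandlers> then decides which handler gets it. The Web.config entries are the *.mdb/*.csv/*.private ones from Bassel Tabbara's post; the machine.config entries (including a default *.asp mapping to HttpForbiddenHandler) are a constructed stand-in stated here as an assumption, as is the ordering rule (Web.config first, then machine.config, first match wins).

```python
import fnmatch
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class HandlerEntry:
    """One <add verb="..." path="..." type="..."/> element of <httpHandlers>."""
    verb: str
    path: str
    type: str
    def matches(self, method, url_path):
        verbs = {v.strip().upper() for v in self.verb.split(",")}
        if "*" not in verbs and method.upper() not in verbs:
            return False
        if "/" in self.path:                      # a URL path: exact match
            return url_path.lower() == self.path.lower()
        # a file-name wildcard such as *.mdb; IIS names are case-insensitive
        return fnmatch.fnmatchcase(posixpath.basename(url_path).lower(), self.path.lower())

# Constructed stand-in for machine.config defaults (assumption: the real file
# has many more entries and more than one catch-all).
MACHINE_CONFIG = [
    HandlerEntry("*", "*.aspx", "System.Web.UI.PageHandlerFactory"),
    HandlerEntry("*", "*.asp", "System.Web.HttpForbiddenHandler"),
    HandlerEntry("*", "*.config", "System.Web.HttpForbiddenHandler"),
    HandlerEntry("*", "*", "System.Web.StaticFileHandler"),
]
# The three entries from the Web.config sample quoted in the thread.
WEB_CONFIG = [
    HandlerEntry("*", "*.mdb", "System.Web.HttpForbiddenHandler"),
    HandlerEntry("*", "*.csv", "System.Web.HttpForbiddenHandler"),
    HandlerEntry("*", "*.private", "System.Web.HttpForbiddenHandler"),
]

def resolve(method, url_path, iis_aspnet_extensions,
            web_config=WEB_CONFIG, machine_config=MACHINE_CONFIG):
    """Handler type the request ends at, or None if IIS never forwards it to
    Aspnet_isapi.dll. Model: Web.config entries, then machine.config, first match wins."""
    if posixpath.splitext(url_path)[1].lower() not in iis_aspnet_extensions:
        return None                               # IIS serves it itself
    for entry in list(web_config) + list(machine_config):
        if entry.matches(method, url_path):
            return entry.type
    return None

if __name__ == "__main__":
    stock = {".aspx", ".asmx", ".config"}                    # stock IIS script maps (assumed)
    joes = stock | {".asp", ".html", ".pdf", ".gif", ".mdb"}  # after step 9 in the thread
    for req in ("/data/customers.mdb", "/legacy/order.asp", "/docs/Manual.PDF"):
        print(req, "->", resolve("GET", req, stock), "|", resolve("GET", req, joes))
```

Run stand-alone, it shows that an .mdb request with no IIS mapping never reaches ASP.NET, that the same request is forbidden once the extension is mapped, and that an .asp request forwarded to Aspnet_isapi.dll lands on the assumed default *.asp forbidden mapping rather than on the ASP engine.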