Re: Securing Non ASP.Net Files

From: Jerry Weindel (weindelj@ix.netcom.com)
Date: 03/18/03


From: "Jerry Weindel" <weindelj@ix.netcom.com>
Date: Mon, 17 Mar 2003 20:52:16 -0500


I've been reading this thread with much interest because I am trying to do
the same thing. The problem with the proposed solution is that once you tell
the aspnet_isapi.dll to handle (protect) .asp files, the aspnet_isapi.dll
becomes the ISAPI extension that processes the script instead of the
asp.dll. Since the aspnet_isapi.dll processes much differently than the
asp.dll (i.e. parses the script using aspx syntax) the execution fails.

The steps outlined in the HOW TO: seem geared to resolve a problem with
existing links pointing to .asp pages -- but these pages still must already
be converted to aspx syntax to execute properly. My question (and I think
Joe's as well) is how do you protect .asp pages that have not been converted
to aspx yet? That is, the script code is still classic ASP code, not asp.net
code.

Try protecting an ASP page that simply has the following code:

<%
   Response.write "hello world"
%>

"Mike Moore [MSFT]" <michmo@online.microsoft.com> wrote in message
news:TlK7cgp6CHA.2768@cpmsftngxa06...
> Hi Joe,
>
> I found another article that addresses your question:
> 815152 HOW TO: Use ASP.NET to Protect File Types
> http://support.microsoft.com/?id=815152
>
> Thank you, Mike Moore
> Microsoft, ASP.NET
>
> This posting is provided "AS IS", with no warranties, and confers no rights.
>
> --------------------
> >X-Tomcat-ID: 38130389
> >References: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
> <k7y4FTE6CHA.2768@cpmsftngxa06> <uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl>
> <uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl>
> <#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl>
> <#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl>
> <OWeIhxi6CHA.2400@TK2MSFTNGP11.phx.gbl>
> >MIME-Version: 1.0
> >Content-Type: text/plain
> >Content-Transfer-Encoding: 7bit
> >From: michmo@online.microsoft.com ("Mike Moore [MSFT]")
> >Organization: Microsoft
> >Date: Sat, 15 Mar 2003 01:40:00 GMT
> >Subject: Re: Securing Non ASP.Net Files
> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >Message-ID: <r1FvPPp6CHA.2436@cpmsftngxa08.phx.gbl>
> >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >Lines: 391
> >NNTP-Posting-Host: TOMCATIMPORT2 10.201.218.182
> >Path: cpmsftngxa06!cpmsftngxa08.phx.gbl
> >Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:4377
> >
> >Hi Joe,
> >
> >1) Using .NET security to govern access to ASP pages
> >815172 HOW TO: Migrate an ASP Web Application to ASP.NET While Retaining
> >Existing File Name Extensions
> >http://support.microsoft.com/?id=815172
> >
> >Once you have done the above, then you can configure authorization for the
> >ASP files via the web.config file.
> >
> >2) How to use Forms authentication so that you don't need to create a
> >Windows account for each visitor:
> >
> >308157 HOW TO: Implement Forms-Based Authentication in Your ASP.NET
> >Application
> >http://support.microsoft.com/?id=308157
> >
> >306238 HOW TO: Implement Role-Based Security with Forms-Based
> >Authentication
> >http://support.microsoft.com/?id=306238
> >
> >Thank you, Mike Moore
> >Microsoft, ASP.NET
> >
> >This posting is provided "AS IS", with no warranties, and confers no rights.
> >
> >--------------------
> >>From: "Joe Reazor" <joenospam@belgor.com>
> >>References: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
> ><k7y4FTE6CHA.2768@cpmsftngxa06> <uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl>
> ><uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl>
> ><#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl>
> ><#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl>
> >>Subject: Re: Securing Non ASP.Net Files
> >>Date: Fri, 14 Mar 2003 08:15:32 -0500
> >>Lines: 357
> >>X-Priority: 3
> >>X-MSMail-Priority: Normal
> >>X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >>Message-ID: <OWeIhxi6CHA.2400@TK2MSFTNGP11.phx.gbl>
> >>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >>NNTP-Posting-Host: smtp.gorbel.com 216.42.134.6
> >>Path: cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
> >>Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:4360
> >>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >>
> >>I guess I have not clearly stated what I am doing. I have a site that was
> >>all ASP pages that was secured (meaning password protected allowing only
> >>authorized users access) using MS's Site Server Personalization and
> >>Membership functionality. Site Server P&M does not work with .Net. Now I
> >>want to change my entire site to be ASPX pages, but I still need to do 2
> >>things, 1) keep the site secure for certain users and 2) know who the user
> >>is that is making the request so that I can write a custom object (in .Net)
> >>that will look up information about them (their name, company info, etc).
> >>So I did some research and found that using Web.Config you can easily
> >>control access to given web apps (folders, urls, whatever you want to call
> >>them). I did further research and found that you can set-up IIS to force
> >>all files in a web app to be handled by the ASP.Net isapi dll so that they
> >>too are controlled by the same security. This has worked fine for .aspx,
> >>.html, .pdf, images, etc, but for .asp pages I get an error saying that
> >>their access has been restricted, even though I didn't do anything to
> >>restrict them, so obviously it has something to do with the asp.net dll
> >>processing them before the asp dll does. So, I was wondering if there is a
> >>better way to do all of this or not. I understand everything you have
> >>stated in your post below, but it is not what I am trying to do. One last
> >>thing, I want to use a forms login if possible and don't want to have to
> >>create a windows account for every user of the site if I don't have to, but
> >>I'm open to all suggestions that will make this as easy as possible.
> >>
> >>
> >>==============
> >>Joe Reazor
> >>Gorbel Inc.
> >>email: joereaATgorbelDOTcom
> >>"Joseph Geretz" <jgeretz@nospam.com> wrote in message
> >>news:#Isn8Da6CHA.3116@TK2MSFTNGP11.phx.gbl...
> >>> I'm still confused, but maybe it's just me. Please bear with me.
> >>>
> >>> For both ASP and ASPX pages there are two activities which you might wish
> >>> to deny. (Well more than just two, but let's just deal with two for now.)
> >>>
> >>> 1. Script Download (script source is viewable in the browser).
> >>>
> >>> 2. Script Execution (on the server, script output (not source) is returned
> >>> to the browser).
> >>>
> >>> From what I understand, you'd like to disallow #1, but still allow #2?
> >>>
> >>> In order to ensure that scripts may not be downloaded, there's really
> >>> nothing you need to do, above and beyond the way IIS will natively treat
> >>> ASP and ASPX files. Natively, IIS will execute both of these files on the
> >>> server via their related ISAPI filters.
> >>>
> >>> You indicated that after changing some settings to explicitly forbid ASP
> >>> access, the scripts are being downloaded to the client browser. Which is
> >>> (obviously) not what you, or any site administrator, wants to happen. If
> >>> you have ASP scripts resident on a site, I am imagining that you want them
> >>> to execute on the server upon request. If you don't want these scripts to
> >>> run at all, why not just remove them from the site? Or, you can mark them
> >>> via IIS to disallow anonymous access.
> >>>
> >>> Now back to your original question. You indicate that you'd like to secure
> >>> a particular site. You can do this through IIS itself. In which case, all
> >>> resources accessed via a particular virtual directory would be secured
> >>> without regard to the type of file. It sounds to me like you have an
> >>> interim situation here, while you are converting an ASP application to
> >>> ASPX? Why not use IIS security facilities? Since IIS is the common
> >>> denominator here it will secure all your resources regardless of whether
> >>> they are ASP, ASPX, GIF's, etc.
> >>>
> >>> (Understand also, that the original technique you attempted, which is to
> >>> use .NET to block access to various file types is not appropriate if you
> >>> want to protect a file from download, but still want to allow it to
> >>> execute on the server in response to a user request.)
> >>>
> >>> Hope this helps. Please clarify, if I've misunderstood your situation.
> >>>
> >>> Thanks,
> >>>
> >>> Joseph Geretz
> >>>
> >>> "Joe Reazor" <joenospam@belgor.com> wrote in message
> >>> news:#2ciQzZ6CHA.972@TK2MSFTNGP12.phx.gbl...
> >>> > No, that's not what I want. I need to secure ALL files in a given
> >>> > directory regardless of their extension. So while I am in the process of
> >>> > converting asp pages to aspx pages I need something that is going to
> >>> > limit the access to both. I figured using .net security would work. Does
> >>> > anybody have an answer to my original question? I can't imagine I'm the
> >>> > first person trying to do this.
> >>> >
> >>> >
> >>> > ==============
> >>> > Joe Reazor
> >>> > Gorbel Inc.
> >>> > email: joereaATgorbelDOTcom
> >>> >
> >>> >
> >>> > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> >>> > news:uFiTnMO6CHA.1540@TK2MSFTNGP09.phx.gbl...
> >>> > > Hi Joe,
> >>> > >
> >>> > > Why have you 'protected' .asp pages? .asp pages and .aspx pages are
> >>> > > simply handled by two different ISAPI filters (or is it an extension?
> >>> > > whatever...). You don't need to do anything to protect ASP scripts even
> >>> > > if they're co-mingled with ASPX scripts. IIS won't serve the .asp
> >>> > > scripts up in any case. Rather, the .asp script will be passed off to
> >>> > > the ASP ISAPI which will process the script and return the *resulting
> >>> > > output* to the client.
> >>> > >
> >>> > > Isn't that what you want?
> >>> > >
> >>> > > - Joe Geretz -
> >>> > >
> >>> > > "Joe Reazor" <joenospam@belgor.com> wrote in message
> >>> > > news:uT0LeSM6CHA.2308@TK2MSFTNGP11.phx.gbl...
> >>> > > > Thanks for the response. I think I have this much set-up. The
> >>> > > > problem I am having now is that the *.asp pages that I have protected
> >>> > > > are not getting served up. It's indicating that they are explicitly
> >>> > > > forbidden, and I'm not sure why. Is there a way to allow them through
> >>> > > > the ASP.Net isapi dll and if so will they then automatically be
> >>> > > > processed by the normal asp dll?
> >>> > > >
> >>> > > > Thanks.
> >>> > > >
> >>> > > > ==============
> >>> > > > Joe Reazor
> >>> > > > Gorbel Inc.
> >>> > > > email: joereaATgorbelDOTcom
> >>> > > >
> >>> > > >
> >>> > > > "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in
> >>> > > > message news:k7y4FTE6CHA.2768@cpmsftngxa06...
> >>> > > > > Hello Joe,
> >>> > > > > By default ASP.NET is configured to intercept and to stop requests
> >>> > > > > for several different file types that are used in ASP.NET
> >>> > > > > applications. These file types are ones that must not be retrieved
> >>> > > > > by users. These file types include .config files that store
> >>> > > > > configuration information for the application and .cs files that
> >>> > > > > store the source code of the application. ASP.NET ensures the
> >>> > > > > privacy of these files by associating both file types with
> >>> > > > > System.Web.HttpForbiddenHandler. System.Web.HttpForbiddenHandler
> >>> > > > > returns an error to the user who requests the file. This method of
> >>> > > > > protecting files can be used for any file type. This method is
> >>> > > > > useful for protecting files that exist in the folder of the Web
> >>> > > > > application and must never be retrieved by users.
> >>> > > > >
> >>> > > > > Microsoft Internet Information Services (IIS) 5.0 determines how
> >>> > > > > to handle requests based on the script mapping for the file name
> >>> > > > > extension of the request. These script mappings are adjusted by
> >>> > > > > using Internet Services Manager. For ASP.NET to block file types,
> >>> > > > > you must first configure IIS 5.0 to forward those requests to
> >>> > > > > ASP.NET. To add additional file types to an ASP.NET application to
> >>> > > > > protect certain file types, follow these steps:
> >>> > > > >
> >>> > > > > 1. On the taskbar click "Start", point to "Settings", and then
> >>> > > > > click "Control Panel".
> >>> > > > > 2. Double-click to open the "Administrative Tools" folder and then
> >>> > > > > double-click to run "Internet Services Manager".
> >>> > > > > 3. Right-click the virtual server or the virtual folder that
> >>> > > > > contains your ASP.NET application and then click "Properties".
> >>> > > > > 4. Select the "Home Directory" or the "Directory" tab. If an
> >>> > > > > application has not been created for the virtual folder, click
> >>> > > > > "Create" under "Application Settings".
> >>> > > > > 5. Under "Application Settings", click "Configuration".
> >>> > > > > 6. To identify the location of the Aspnet_isapi.dll file that
> >>> > > > > handles the ASP.NET requests, select the ".aspx application
> >>> > > > > mapping" and then click "Edit".
> >>> > > > > 7. The "Add/Edit Application Extension Mapping" dialog box appears.
> >>> > > > > Select the text in the "Executable" field and then press CTRL+C to
> >>> > > > > copy the text to your Clipboard.
> >>> > > > > 8. Click "Cancel" to return to the "Application Configuration"
> >>> > > > > dialog box.
> >>> > > > > 9. Now, add application mappings for each extension that you want
> >>> > > > > ASP.NET to block. To do this, click "Add". Then, in the
> >>> > > > > "Executable" field, press CTRL+V to paste the path of your
> >>> > > > > Aspnet_isapi.dll file.
> >>> > > > > 10. In the "Verbs" section, select the "All Verbs" option. Verify
> >>> > > > > that the "Script Engine" check box is selected and that the "Check
> >>> > > > > If File Exists" check box is not selected.
> >>> > > > > 11. Click "OK".
> >>> > > > > 12. Repeat this procedure for every file name extension that you
> >>> > > > > want to have processed by ASP.NET.
> >>> > > > >
> >>> > > > > Configure a File Type That You Want Blocked
> >>> > > > > -------------------------------------------
> >>> > > > >
> >>> > > > > To block additional file types for an ASP.NET application, follow
> >>> > > > > these steps:
> >>> > > > >
> >>> > > > > 1. Open the Web.config file in a text editor such as Notepad. The
> >>> > > > > Web.config file is located in the root directory of your Web
> >>> > > > > application.
> >>> > > > > 2. In the Web.config file add the <httpHandlers> configuration
> >>> > > > > element under the <system.web> element. Note: You must not copy the
> >>> > > > > <httpHandlers> element from the Machine.config file. The reason you
> >>> > > > > must not copy the <httpHandlers> element is because the
> >>> > > > > <httpHandlers> element permits you to add additional file types
> >>> > > > > without completely overriding the Machine.config settings.
> >>> > > > > 3. In the <httpHandlers> element, use <add> sub tags to specify
> >>> > > > > additional file types that you want blocked. Set the verb attribute
> >>> > > > > equal to "*". When you do this, you specify that all types of HTTP
> >>> > > > > requests are blocked. Define the path attribute as a wildcard
> >>> > > > > character that matches the types of files you want to block. For
> >>> > > > > example, you may specify "*.mdb". Finally, set the type attribute
> >>> > > > > to "System.Web.HttpForbiddenHandler". The code sample that follows
> >>> > > > > shows how to configure the "httpHandlers" section in the Web.config
> >>> > > > > file:
> >>> > > > >
> >>> > > > > <system.web>
> >>> > > > >   <httpHandlers>
> >>> > > > >     <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
> >>> > > > >     <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
> >>> > > > >     <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
> >>> > > > >   </httpHandlers>
> >>> > > > > </system.web>
> >>> > > > >
> >>> > > > > 4. Save the Web.config file. The ASP.NET application automatically
> >>> > > > > restarts.
> >>> > > > >
> >>> > > > >
> >>> > > > > Thanks,
> >>> > > > > Bassel Tabbara
> >>> > > > > Microsoft, ASP.NET
> >>> > > > >
> >>> > > > > This posting is provided "AS IS", with no warranties, and confers no
> >>> > > > > rights.
> >>> > > > >
> >>> > > > >
> >>> > > > > --------------------
> >>> > > > > | From: "Joe Reazor" <joenospam@belgor.com>
> >>> > > > > | Subject: Securing Non ASP.Net Files
> >>> > > > > | Date: Tue, 11 Mar 2003 16:35:11 -0500
> >>> > > > > | Lines: 14
> >>> > > > > | X-Priority: 3
> >>> > > > > | X-MSMail-Priority: Normal
> >>> > > > > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> >>> > > > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> >>> > > > > | Message-ID: <e5lHxaB6CHA.1784@TK2MSFTNGP10.phx.gbl>
> >>> > > > > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >>> > > > > | NNTP-Posting-Host: smtp.gorbel.com 216.42.134.6
> >>> > > > > | Path: cpmsftngxa06!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> >>> > > > > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:4295
> >>> > > > > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >>> > > > > |
> >>> > > > > | I am trying to use .Net, specifically the Web.Config file, to
> >>> > > > > | secure a website that contains ASP.Net pages, ASP pages, HTML
> >>> > > > > | pages, images, PDFs, etc. By default Web.Config only secures
> >>> > > > > | ASP.Net resources I believe. Is there a way to automatically have
> >>> > > > > | it secure all other resources available at that website?
> >>> > > > > |
> >>> > > > > | TIA
> >>> > > > > |
> >>> > > > > | ==============
> >>> > > > > | Joe Reazor
> >>> > > > > | Gorbel Inc.
> >>> > > > > | email: joereaATgorbelDOTcom
> >>> > > > > |
> >>> > > > > |
> >>> > > > > |
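The configuration the thread circles around, put together as one Web.config so the pieces can be seen side by side: Forms authentication (KB 308157, so no Windows account per visitor), a URL authorization rule that turns away anonymous requests, and the <httpHandlers> block from KB 815152 that forbids file types that must never be served. This is an added example, not code from any of the posters or from the KB articles. It assumes an ASP.NET 1.x application whose login page is login.aspx in the application root, and it assumes the IIS script maps from the quoted steps are already in place, because nothing in this file is consulted for an extension IIS does not forward to Aspnet_isapi.dll.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Web.config for the application root (ASP.NET 1.x schema).
     Assumptions, not taken from the thread: login.aspx exists in this
     directory, and IIS already maps every extension you want covered
     (.html, .pdf, images, .mdb, ...) to Aspnet_isapi.dll. -->
<configuration>
  <system.web>

    <!-- Forms login: visitors get a forms ticket instead of a Windows
         account. protection="All" encrypts and signs the cookie. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx"
             protection="All" timeout="30" />
    </authentication>

    <!-- "?" means anonymous. Anyone without a valid ticket is redirected
         to loginUrl with a ReturnUrl query parameter. This rule covers
         every request that reaches ASP.NET, whatever the extension. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Files that must never be served to anyone, logged in or not.
         HttpForbiddenHandler answers these with an HTTP 403. Adding
         entries here extends, rather than replaces, the Machine.config
         handler list, so .config and .cs stay forbidden as before. -->
    <httpHandlers>
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>

  </system.web>

  <!-- The login page itself must stay reachable by anonymous users,
       otherwise the deny rule above locks everyone out. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two checks worth running after saving this: an anonymous GET of any mapped resource (an .aspx, or a .pdf once .pdf is mapped to Aspnet_isapi.dll) should come back as a redirect to login.aspx, and a GET of a .mdb should come back as a 403 even from a logged-in session. Two caveats follow from the thread itself: an extension that IIS still handles natively never reaches these rules, so an unmapped .pdf is served with no check at all; and .asp is deliberately absent, because mapping it to Aspnet_isapi.dll hands the file to ASP.NET, which, as Jerry's post above describes, does not run classic ASP script.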


