Deny web access to a directory?

From: Dominick Baier (dotnet_at_leastprivilege.com)
Date: 09/29/04 

To: microsoft.public.dotnet.framework.aspnet.security
Date: Tue, 28 Sep 2004 23:50:49 -0700

hi,

 asp.net handles only the requests that are mapped on aspnet_isapi which are asmx, aspx and some more - other extensions are directly handled by IIS without even entering your application

 add another script mapping to IIS for .mdb pointing to exactly the same script handler as .aspx - you could also add a HttpForbiddenHandler to your web/machine.config after that.

 

 ---
 Dominick Baier - DevelopMentor
 http://www.leastprivilege.com

   nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<4D921C30-E888-4D1A-871E-A4984D6456B6@microsoft.com>

 Hi,
 
 I have a asp.net site running on an MS Access database this is, for better
 or worse, stored under the webroot.
 
 How can I lockout the database directory to prevent anyone from downloading
 it via HTTP?
 
 I have attached my web.config file at the end of this message.
 
 The problem is that the "database" directory is still viewable by anyone.
 Not sure why. Do I have a typo?
 
 
 Thanks,
 David
 
 
 ---------------------------------------------
 
 
 
 <configuration>
 
 <system.web>
 <customErrors mode="Off"/>
 
 <!-- Authentication form -->
 <authentication mode="Forms">
 <forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
 timeout="999999" path="/app-admin/" />
 </authentication>
 
 <!-- Allow anon users to main site -->
 <authorization>
 <allow users="?" />
 </authorization>
 </system.web>
 
 <!-- Set up secure zone for app admin -->
 <location path="app-admin">
 <system.web>
 
 <!-- disallow anon users-->
 <authorization>
 <deny users="?" />
 </authorization>
 </system.web>
 </location>
 
 <!-- Set up secure zone for database -->
 <location path="database">
 <system.web>
 
 <!-- disallow all users-->
 <authorization>
 <deny users="*" />
 </authorization>
 </system.web>
 </location>
 
 </configuration>
 
 
 [microsoft.public.dotnet.framework.aspnet.security]

Relevant Pages

  • Re: Database error
    ... FP extensions WITHOUT having IIS installed on your ... so no possibility of IIS. ... >you need IIS to connect a MDB database. ... I just get this error message. ...
    (microsoft.public.frontpage.client)
  • Re: ASP & Databases
    ... I am unable to insert a row in a database using an .asp ... I am running IIS 5.1 that comes with Windows XP. ... : in Control Panel. ...
    (microsoft.public.inetserver.asp.db)
  • Re: Unable to get global configuration data.
    ... It did say All Unassigned with a port. ... I reset IIS. ... on the web server. ... Unable to connect to database. ...
    (microsoft.public.sharepoint.windowsservices)
  • Re: filling in missing dates in a time series
    ... timestep we store ... In practice the restrictions have no adverse effect on the applicability of his relational algebra for database purposes. ... As I understand it, Codd was talking about recording facts through what are called their extensions, basically the enumerations of sets, possibly very lengthy enumerations as you seem to be referring to. ... Wistfully, I find this a bit unfortunate, but maybe I just don't know enough to see that an RM with intensions is a bigger problem, eg., a 'table' defined via intension. ...
    (comp.databases.theory)
  • Re: Insert Database Results - Get Error
    ... > Thomas A. Rowe ... > FrontPage Resources, WebCircle, MS KB Quick Links, etc. ... Note that I do not have IIS installed. ... insert database results in a FP .asp page. ...
    (microsoft.public.frontpage.client)