RE: IIS 5.0 : howto disable direct file linking?
From: David Dietz [MS] (ddietz_at_online.microsoft.com)
Date: 09/09/03
Date: Tue, 09 Sep 2003 13:13:44 GMT
Bob,

There is no setting in IIS to disable direct file linking. If the
requested URL is valid, IIS will serve it as long as the client making the
request has appropriate permissions to view the content.

The only way to do what you are trying to accomplish is via some sort of
ISAPI filter. If you found (or wrote) a filter that would check the
'referrer' value in a GET request you could have it allow requests that are
referred from somewhere else in your site/application and redirect clients
to your homepage if the referrer value is either blank or from somewhere
other than your site/application.

Hope this helps.

David Dietz -- IIS Support Professional
Search our online Knowledge Base
http://support.microsoft.com/support/
This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved
--------------------
|>From: "Bob Bracey" <bbracey@ix.netcom.com>
|>Subject: IIS 5.0 : howto disable direct file linking?
|>Date: Fri, 21 Feb 2003 12:03:33 -0800
|>Newsgroups: microsoft.public.inetserver.iis.security
|>
|>Hi gurus -
|>
|>I've searched a lot in the forums and cannot find an
|>answer to this: is there a way I can set an IIS 5.0
|>server on Win2K server to disallow serving up a file to a
|>client browser if it is not linked to via a page HREF on
|>the server?
|>
|>As a better example, say I have a directory of PDF files
|>listed by users' SSN's (111-11-1111.pdf). If a user comes
|>into a page via a previous application authentication
|>check and gets a link to his or her SSN.pdf file, and
|>clicks on it, it will show up in the web browser client
|>window (assuming Acrobat Reader is set up properly). The
|>URL with the SSN.pdf link is now shown in the URL address
|>bar. I now want to prevent this user from trying to get
|>at someone else's SSN.pdf file (e.g. 222-22-2222.pdf)
|>just by them typing over the URL that is displayed.
|>
|>So I am thinking there may be a setting I can tweak that
|>would do something like "disallow direct linking to files
|>on the server" or such. Hope this makes sense, and
|>apologies if this is a RTFM but after a couple hours
|>searching, I decided to post. TIA.
|>
|>-- Bob
|>
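
The referrer check described in the reply, sketched in C as an added example (not code from the post or from Microsoft): the decision a filter would make for each GET, given the raw Referer value and the site's own host name. The names check_referer and referer_action, the host www.example.com and the sample URLs are constructed for illustration, and no ISAPI calls are shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { SERVE_FILE, REDIRECT_HOME } referer_action;

/* Case-insensitive compare of the n bytes at a against the whole of b. */
static int host_equals(const char *a, size_t n, const char *b)
{
    size_t i;
    if (strlen(b) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* referer: raw header value, NULL if the header is absent.
 * site_host: the host name the site is served under (assumed known). */
referer_action check_referer(const char *referer, const char *site_host)
{
    const char *p, *end, *at, *colon;

    if (referer == NULL || *referer == '\0') return REDIRECT_HOME; /* blank */

    /* Only absolute http/https URLs are considered; anything else fails closed. */
    if (strncmp(referer, "http://", 7) == 0)       p = referer + 7;
    else if (strncmp(referer, "https://", 8) == 0) p = referer + 8;
    else return REDIRECT_HOME;

    /* The authority part ends at the first '/', '?' or '#'. */
    end = p + strcspn(p, "/?#");

    /* Skip any userinfo, so "user@host" is judged by host alone. */
    for (at = end; at > p; at--)
        if (at[-1] == '@') { p = at; break; }

    /* Drop an optional ":port" before comparing. */
    colon = memchr(p, ':', (size_t)(end - p));
    if (colon) end = colon;

    return host_equals(p, (size_t)(end - p), site_host) ? SERVE_FILE : REDIRECT_HOME;
}

int main(void)
{
    /* Constructed sample: a link followed from a page on the same site. */
    const char *r = "http://www.example.com/app/list.asp";
    puts(check_referer(r, "www.example.com") == SERVE_FILE ? "serve" : "redirect");
    return 0;
}
```

The Referer header is set by the client, so this check steers browsers that follow links but does not verify which user is asking for which file.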