Re: II6.0 ISAPI & MIME types
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Jun 2006 20:57:47 +1000
You can either:
a) use NTFS permissions. The user needs a valid username/password to read
the file
b) write your own authN mechanism. Store the PDFs outside the webroot (so
they are not accessible directly). Instead you have an ASP.NET page (or ASP,
or PHP, or whatever) that authenticates/authorizes the user. If the user is
allowed to access the file, you read it off the disk (e.g. using the
FileSystemObject) and stream it to the user
Cheers
Ken
"Ibrahim." <Ibrahim@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@xxxxxxxxxxxxxxxx
Hello Ken,
The problem I'm facing is that I'm able to secure the directories but not
the documents (*.pdf). This is basically an upload folder in virtual directory
which has read/write permission set.
If the attacker is aware of the file name, he can directly access the file
without even logging in to the system by specifying the path in the URL.
I would appreciate if you can guide me in how to secure basic entities that
are not supposed to be accessed by the outside world.
Thanks in advance.
Ibrahim.
"Ken Schaefer" wrote:
"Ibrahim." <Ibrahim@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@xxxxxxxxxxxxxxxx
Hello,
following are my questions with regard to ASP.NET 2.0, IIS 6.0 & Win2003
server running an Internet Application:
1. What is the difference between MIME types & ISAPI filter.
A MIME type is a header that the server sends back to the client to tell the
client (e.g. browser) what type of file is coming.
ISAPI is an extensibility API for IIS, which allows you to write code that
extends the functionality of IIS
2. How can I restrict a file (*.pdf) from being accessed directly from the
URL through ISAPI filter.
You need to write an ISAPI filter that does that. You can use something like
URLScan (which is an ISAPI filter from Microsoft) to prevent direct requests
for .pdf files.
3. How can I secure directories & files in IIS 6.0
There are lots of ways. You need to tell us what "secure" means in your case.
Cheers
Ken
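
Option (b) from the reply at the top of this message, sketched as an ASP.NET generic handler that authenticates, authorizes and then streams a PDF kept outside the webroot. This is an added example, not code from the thread; the store path, the `file` query parameter, the handler name and the `DocumentReaders` role are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical handler, requested as e.g. Download.ashx?file=report.pdf
public class PdfDownloadHandler : IHttpHandler
{
    // Assumed location: outside every site root and virtual directory, with a
    // trailing separator so the prefix check below cannot match "Uploads2".
    private static readonly string StoreRoot = @"D:\AppData\Uploads\";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Authenticate: anonymous requests never reach the file system.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { context.Response.StatusCode = 401; return; }

        // Authorize: "DocumentReaders" is an assumed role name.
        if (!context.User.IsInRole("DocumentReaders"))
        { context.Response.StatusCode = 403; return; }

        string path = ResolvePdf(context.Request.QueryString["file"]);
        if (path == null) { context.Response.StatusCode = 404; return; }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.TransmitFile(path); // writes the file without buffering it in memory
    }

    // Maps a client-supplied name to a file inside StoreRoot, or returns null.
    private static string ResolvePdf(string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;
        try
        {
            // Reject anything carrying a directory or drive part ("..\x", "C:x", "a/b").
            if (Path.GetFileName(requested) != requested) return null;
            if (!requested.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase)) return null;
            string full = Path.GetFullPath(Path.Combine(StoreRoot, requested));
            if (!full.StartsWith(StoreRoot, StringComparison.OrdinalIgnoreCase)) return null;
            return File.Exists(full) ? full : null;
        }
        catch (ArgumentException) { return null; }    // illegal path characters
        catch (PathTooLongException) { return null; } // oversized name
    }
}
```

The store folder only needs NTFS read access for the worker process identity, so a request that bypasses the handler has no URL that maps to the files.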