Direct access to files without using web site
| Kalvin 2004-07-19, 5:56 pm |
| I am running IIS 6. I have an application designed to authenticate
the users as to who they are and then only allow them to get certain
files depending on how they authenticated. We want all users to be
able to access our site. The problem is that if a user was clever,
they would be able to modify the URL for their file and possibly get
other files that are not intended for them.
Is there a way to allow Anonymous User access to their files only if
they are being accessed through a particular web site? If they paste
a URL into the address bar, it will not allow them access to the file.
If I am not clear enough, let me know and I will elaborate more.
Thanks, Kalvin
| |
| Tom Kaminski [MVP] 2004-07-19, 5:56 pm |
| "Kalvin" <ktuel@streck.com> wrote in message
news:879688dc.0407190823.68372707@posting.google.com...
> I am running IIS 6. I have an application designed to authenticate
> the users as to who they are and then only allow them to get certain
> files depending on how they authenticated. We want all users to be
> able to access our site. The problem is that if a user was clever,
> they would be able to modify the URL for their file and possibly get
> other files that are not intended for them.
>
> Is there a way to allow Anonymous User access to their files only if
> they are being accessed through a particular web site? If they paste
> a URL into the address bar, it will not allow them access to the file.
> If I am not clear enough, let me know and I will elaborate more.
How are you authenticating and giving access to the files? My guess is
you're checking a database for authentication and your files are static
documents and aren't controlled by your code.
Instead of directly linking to the files, serve them indirectly with an ASP
(or similar) using the following code. Place the files outside of your web
root so there's no direct URL and add some code to check if the user is
authenticated before the file gets sent or display an error message.
http://support.microsoft.com/?kbid=276488
--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iisfaq.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://www.tryiis.com
| |
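The gatekeeper page described in the reply above, as an added example that is not part of the original thread and not the code from the linked KB article. Assumptions: the login page sets `Session("UserId")`, the files live in `D:\protected-files\` (a folder outside the web root), the page is named `download.asp`, and the `Scripting.Dictionary` with constructed entries stands in for the application's database lookup.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' download.asp (hypothetical name): called as download.asp?id=1001
Const STORE_ROOT = "D:\protected-files\"   ' assumed path, outside the web root
Const adTypeBinary = 1
Dim userId, fileId, key, allowed, fileName, fullPath, fso, stream

' 1. Authentication: refuse anyone the login page has not marked as signed in.
userId = CStr(Session("UserId") & "")
If userId = "" Then
    Response.Status = "403 Forbidden"
    Response.Write "Please sign in before downloading files."
    Response.End
End If

' 2. Authorization: the client supplies only an opaque id. The file name comes
'    from a server-side table keyed by (user, id), never from the URL itself.
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.Add "alice|1001", "alice-statement.pdf"   ' constructed sample rows
allowed.Add "bob|1002", "bob-statement.pdf"
fileId = CStr(Request.QueryString("id") & "")
key = userId & "|" & fileId
If Not allowed.Exists(key) Then
    Response.Status = "403 Forbidden"
    Response.Write "You do not have access to that file."
    Response.End
End If
fileName = allowed(key)

' 3. Delivery: read the file from outside the web root and stream it out.
fullPath = STORE_ROOT & fileName
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.BinaryWrite stream.Read
stream.Close
Response.End
%>
```

Because the path is built only from the server-side table, editing the `id` in the URL yields a 403 rather than another user's file, and pasting a direct file URL fails because nothing under the web root maps to the storage folder.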
| Jeff Cochran 2004-07-19, 5:56 pm |
| On 19 Jul 2004 09:23:28 -0700, ktuel@streck.com (Kalvin) wrote:
>I am running IIS 6. I have an application designed to authenticate
>the users as to who they are and then only allow them to get certain
>files depending on how they authenticated. We want all users to be
>able to access our site. The problem is that if a user was clever,
>they would be able to modify the URL for their file and possibly get
>other files that are not intended for them.
>
>Is there a way to allow Anonymous User access to their files only if
>they are being accessed through a particular web site? If they paste
>a URL into the address bar, it will not allow them access to the file.
> If I am not clear enough, let me know and I will elaborate more.
The obvious way is to use NTFS permissions and Windows authentication,
rather than your custom app.
Jeff