IIS Server Security - file protection


Author file protection
beachboy

2006-09-11, 1:31 am

Is there any setting that can protect a special folder so that users are not allowed to download
from it by browser/URL, but the files/directories can still be accessed by an aspx/asp
script (Content Management System)? How can I set this up? Use NTFS
permissions, or can IIS do this?

e.g.:
userA types http://localhost/website1/download/doc1.doc and the system will show
an incorrect or password protected message. When userA accesses the CMS with the
application's loginid & pwd, they can upload and replace doc1.doc through the
asp/aspx script without any permission problem.

Any ideas? Please comment and advise. Thanks.


Ken Schaefer

2006-09-11, 1:31 am

An ASP/ASPX page can change any file on the file system (assuming it has NTFS
permissions).

So, simply locate the documents *outside* the web site's root folder.

Cheers
Ken


"beachboy" <jpsteambun@yahoo.com.hk> wrote in message
news:OW$xQ8V1GHA.4816@TK2MSFTNGP06.phx.gbl...
> Is there any setting that can protect a special folder so that users are not allowed to download
> from it by browser/URL, but the files/directories can still be accessed by an aspx/asp
> script (Content Management System)? How can I set this up? Use NTFS
> permissions, or can IIS do this?
>
> e.g.:
> userA types http://localhost/website1/download/doc1.doc and the system will show
> an incorrect or password protected message. When userA accesses the CMS with the
> application's loginid & pwd, they can upload and replace doc1.doc through the
> asp/aspx script without any permission problem.
>
> Any ideas? Please comment and advise. Thanks.
>
>



beachboy

2006-09-11, 7:25 am

Oh, sorry. This is one requirement of my infrastructure:
- the protected folder must be within the website's root folder

Any comments and advice? Thanks in advance.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:u600yCW1GHA.772@TK2MSFTNGP05.phx.gbl...
> An ASP/ASPX page can change any file on the file system (assuming it has NTFS
> permissions).
>
> So, simply locate the documents *outside* the web site's root folder.
>
> Cheers
> Ken
>
>
> "beachboy" <jpsteambun@yahoo.com.hk> wrote in message
> news:OW$xQ8V1GHA.4816@TK2MSFTNGP06.phx.gbl...
>
>



Ken Schaefer

2006-09-11, 1:30 pm

Open IIS Manager, and locate the folder where your protected content is.
Remove the "Read" permission from that folder. That will stop direct
requests for static files in that folder.

Cheers
Ken

"beachboy" <jpsteambun@yahoo.com.hk> wrote in message
news:ux6VfUX1GHA.4108@TK2MSFTNGP04.phx.gbl...
> Oh, sorry. This is one requirement of my infrastructure:
> - the protected folder must be within the website's root folder
>
> Any comments and advice? Thanks in advance.
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:u600yCW1GHA.772@TK2MSFTNGP05.phx.gbl...
>
>
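
An added example, not code from the thread or its participants: with the IIS "Read" permission removed from the folder as described in the reply above, logged-in users can still be handed a file by a script that reads it from the file system. The handler name, the `file` query parameter and the use of ASP.NET's `context.User` to represent the application's login are assumptions.

```csharp
<%@ WebHandler Language="C#" Class="ProtectedDownload" %>
using System;
using System.IO;
using System.Web;

// Hypothetical getdoc.ashx, placed OUTSIDE the protected folder (worker identity needs NTFS read).
public class ProtectedDownload : IHttpHandler
{
    // Assumption: the folder from the thread's example URL, with IIS "Read" removed.
    private const string ProtectedFolder = "~/download";
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Assumption: the application's login is exposed through context.User
        // (e.g. forms authentication). Anonymous requests stop here.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Accept a bare file name only: no separators, drive letters, quotes
        // or control characters (all are invalid file name characters).
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Resolve the path and confirm it is still inside the folder (rejects "..").
        string root = Path.GetFullPath(context.Server.MapPath(ProtectedFolder))
                          .TrimEnd(Path.DirectorySeparatorChar);
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root + Path.DirectorySeparatorChar,
                             StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // A file system read by the script, not a web request for a static file.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(full);
    }
}
```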



Funkadyleik Spynwhanker

2006-09-11, 1:30 pm

Or, just create a "virtual" folder (Right click, new, virtual folder) with
the same name as the folder you want to protect. Map it to the root of your
web.

That will avoid user/pass and permission issues, and prevent anybody from
using HTTP to access the folder. You can then use FTP, or ASP (which isn't
talking to the web server at that level) to store and pull or put files
there normally.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OTH%23OMa1GHA.1336@TK2MSFTNGP03.phx.gbl...
> Open IIS Manager, and locate the folder where your protected content is.
> Remove the "Read" permission from that folder. That will stop direct
> requests for static files in that folder.
>
> Cheers
> Ken
>
> "beachboy" <jpsteambun@yahoo.com.hk> wrote in message
> news:ux6VfUX1GHA.4108@TK2MSFTNGP04.phx.gbl...
>
>



Ken Schaefer

2006-09-12, 1:24 am

Erm, how would this work? What's to stop the "bad guy" just typing in the
URL to the file?

Cheers
Ken

"Funkadyleik Spynwhanker" <youreallywantoemailmepunk?@winblows.gov> wrote in
message news:9%eNg.798$5i7.189@newsreading01.news.tds.net...
> Or, just create a "virtual" folder (Right click, new, virtual folder) with
> the same name as the folder you want to protect. Map it to the root of
> your web.
>
> That will avoid user/pass and permission issues, and prevent anybody from
> using HTTP to access the folder. You can then use FTP, or ASP (which
> isn't talking to the web server at that level) to store and pull or put
> files there normally.
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:OTH%23OMa1GHA.1336@TK2MSFTNGP03.phx.gbl...
>
>




Copyright 2003 - 2008 webservertalk.com