IIS Server Security - Re: file extensions and IIS

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > November 2007 > Re: file extensions and IIS





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Re: file extensions and IIS
David Wang

2007-11-16, 1:39 pm

Ok, I see.

The behavior of IIS completely depends on its configuration, and it
can be configured to do what you say, or not what you want. There is
no feature which says "hide or expose resources by extension".
However, it is possible to hide or expose resources by extension with
a combination of configuration.

Thus, one needs to know the IIS version, the MIME Type, and
Application Mapping configuration which applies to the URL in
question.

Prior to IIS6, default configuration would allow .bak to be
downloaded, while IIS6 and later would not allow .bak to be
downloaded. And of course, there are many ways to configure IIS to do
the opposite of its defaults.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//







On Nov 2, 9:31 am, "Zester" <z...@nottospam.com> wrote:
> No, that wasn't what I was looking for. I'm concerned about the security
> risk of exposing content of files that we didn't intend to. The .bak file
> might be a web.config.bak that contains some sensitive info; I don't want
> users to have access to it.
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1193981533.581025.25860@q3g2000prf.googlegroups.com...
>
>
>
>
>
>
>
>
>
>
>
> - Show quoted text -


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com