IIS Server Security - Re: file extensions and IIS

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > November 2007 > Re: file extensions and IIS





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Re: file extensions and IIS
Zester

2007-11-16, 1:39 pm

Is there a way to audit which files are allowed to be downloaded by default
configuration? I looked into IIS5 Application Configuration dialog and
didn't see .bak to be in the mapping for the website but it was allowed to
be downloaded as you pointed out. IIS6 doesn't have the entry either but
it's not allowed to be downloaded. Sounds like the default configuration is
hidden.

Also, would you know a documentation that walks me through how to block .bak
from being downloaded in IIS5? Thanks!



"David Wang" <w3.4you@gmail.com> wrote in message
news:1194058410.973691.294860@e9g2000prf.googlegroups.com...
> Ok, I see.
>
> The behavior of IIS completely depends on its configuration, and it
> can be configured to do what you say, or not what you want. There is
> no feature which says "hide or expose resources by extension".
> However, it is possible to hide or expose resources by extension with
> a combination of configuration.
>
> Thus, one needs to know the IIS version, the MIME Type, and
> Application Mapping configuration which applies to the URL in
> question.
>
> Prior to IIS6, default configuration would allow .bak to be
> downloaded, while IIS6 and later would not allow .bak to be
> downloaded. And of course, there are many ways to configure IIS to do
> the opposite of its defaults.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
>
>
>
> On Nov 2, 9:31 am, "Zester" <z...@nottospam.com> wrote:
>
>


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com