How to deal with Restricted Access File Folder

Question
-
User-786564416 posted
I have a files folder containing PDF files located on a server.
This server, where the files folders are stored, is the same server that contains my website solution (all aspx forms with their code).
For maximum security and privacy purposes, I want to disable direct access by all Windows users. The ONLY access (read and write) I want to allow is that through the solution's aspx forms. Thus, how do I configure these settings?
Thursday, October 27, 2016 3:40 PM
All replies
-
User-691209617 posted
Hi,
Don't give permission to every user on the specific folder; give permission to IUSR on those folders. You also need to add some configuration in web.config.
Also try a rewrite rule or a request filtering rule.
Hope it helps.
Thursday, October 27, 2016 3:52 PM -
User-786564416 posted
Dear Codemovement
Would you please point me to a link that explains this?
Thanks a lot
Thursday, October 27, 2016 9:36 PM -
User-691209617 posted
Please see the link mentioned below:
https://technet.microsoft.com/en-us/library/bb456977.aspx
Please go through both the links.
Friday, October 28, 2016 12:35 PM -
User-786564416 posted
Thanks Mr. Codemovement for your assistance. However, I didn't understand the following:
"
The Windows security model is per-user, not per-application. So there is no built-in way to restrict access to files based on which application is making the request.
The proper solution is for a server program (either running on an actual server, or as a system service on the local machine) to have exclusive access to the files (which works because the server program will be running as a different user) and for the client application (the application the end users run) to make all requests via the server. The server can then vet the requests to make sure they are not destructive before carrying them out.
Possible ad-hoc solutions would include a system service that hands out access to the files to your application (via handle duplication) or a file system filter driver. These approaches could be bypassed easily enough, but might be adequate against common-variety viruses that are not targeting your application specifically."
Practically, what should I do to prevent access to the data folders?
Friday, October 28, 2016 8:08 PM -
User283571144 posted
Hi alihusain_77,
"For maximum security and privacy purposes, I want to disable direct accessing by all windows users. The ONLY access (Read and Write) I want to allow is that through the solution aspx forms. Thus, How to perform this settings."
According to your description, do you mean you want all users to be able to access only the webform pages, not the folder which contains the PDF files?
If this is your requirement, I suggest you add the hiddenSegments property to the web.config's "system.webServer" section.
For more details, you could refer to the following code and link:
<security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="folderName"/>
    </hiddenSegments>
  </requestFiltering>
</security>
Link: https://www.iis.net/learn/manage/configuring-security/use-request-filtering
Best Regards,
Brando
Monday, October 31, 2016 9:12 AM -
User753101303 posted
Hi,
alihusain_77
"What should I do to prevent the access to the data folders?"
You could:
- create a web.config file in this folder to disallow all direct internet access:
  <httpHandlers>
    <add path="*" verb="*" type="System.Web.HttpNotFoundHandler"/>
  </httpHandlers>
this is what MVC is doing for the "views" folder
- use the App_Data folder for which it is the case already (and that is intended for data)
- my personal preference is to store files outside of the web sites (it's likely best to avoid mixing a web site and its data)
- likely others...
Monday, November 7, 2016 9:31 AM
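
The option preferred in the last reply (files stored outside the web site and reachable only through the application) could be served by a generic handler like the one below. This is an added example, not code from any poster in the thread; the handler name `PdfDownload`, the `file` query parameter and the `PdfRoot` appSettings key are assumptions.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical handler (e.g. PdfDownload.ashx) that streams PDFs kept outside the web root.
public class PdfDownload : IHttpHandler
{
    // Assumption: appSettings["PdfRoot"] names a folder outside the site, e.g. D:\AppData\Pdf.
    // A missing key throws at type initialisation, so the handler fails closed.
    private static readonly string Root =
        Path.GetFullPath(ConfigurationManager.AppSettings["PdfRoot"])
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

    // Plain file names only: no path separators, no "..", must end in .pdf.
    private static readonly Regex SafeName =
        new Regex(@"\A[A-Za-z0-9_\-]{1,100}\.pdf\z", RegexOptions.IgnoreCase);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only signed-in users of the site get files; per-document checks would go here.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string name = context.Request.QueryString["file"] ?? string.Empty;
        if (!SafeName.IsMatch(name))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Defence in depth: resolve the path and confirm it is still under Root.
        string fullPath = Path.GetFullPath(Path.Combine(Root, name));
        if (!fullPath.StartsWith(Root, StringComparison.OrdinalIgnoreCase) || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(fullPath);
    }
}
```

With this in place, the folder's NTFS permissions only need to include the identity the site runs under, since every read goes through the handler rather than through a URL that maps to the folder.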