How do I password protect a sub folder of my website, to deny anonymous access?

  • Question

  • User1042272884 posted
    I currently run an ASP.NET website that hosts a number of .EXE files that users can download. These executable files are only meant for customers and should not be accessed by anybody who has not logged into the site, via my current login process. This process uses ASP.NET to set up a session variable that is passed from page to page via query strings, as I am working on a server farm with multiple servers hosting the same web site.
    Now, what I want to do is:
    1. Lock down the subfolder holding these .exe files, so you cannot access them by typing in the full URL to the file in your address bar, without logging in first.
    2. Have ASP.NET code impersonate a valid user, who I set up on the server, who does have access to these files once the user has logged into my website via my ASP.NET code I run on the site.
    3. Switch back to the IUSR_[machine name] user once the download is complete.
    Can someone please suggest some resources I can read, to learn how to set up the security settings to do this, and the ASP.NET code I need to implement to impersonate a machine account, that has different security settings than the IUSR account.
    Thursday, November 2, 2006 9:13 PM

All replies

  • User1689648285 posted

    Hi,

     You can use IIS Password ISAPI to protect a subdirectory or subdomain.

    http://www.troxo.com/products/iispassword/

     I am not sure about the other things you want to achieve, but you can have a look at its features and functionality.

    Kind Regards

    Friday, November 3, 2006 1:45 AM
  • User-823196590 posted

    Can you describe your login process? I'm assuming it's those accounts you want to use to protect the files.

    Basically you can place those exe files outside of your web root path (so there is no direct URL access) and use an aspx to binary read and response.binarywrite them to the browser.

    Something like this:
    http://www.microsoft.com/technet/community/columns/insider/iisi1105.mspx#EWB

    Friday, November 3, 2006 8:19 AM
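    As an added example (not code from this thread), here is a C# IHttpHandler that implements the "store the files outside the web root and stream them from code" approach above, refusing unauthenticated requests and any file name that could point outside the download folder. It assumes Forms authentication is enabled and that the folder path is stored under a hypothetical appSettings key named ProtectedDownloadDir.

```csharp
// Added example: streams a protected .exe to an authenticated user only.
// Assumptions: Forms authentication; appSettings key "ProtectedDownloadDir"
// (hypothetical) points at a folder that is NOT under the web root.
using System;
using System.IO;
using System.Web;
using System.Web.Configuration;

public class ProtectedDownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Only users who completed the login process may continue.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // 2. Accept a bare file name only: anything containing a directory
        //    separator, or not ending in .exe, is rejected outright.
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name)
            || name != Path.GetFileName(name)
            || !name.EndsWith(".exe", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // 3. Resolve against the download folder and confirm the canonical
        //    path is still inside it before touching the file system.
        string dir = Path.GetFullPath(WebConfigurationManager.AppSettings["ProtectedDownloadDir"]);
        string full = Path.GetFullPath(Path.Combine(dir, name));
        if (!full.StartsWith(dir + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 4. Send the file. TransmitFile streams from disk without loading the
        //    whole .exe into memory; Response.BinaryWrite(File.ReadAllBytes(full))
        //    is the equivalent for small files.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(full);
    }
}
```

    Register it under <system.web><httpHandlers> (for example, path="download.ashx") and link to download.ashx?file=Setup.exe instead of the real file; because the folder is outside the web root, there is no URL that reaches the file without going through this check.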
  • User1042272884 posted
    Can you describe your login process? I'm assuming it's those accounts you want to use to protect the files.
    Yes, your assumptions are more or less right.
     
    The site in question is a download site, that allows our customers to access data files they need. The files are not meant for public consumption, due to legal reasons, so I store the files in a subfolder to the main site, then use a series of ASP.NET pages to allow the customer to login.
     
    The first page is the login page, followed by a link page displaying these protected files. The problem is that if the customer can guess the full path to the file by looking at the HTML source, they can type that full address, including the filename, into their address bar. This gives them the file while totally bypassing the login process.
     
    I have tried to tighten up security by removing the IUSR_[machine name] account from that subfolder, but then the web user cannot access the file at all. Also, as there are a LOT of users that will be using this resource, it is not practical to set up individual user accounts on the server itself. I am trying to keep everything tied back to our database as much as possible, without the need to manually update user accounts on the server itself.
     
    That aspx binary read, response write looks like a go, so I will check that out. I just want to ensure that the user can only access these files through our login process and not via a direct link to the file.
     
    I will update here as I progress, and let you know what works and what does not.
    Sunday, November 5, 2006 8:30 PM
  • User209782248 posted

    You don't need to write an ASPX page / handler that spools your binary files.  ASP.NET already comes with a static file handler fully capable of doing this.

    Here is all you need to do:

    1. Map .dll, .exe, etc to ASP.NET in the scriptmaps for your subdirectory.  This will make ASP.NET handle requests to these files for this subdirectory only, and it will be responsible for sending the files to the client.
    2. Create a web.config in your subdirectory, and add the following to it:

    <configuration>
      <system.web>
        <authorization>
          <!-- "?" stands for anonymous (unauthenticated) users -->
          <deny users="?" />
        </authorization>
        <httpHandlers>
          <!-- hand the extensions mapped to ASP.NET in step 1 to the built-in static file handler -->
          <add path="*.dll" verb="GET" type="System.Web.StaticFileHandler" />
          <add path="*.exe" verb="GET" type="System.Web.StaticFileHandler" />
        </httpHandlers>
      </system.web>
    </configuration>

    Note: the <httpHandlers> section is only necessary if you are using ASP.NET 2.0.  ASP.NET 1.1 doesn't need it (don't ask me why unless you really want to :) ).

    This uses ASP.NET authorization to deny access to this subdirectory for anonymous users.  You can configure any rules you want here, including allowing access to specific users or specific roles only.  For more information, check out: http://quickstarts.asp.net/QuickStartv20/aspnet/doc/security/authorization.aspx.

    Thanks,

    Monday, November 6, 2006 3:16 AM
  • User-823196590 posted
    Excellent point, I always overlook that option!
    Monday, November 6, 2006 8:19 AM
  • User1042272884 posted
    Ahh, excellent. I will certainly check this out, as it will give me another option to try. With that said, I did use the binary write idea and that does work well, so I will use that as a fallback option if I cannot get this method to work right.
     
    Cheers
    Monday, November 6, 2006 8:27 PM