15

I know that IIS7 allows me to have a per-directory configuration with the web.config XML file. I have a directory with some configuration files that I don't want to be web accessible. A local web.config file forbidding read access to it would be a nice solution.

What should be the contents of a web.config file to forbid web access to the files?

Edit: I'm trying to put a web.config file with these contents in the directory:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
            <system.web>
                    <authorization>
                            <deny users="*" /> <!-- Denies all users -->
                    </authorization>
            </system.web>
</configuration>

But I can still directly access a file inside the directory. What's wrong with it? How do I debug what's happening?

neves

4 Answers

12

You're using system.web. In IIS7, you should use system.webServer instead. This will block all types of files, not just ASP.NET files. For example, you can password protect jpg, gif, txt and all types of files.

It would look something like this:

<system.webServer>
    <security>
        <authorization>
            <!-- remove the inherited allow-all rule -->
            <remove users="*" roles="" verbs="" />
            <!-- then allow only the Administrators role -->
            <add accessType="Allow" roles="Administrators" />
        </authorization>
    </security>
</system.webServer>

And if you want to set it for just 1 file:

<location path="dontlook.jpg">
    <system.webServer>
        <security>
            <authorization>
                <!-- remove the inherited allow-all rule -->
                <remove users="*" roles="" verbs="" />
                <!-- then allow only the Administrators role -->
                <add accessType="Allow" roles="Administrators" />
            </authorization>
        </security>
    </system.webServer>
</location>

Scott Forsyth
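As an added example that is not part of the answer above: a complete web.config for the asker's case, placed inside the directory that holds the configuration files, denying every requester through the IIS URL Authorization module rather than ASP.NET's system.web authorization. It assumes IIS 7 or later with the URL Authorization role service installed and the authorization section left unlocked in applicationHost.config (its default).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example: web.config inside the directory that must not be web accessible.
  Assumes IIS 7+ with the URL Authorization module installed. Without that module the
  system.webServer/security/authorization rules are never evaluated, so after deploying
  this file request a known file in the directory and confirm you get 401, not 200.
-->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Drop the allow-all rule inherited from applicationHost.config
             (accessType="Allow" users="*"); otherwise it still applies here. -->
        <remove users="*" roles="" verbs="" />
        <!-- "*" matches every user, anonymous or authenticated ("?" would match only
             anonymous users). Because IIS enforces this rule before any handler runs,
             it covers static files such as .xml, .txt and .jpg, not just ASP.NET pages. -->
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

A request for any file in the directory should now return an HTTP 401 instead of the file. A 200 means the rule is not being applied: check that the URL Authorization module is installed and that no parent web.config or applicationHost.config locks the section with overrideMode="Deny".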
6

I think this can solve your problem.
Place this web.config in the directory that contains the target directory:

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <hiddenSegments>
     <add segment="target directory name"/>
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>
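As an added example, not from the answer above: a root-level web.config that hides the directory with a hidden segment and additionally blocks direct requests for the file types kept in it. The directory name "private-config" and the extensions are placeholders. Unlike URL authorization, request filtering runs before authentication and answers with a 404, so the directory's existence is not confirmed to the client.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example: web.config at the site root (one level above the directory to hide).
  Assumes IIS 7+ with the Request Filtering module, which is part of the default install.
  The segment name and the extensions below are placeholders for your own values.
-->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- Any URL containing this path segment at any depth
               (/private-config/db.xml, /app/private-config/x) is rejected with 404.8
               before any handler or authentication runs. -->
          <add segment="private-config" />
        </hiddenSegments>
        <!-- Belt and braces: refuse direct requests for configuration file types anywhere
             in the site (404.7). IIS already lists .config as disallowed by default;
             add the types you actually use. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".ini" allowed="false" />
          <add fileExtension=".yaml" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Because the hidden segment is matched as a path segment, the application can still read the files from disk; only HTTP requests whose URL passes through that segment are refused.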
4

You can use the Location nodes in the Web.config. Here is a detailed explanation on MSDN; in a nutshell:

<location path="Subdirectory">
    <system.web>
        <authorization>
            <deny users="*"/> <!-- Denies all users -->
        </authorization>
    </system.web>
</location>
<location path="Public_Directory">
    <system.web>
        <authorization>
            <allow users="*"/> <!-- Allows all users -->
        </authorization>
    </system.web>
</location>

You can also use the ? wildcard to specify that anonymous users should be allowed or denied.

0
  • * means every logged-in user.
  • ? means anonymous users.

You must use ?.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.web>
        <authorization>
            <deny users="?" /> 
        </authorization>
    </system.web>
</configuration>
Falcon Momot