Hi.

How can I deny access to a particular directory in IIS? In Apache I could just add an .htaccess file:

Order allow,deny
Deny from all

to the Logs or cache directory and nobody will be allowed to see any content in that directory.

However when I add Web.config:

<?xml version="1.0"?>
<configuration>

    <system.web>
      <authorization>        
        <deny users="*"/>
      </authorization>
    </system.web>

</configuration>

it works only for files handled by ASP and doesn't work for e.g. log.txt.

I don't have access to the IIS server, I can only add and change files.

Thanks in advance for help.

+1  A: 

In IIS6, when you open the folder properties you will see a checkbox labeled "Read". Try unsetting it.

Sergej Andrejev
@Sergej - is that your real photo? You are one scary looking dude!
Daniel Dyson
I don't have access to the IIS server, I can only add and change files.
empi
I am very brutal :)
Sergej Andrejev
I am marking this answer as accepted, however I don't see a good way to do this in IIS 6.0. At least not as good as in Apache.
empi
A: 

If you don't have access to IIS, do you at least have access to the file system? As in, can you set security on folders?

If so, go to the security tab on the particular folder and remove all rights to whatever guest account the site is running under.

Seeing as only .NET files are handled by the .NET process and security model under IIS 6 (which you learned), I don't see what else you can do.

One other possibility - that may not work in your application - you could move all non-.NET files that require permission into the /App_Data/ folder. .NET does seem to jump into the pipeline and prevent these files from being loaded. You could stream them instead.

FYI - if you DID have access to IIS this is a good article on how to restrict access to non .net files:

http://quickstarts.asp.net/QuickStartv20/aspnet/doc/tipstricks/default.aspx#securingnonaspnetcontent

ScottE
I cannot remove permissions to the directory since IIS needs to write logs in there.
empi
So do a deny on 'read'
ScottE
IIS should have access to read these, it shouldn't show them over http.
empi
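The App_Data approach from the answer above, as an added example that is not part of the original posts: a generic handler that streams a log file only to authorised users and refuses paths that escape the log folder. The handler name `LogDownload`, the `name` query parameter, the `Admins` role and the `~/App_Data/Logs` location are all assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Code-behind for a hypothetical LogDownload.ashx (added example).
public class LogDownload : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Assumed policy: only authenticated members of "Admins" may read logs.
        if (context.User == null
            || !context.User.Identity.IsAuthenticated
            || !context.User.IsInRole("Admins"))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Canonical log root with a trailing separator, so that a sibling
        // folder such as "Logs2" cannot pass the prefix check below.
        string root = Path.GetFullPath(context.Server.MapPath("~/App_Data/Logs"));
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string name = context.Request.QueryString["name"] ?? "";
        string full;
        try
        {
            // Resolves "..\" segments; a rooted name replaces the root entirely,
            // which the prefix check then rejects.
            full = Path.GetFullPath(Path.Combine(root, name));
        }
        catch (Exception)
        {
            context.Response.StatusCode = 400; // malformed or illegal path
            return;
        }

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "text/plain";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(full) + "\"");
        context.Response.TransmitFile(full); // streams without buffering the file
    }
}
```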
A: 

Go to the folder properties in IIS Manager -> Directory Security tab -> Authentication and access control. Uncheck the 'Anonymous access' checkbox and disable all the authentication methods below.

There is no built-in file-based access management like htaccess. This can be achieved using third-party ISAPI modules like Helicon Ape.

Artem K.