views:

2425

answers:

5

On Apache/PHP sites, if I want to put a sensitive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.

Is there a similar practice for IIS/ASP.NET sites, i.e., if I have a shared hosting account and don't have access to the IIS server, can I do this in web.config, for instance?

E.g. the ASPNETDB.MDF file that ASP.NET Configuration puts in the App_Data directory. I would assume this is protected by default, but where can I change the settings for this folder, as I could with a .htaccess file?

+1  A: 

There are some things you can do with web.config, like defining security settings etc. Other times you have to use HttpModules or HttpHandlers; look here: http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx

If not, you can find various ISAPI filters, but in this case you need access to IIS. For example, the ISAPI filter that emulates Apache's mod_rewrite:

> http://www.codeplex.com/IIRF

The other question: yes, ASPNETDB.MDF in App_Data is protected normally (it depends on your administrator). To change the path, change the connection string.

netadictos
A: 

There are two cases:

  • If the server is using IIS7, then there is equivalent functionality available using the web.config approach for all files.
  • If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting), then it's more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure), then again the web.config approach will work, but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...

That said, for ASP.NET there are files that are protected by default anyway: files in App_Data, as already mentioned, plus specific file types (like .config). Additionally, one would expect a decent host to provide a directory that is not accessible via the web; ours offers a private and a web folder, both accessible via FTP but only the contents of the latter via the web.

Murph
+3  A: 

Inside an ASP.NET web.config you can set up locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:

<location path="Secret" allowOverride="false">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
    <httpHandlers>
      <remove path="*.*" verb="*"/>
    </httpHandlers>
  </system.web>
</location>

I have only used the authorization portion of that snippet, and it works great. The handler should further lock it down, and using an ISAPI filter would be able to put the finishing touches on it.

JamesEggers
+1  A: 

Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.

http://learn.iis.net/page.aspx/473/using-urlscan

http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/

Lex Li
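Murph's point that on IIS7 the web.config approach covers all files, and Lex Li's pointer to request filtering, both come down to the `<system.webServer>` section that IIS7 reads from the same web.config. The following is an added example written for this thread, not code from any of the answers above: it assumes a folder named Secret under the site root (the same hypothetical name JamesEggers used), an IIS7 site in integrated mode, and a host that has not locked the requestFiltering section at server level (it is unlocked in a default install). The .bak extension is included only to illustrate the syntax.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Managed-pipeline rule: honoured only for requests that reach ASP.NET
       (IIS6: extensions mapped to aspnet_isapi.dll; IIS7 integrated mode: all).
       On its own it does NOT stop IIS6 serving Secret/notes.txt as a static file. -->
  <location path="Secret" allowOverride="false">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS7-only section, applied before any handler (static or managed) runs. -->
  <system.webServer>
    <security>
      <requestFiltering>

        <!-- Any URL containing the path segment "Secret" gets a 404,
             regardless of file type. Note this matches the segment anywhere
             in the path, e.g. /images/Secret/logo.png, not just at the root.
             IIS7 ships with bin, App_code, App_Data etc. already listed here. -->
        <hiddenSegments>
          <add segment="Secret" />
        </hiddenSegments>

        <!-- Block by extension across the whole site. .mdf/.ldf/.config are in
             the IIS7 default deny list already; .bak is an illustrative extra. -->
        <fileExtensions>
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".mdf" allowed="false" />
          <add fileExtension=".ldf" allowed="false" />
        </fileExtensions>

      </requestFiltering>
    </security>
  </system.webServer>

</configuration>
```

To check it from outside, request a file you know exists under Secret (and one with a blocked extension elsewhere) and confirm you get 404 rather than the file; IIS7 returns 404 for request filtering blocks so as not to confirm the file exists. On IIS6 only the `<location>` rule is in effect, and a request for a non-ASP.NET extension in Secret will still be served unless the host maps that extension (or a wildcard) to aspnet_isapi.dll, which is exactly the limitation Murph describes.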
A: 

IIS automatically locks access to the /app_data folder, and will not serve content from there.

Zhaph - Ben Duguid