IIS7: How to block access with a web.config file?

I know that IIS7 allows me to have a per-directory configuration with the web.config XML file. I have a directory with some configuration files that I don't want to be web accessible. A local web.config file forbidding read access to it would be a nice solution.

What should be the contents of a web.config file to forbid web access to the files?

Edit: I'm trying to put a web.config file with these contents in a file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.web>
        <authorization>
            <deny users="*" /> <!-- Denies all users -->
        </authorization>
    </system.web>
</configuration>

But I can still directly access a file inside the directory. What's wrong with it? How do I debug what's happening?


Solution 1:

You're using system.web. In IIS7, you should use system.webServer instead. This will block all types of files, not just ASP.NET files. For example, you can password protect jpg, gif, txt and all types of files.

It would look something like this:

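  <configuration>
      <system.webServer>
          <security>
              <authorization>
                  <!-- Remove the inherited rule for users="*" -->
                  <remove users="*" roles="" verbs="" />
                  <!-- Allow only members of the Administrators role -->
                  <add accessType="Allow" roles="Administrators" />
              </authorization>
          </security>
      </system.webServer>
  </configuration>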

And if you want to set it for just 1 file:

 <configuration>
     <!-- The rules inside this location element apply only to dontlook.jpg -->
     <location path="dontlook.jpg">
         <system.webServer>
             <security>
                 <authorization>
                     <remove users="*" roles="" verbs="" />
                     <add accessType="Allow" roles="Administrators" />
                 </authorization>
             </security>
         </system.webServer>
     </location>
 </configuration>

Solution 2:

I think this can solve your problem.
Place this web.config in the directory that contains the target directory:

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <hiddenSegments>
     <add segment="target directory name"/>
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>
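
As an added example that is not part of either answer: a small Python checker that reads a web.config and reports which of the mechanisms discussed on this page it uses, so the system.web-only case from the question stands out. The function name, the finding codes and the segment name `private` are made up for illustration, and the INHERITED_ALLOW_ALL finding assumes the server-level default rule that allows all users is still in place.

```python
import xml.etree.ElementTree as ET

NATIVE = "system.webServer/security/authorization"
LEGACY = "system.web/authorization"
HIDDEN = "system.webServer/security/requestFiltering/hiddenSegments/add"

def audit_web_config(xml_text):
    """Return (scope, code) findings for one web.config document."""
    root = ET.fromstring(xml_text)
    # The file's own directory, plus every <location path="..."> override.
    scopes = [(".", root)] + [(loc.get("path", "."), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        legacy, native = node.find(LEGACY), node.find(NATIVE)
        if legacy is not None and native is None:
            # The question's case: per Solution 1, only ASP.NET files are covered.
            findings.append((scope, "ASPNET_ONLY"))
        if native is not None:
            rules = native.findall("add")
            denies = any(r.get("accessType") == "Deny" for r in rules)
            cleared = native.find("clear") is not None or any(
                r.get("users") == "*" for r in native.findall("remove"))
            if not cleared and not denies:
                # Assumption: the server-level default Allow users="*" is inherited.
                findings.append((scope, "INHERITED_ALLOW_ALL"))
            else:
                findings.append((scope, "NATIVE_RULES"))
        for seg in node.findall(HIDDEN):
            findings.append((seg.get("segment"), "HIDDEN_SEGMENT"))
    return findings

# Constructed samples modelled on the configs quoted on this page.
QUESTION = """<configuration><system.web><authorization>
  <deny users="*" /></authorization></system.web></configuration>"""
SOLUTION_1 = """<configuration><location path="dontlook.jpg"><system.webServer>
  <security><authorization>
    <remove users="*" roles="" verbs="" />
    <add accessType="Allow" roles="Administrators" />
  </authorization></security></system.webServer></location></configuration>"""
SOLUTION_2 = """<configuration><system.webServer><security><requestFiltering>
  <hiddenSegments><add segment="private" /></hiddenSegments>
</requestFiltering></security></system.webServer></configuration>"""
MISSING_REMOVE = """<configuration><system.webServer><security><authorization>
  <add accessType="Allow" roles="Administrators" />
</authorization></security></system.webServer></configuration>"""

if __name__ == "__main__":
    for name in ("QUESTION", "SOLUTION_1", "SOLUTION_2", "MISSING_REMOVE"):
        print(name, audit_web_config(globals()[name]))
```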