"Ken Schaefer" wrote:

> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> > Hello,
> >
> > following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
> > server running a Internet Application.;
> >
> > 1. What is the difference between MIME types & ISAPI filter.
>
> A MIME type is a header that the server sends back to the client to tell the
> client (e.g. browser) what type of file is coming.
>
> ISAPI is an extensibility API for IIS, which allows you to write code that
> extends the functionality of IIS
>
>
> > 2. How can I restrict a file (*.pdf) from being accessed directly from the
> > URL through ISAPI filter.
>
> You need to write an ISAPI filter that does that. You can use something like
> URLScan (which is an ISAPI filter from Microsoft) to prevent direct requests
> for .pdf files.
>
>
> > 3. How can i secure directories & files in II6.0
>
> There are lots of ways. You need to tell us what "secure" means in your
> case.
>
> Cheers
> Ken
>
>
>

"Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> Hello Ken,
>
> The problem I'm facing is that I'm able to secure the directories but not
> the documents (*.pdf). This is basically a upload folder in virtual
> directory
> which has read/write permission set.
>
> If the attacker is aware of the file name, he can directly access the file
> without even loggin in to the sytem by specifying the path in the URL.
>
> I would appreciate if you can guide me in how to secure basic entities
> that
> are not supposed to be accessed by the outside world.
>
> Thanks in advance.
>
> Ibrahim.
>
>
>
>
> "Ken Schaefer" wrote:
>
>> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
>> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
>> > Hello,
>> >
>> > following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
>> > server running a Internet Application.;
>> >
>> > 1. What is the difference between MIME types & ISAPI filter.
>>
>> A MIME type is a header that the server sends back to the client to tell
>> the
>> client (e.g. browser) what type of file is coming.
>>
>> ISAPI is an extensibility API for IIS, which allows you to write code
>> that
>> extends the functionality of IIS
>>
>>
>> > 2. How can I restrict a file (*.pdf) from being accessed directly from
>> > the
>> > URL through ISAPI filter.
>>
>> You need to write an ISAPI filter that does that. You can use something
>> like
>> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
>> requests
>> for .pdf files.
>>
>>
>> > 3. How can i secure directories & files in II6.0
>>
>> There are lots of ways. You need to tell us what "secure" means in your
>> case.
>>
>> Cheers
>> Ken
>>
>>
>>

"Ken Schaefer" wrote:

> You can either:
> a) use NTFS permissions. The user needs a valid username/password to read
> the file
>
> b) write your own authN mechanism. Store the PDFs outside the webroot (so
> they are not accessible directly). Instead you have an ASP.NET page (or ASP,
> or PHP, or whatever) that authenticates/authorizes the user. If the user is
> allowed to access the file, you read it off the disk (e.g. using the
> FileSystemObject) and stream it to the user
>
> Cheers
> Ken
>
> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> > Hello Ken,
> >
> > The problem I'm facing is that I'm able to secure the directories but not
> > the documents (*.pdf). This is basically a upload folder in virtual
> > directory
> > which has read/write permission set.
> >
> > If the attacker is aware of the file name, he can directly access the file
> > without even loggin in to the sytem by specifying the path in the URL.
> >
> > I would appreciate if you can guide me in how to secure basic entities
> > that
> > are not supposed to be accessed by the outside world.
> >
> > Thanks in advance.
> >
> > Ibrahim.
> >
> >
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> >> > Hello,
> >> >
> >> > following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
> >> > server running a Internet Application.;
> >> >
> >> > 1. What is the difference between MIME types & ISAPI filter.
> >>
> >> A MIME type is a header that the server sends back to the client to tell
> >> the
> >> client (e.g. browser) what type of file is coming.
> >>
> >> ISAPI is an extensibility API for IIS, which allows you to write code
> >> that
> >> extends the functionality of IIS
> >>
> >>
> >> > 2. How can I restrict a file (*.pdf) from being accessed directly from
> >> > the
> >> > URL through ISAPI filter.
> >>
> >> You need to write an ISAPI filter that does that. You can use something
> >> like
> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
> >> requests
> >> for .pdf files.
> >>
> >>
> >> > 3. How can i secure directories & files in II6.0
> >>
> >> There are lots of ways. You need to tell us what "secure" means in your
> >> case.
> >>
> >> Cheers
> >> Ken
> >>
> >>
> >>
>
>
>

"Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> Hi Ken,
>
> About your point # (a);
>
> Yes this is achieved. Permission are set. Having said that further the web
> site uses forms authentication mode, that means username/password are
> looked
> up in a database. No windows authentication is done.
>
> About your point # (b)
>
> The system uses a authentication mechanishm through forms authentication.
> Unauthroized access is prevented whenever Asp page are accessed, but when
> a
> document is accessed throught the URL directly then I need to authenticate
> forceful browsing too?
>
> Thanks in advance.
>
>
>
>
> "Ken Schaefer" wrote:
>
>> You can either:
>> a) use NTFS permissions. The user needs a valid username/password to read
>> the file
>>
>> b) write your own authN mechanism. Store the PDFs outside the webroot (so
>> they are not accessible directly). Instead you have an ASP.NET page (or
>> ASP,
>> or PHP, or whatever) that authenticates/authorizes the user. If the user
>> is
>> allowed to access the file, you read it off the disk (e.g. using the
>> FileSystemObject) and stream it to the user
>>
>> Cheers
>> Ken
>>
>> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
>> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
>> > Hello Ken,
>> >
>> > The problem I'm facing is that I'm able to secure the directories but
>> > not
>> > the documents (*.pdf). This is basically a upload folder in virtual
>> > directory
>> > which has read/write permission set.
>> >
>> > If the attacker is aware of the file name, he can directly access the
>> > file
>> > without even loggin in to the sytem by specifying the path in the URL.
>> >
>> > I would appreciate if you can guide me in how to secure basic entities
>> > that
>> > are not supposed to be accessed by the outside world.
>> >
>> > Thanks in advance.
>> >
>> > Ibrahim.
>> >
>> >
>> >
>> >
>> > "Ken Schaefer" wrote:
>> >
>> >> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
>> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
>> >> > Hello,
>> >> >
>> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
>> >> > Win2003
>> >> > server running a Internet Application.;
>> >> >
>> >> > 1. What is the difference between MIME types & ISAPI filter.
>> >>
>> >> A MIME type is a header that the server sends back to the client to
>> >> tell
>> >> the
>> >> client (e.g. browser) what type of file is coming.
>> >>
>> >> ISAPI is an extensibility API for IIS, which allows you to write code
>> >> that
>> >> extends the functionality of IIS
>> >>
>> >>
>> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
>> >> > from
>> >> > the
>> >> > URL through ISAPI filter.
>> >>
>> >> You need to write an ISAPI filter that does that. You can use
>> >> something
>> >> like
>> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
>> >> requests
>> >> for .pdf files.
>> >>
>> >>
>> >> > 3. How can i secure directories & files in II6.0
>> >>
>> >> There are lots of ways. You need to tell us what "secure" means in
>> >> your
>> >> case.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >>
>> >>
>>
>>
>>

"David Wang [Msft]" wrote:

> Your problem comes about because:
> 1. you are turning off IIS-enforced authentication/authorization
> requirements. You are using Forms Authentication which maps to one specific
> NT User account, and that User account already has access. Thus, anyone that
> can escape Forms Authentication, as you've discovered, has access to the
> resource. In other words, you are not using ACLs so ACLs won't help you.
>
> 2. You are using custom authentication mechanism and then forget to apply it
> to all web-accessible resources -- which you've noticed that attackers
> knowing the exact URL can sidestep your custom authentication.
>
>
> If you want ASP.Net based forms-authentication to apply to all resource
> types, then configure aspnet_isapi.dll as a Wildcard Application Mapping. Of
> course, doing this is technically not supported, and it takes a little more
> knowledge of ASP.Net and IIS6 and has some caveats to be aware of.
>
> I suggest reading the following blog entries to get an understanding of
> what's going on and hopefully you'll see what you need to do:
> http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_IIS_6_Request_Processing_Basics_Part_1.aspx
> http://blogs.msdn.com/david.wang/archive/2005/10/15/Why_Wildcard_application_mapping_can_disable_Default_Document_resolution.aspx
> http://blogs.msdn.com/david.wang/archive/2005/10/16/Why_Wildcard_application_mapping_is_not_catching_404s.aspx
> http://blogs.msdn.com/david.wang/archive/2006/04/28/HOWTO_Run_Console_Applications_from_IIS6_on_Windows_Server_2003_Part_2.aspx
>
> FYI: all of this has nothing to do with ISAPI Filters nor MIME Types because
> you are talking about AuthN and AuthZ with ASP.Net.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> > Hi Ken,
> >
> > About your point # (a);
> >
> > Yes this is achieved. Permission are set. Having said that further the web
> > site uses forms authentication mode, that means username/password are
> > looked
> > up in a database. No windows authentication is done.
> >
> > About your point # (b)
> >
> > The system uses a authentication mechanishm through forms authentication.
> > Unauthroized access is prevented whenever Asp page are accessed, but when
> > a
> > document is accessed throught the URL directly then I need to authenticate
> > forceful browsing too?
> >
> > Thanks in advance.
> >
> >
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> You can either:
> >> a) use NTFS permissions. The user needs a valid username/password to read
> >> the file
> >>
> >> b) write your own authN mechanism. Store the PDFs outside the webroot (so
> >> they are not accessible directly). Instead you have an ASP.NET page (or
> >> ASP,
> >> or PHP, or whatever) that authenticates/authorizes the user. If the user
> >> is
> >> allowed to access the file, you read it off the disk (e.g. using the
> >> FileSystemObject) and stream it to the user
> >>
> >> Cheers
> >> Ken
> >>
> >> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> >> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> >> > Hello Ken,
> >> >
> >> > The problem I'm facing is that I'm able to secure the directories but
> >> > not
> >> > the documents (*.pdf). This is basically a upload folder in virtual
> >> > directory
> >> > which has read/write permission set.
> >> >
> >> > If the attacker is aware of the file name, he can directly access the
> >> > file
> >> > without even loggin in to the sytem by specifying the path in the URL.
> >> >
> >> > I would appreciate if you can guide me in how to secure basic entities
> >> > that
> >> > are not supposed to be accessed by the outside world.
> >> >
> >> > Thanks in advance.
> >> >
> >> > Ibrahim.
> >> >
> >> >
> >> >
> >> >
> >> > "Ken Schaefer" wrote:
> >> >
> >> >> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> >> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> >> >> > Hello,
> >> >> >
> >> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
> >> >> > Win2003
> >> >> > server running a Internet Application.;
> >> >> >
> >> >> > 1. What is the difference between MIME types & ISAPI filter.
> >> >>
> >> >> A MIME type is a header that the server sends back to the client to
> >> >> tell
> >> >> the
> >> >> client (e.g. browser) what type of file is coming.
> >> >>
> >> >> ISAPI is an extensibility API for IIS, which allows you to write code
> >> >> that
> >> >> extends the functionality of IIS
> >> >>
> >> >>
> >> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
> >> >> > from
> >> >> > the
> >> >> > URL through ISAPI filter.
> >> >>
> >> >> You need to write an ISAPI filter that does that. You can use
> >> >> something
> >> >> like
> >> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
> >> >> requests
> >> >> for .pdf files.
> >> >>
> >> >>
> >> >> > 3. How can i secure directories & files in II6.0
> >> >>
> >> >> There are lots of ways. You need to tell us what "secure" means in
> >> >> your
> >> >> case.
> >> >>
> >> >> Cheers
> >> >> Ken
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

"Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> Hi Ken,
>
> About your point # (a);
>
> Yes this is achieved. Permission are set. Having said that further the web
> site uses forms authentication mode, that means username/password are
> looked
> up in a database. No windows authentication is done.
>
> About your point # (b)
>
> The system uses a authentication mechanishm through forms authentication.
> Unauthroized access is prevented whenever Asp page are accessed, but when
> a
> document is accessed throught the URL directly then I need to authenticate
> forceful browsing too?
>
> Thanks in advance.
>
>
>
>
> "Ken Schaefer" wrote:
>
>> You can either:
>> a) use NTFS permissions. The user needs a valid username/password to read
>> the file
>>
>> b) write your own authN mechanism. Store the PDFs outside the webroot (so
>> they are not accessible directly). Instead you have an ASP.NET page (or
>> ASP,
>> or PHP, or whatever) that authenticates/authorizes the user. If the user
>> is
>> allowed to access the file, you read it off the disk (e.g. using the
>> FileSystemObject) and stream it to the user
>>
>> Cheers
>> Ken
>>
>> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
>> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
>> > Hello Ken,
>> >
>> > The problem I'm facing is that I'm able to secure the directories but
>> > not
>> > the documents (*.pdf). This is basically a upload folder in virtual
>> > directory
>> > which has read/write permission set.
>> >
>> > If the attacker is aware of the file name, he can directly access the
>> > file
>> > without even loggin in to the sytem by specifying the path in the URL.
>> >
>> > I would appreciate if you can guide me in how to secure basic entities
>> > that
>> > are not supposed to be accessed by the outside world.
>> >
>> > Thanks in advance.
>> >
>> > Ibrahim.
>> >
>> >
>> >
>> >
>> > "Ken Schaefer" wrote:
>> >
>> >> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
>> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
>> >> > Hello,
>> >> >
>> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
>> >> > Win2003
>> >> > server running a Internet Application.;
>> >> >
>> >> > 1. What is the difference between MIME types & ISAPI filter.
>> >>
>> >> A MIME type is a header that the server sends back to the client to
>> >> tell
>> >> the
>> >> client (e.g. browser) what type of file is coming.
>> >>
>> >> ISAPI is an extensibility API for IIS, which allows you to write code
>> >> that
>> >> extends the functionality of IIS
>> >>
>> >>
>> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
>> >> > from
>> >> > the
>> >> > URL through ISAPI filter.
>> >>
>> >> You need to write an ISAPI filter that does that. You can use
>> >> something
>> >> like
>> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
>> >> requests
>> >> for .pdf files.
>> >>
>> >>
>> >> > 3. How can i secure directories & files in II6.0
>> >>
>> >> There are lots of ways. You need to tell us what "secure" means in
>> >> your
>> >> case.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >>
>> >>
>>
>>
>>

"Ken Schaefer" wrote:

> You are not using NTFS permissions - you are using a feature of ASP.NET
> (forms authentication), which only works (by default) for files processed by
> the ASP.NET ISAPI extension. For an explanation ofwhat is happening (and a
> diagram that makes it easier to understand) see:
> http://www.microsoft.com/technet/community/columns/insider/iisi1005.mspx#ELG
>
> That also has instructions on how to configure additional file types to be
> handled by ASP.NET
>
> Cheers
> Ken
>
> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> > Hi Ken,
> >
> > About your point # (a);
> >
> > Yes this is achieved. Permission are set. Having said that further the web
> > site uses forms authentication mode, that means username/password are
> > looked
> > up in a database. No windows authentication is done.
> >
> > About your point # (b)
> >
> > The system uses a authentication mechanishm through forms authentication.
> > Unauthroized access is prevented whenever Asp page are accessed, but when
> > a
> > document is accessed throught the URL directly then I need to authenticate
> > forceful browsing too?
> >
> > Thanks in advance.
> >
> >
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> You can either:
> >> a) use NTFS permissions. The user needs a valid username/password to read
> >> the file
> >>
> >> b) write your own authN mechanism. Store the PDFs outside the webroot (so
> >> they are not accessible directly). Instead you have an ASP.NET page (or
> >> ASP,
> >> or PHP, or whatever) that authenticates/authorizes the user. If the user
> >> is
> >> allowed to access the file, you read it off the disk (e.g. using the
> >> FileSystemObject) and stream it to the user
> >>
> >> Cheers
> >> Ken
> >>
> >> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> >> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> >> > Hello Ken,
> >> >
> >> > The problem I'm facing is that I'm able to secure the directories but
> >> > not
> >> > the documents (*.pdf). This is basically a upload folder in virtual
> >> > directory
> >> > which has read/write permission set.
> >> >
> >> > If the attacker is aware of the file name, he can directly access the
> >> > file
> >> > without even loggin in to the sytem by specifying the path in the URL.
> >> >
> >> > I would appreciate if you can guide me in how to secure basic entities
> >> > that
> >> > are not supposed to be accessed by the outside world.
> >> >
> >> > Thanks in advance.
> >> >
> >> > Ibrahim.
> >> >
> >> >
> >> >
> >> >
> >> > "Ken Schaefer" wrote:
> >> >
> >> >> "Ibrahim." <Ibra***@discussions.microsoft.com> wrote in message
> >> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> >> >> > Hello,
> >> >> >
> >> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
> >> >> > Win2003
> >> >> > server running a Internet Application.;
> >> >> >
> >> >> > 1. What is the difference between MIME types & ISAPI filter.
> >> >>
> >> >> A MIME type is a header that the server sends back to the client to
> >> >> tell
> >> >> the
> >> >> client (e.g. browser) what type of file is coming.
> >> >>
> >> >> ISAPI is an extensibility API for IIS, which allows you to write code
> >> >> that
> >> >> extends the functionality of IIS
> >> >>
> >> >>
> >> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
> >> >> > from
> >> >> > the
> >> >> > URL through ISAPI filter.
> >> >>
> >> >> You need to write an ISAPI filter that does that. You can use
> >> >> something
> >> >> like
> >> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
> >> >> requests
> >> >> for .pdf files.
> >> >>
> >> >>
> >> >> > 3. How can i secure directories & files in II6.0
> >> >>
> >> >> There are lots of ways. You need to tell us what "secure" means in
> >> >> your
> >> >> case.
> >> >>
> >> >> Cheers
> >> >> Ken
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>