|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
file protectionany setting can protect the special folder that not allow user to download
from browser/url, but the files/directories can access by aspx/asp script(Content Management System), how i can setup this up? use NTFS permission or IIS can do this?? e.g: userA type http://localhost/website1/download/doc1.doc , system will show incorrect or password protected message. When userA access the CMS with application's loginid & pwd, they can upload and replace doc1.doc though asp/aspx script without any permission problem Any ideas? pls comments and advise. Thanks. ASP/ASPX page can change any file on the file system (assuming it has NTFS
permissions). So, simply locate the documents *outside* the web site's root folder. Cheers Ken Show quoteHide quote "beachboy" <jpsteam***@yahoo.com.hk> wrote in message news:OW$xQ8V1GHA.4816@TK2MSFTNGP06.phx.gbl... > any setting can protect the special folder that not allow user to download > from browser/url, but the files/directories can access by aspx/asp > script(Content Management System), how i can setup this up? use NTFS > permission or IIS can do this?? > > e.g: > userA type http://localhost/website1/download/doc1.doc , system will show > incorrect or password protected message. When userA access the CMS with > application's loginid & pwd, they can upload and replace doc1.doc though > asp/aspx script without any permission problem > > Any ideas? pls comments and advise. Thanks. > > oh.. sorry . this is one requirement of my infrastructure.
- protected folder must within website's root folder any comments and advise. Thanks in advanced. Show quoteHide quote "Ken Schaefer" <kenREM***@THISadOpenStatic.com> ¦b¶l¥ó news:u600yCW1GHA.772@TK2MSFTNGP05.phx.gbl ¤¤¼¶¼g... > ASP/ASPX page can change any file on the file system (assuming it has NTFS > permissions). > > So, simply locate the documents *outside* the web site's root folder. > > Cheers > Ken > > > "beachboy" <jpsteam***@yahoo.com.hk> wrote in message > news:OW$xQ8V1GHA.4816@TK2MSFTNGP06.phx.gbl... > > any setting can protect the special folder that not allow user to download > > from browser/url, but the files/directories can access by aspx/asp > > script(Content Management System), how i can setup this up? use NTFS > > permission or IIS can do this?? > > > > e.g: > > userA type http://localhost/website1/download/doc1.doc , system will show > > incorrect or password protected message. When userA access the CMS with > > application's loginid & pwd, they can upload and replace doc1.doc though > > asp/aspx script without any permission problem > > > > Any ideas? pls comments and advise. Thanks. > > > > > > Open IIS Manager, and locate the folder where your protected content is.
Remove the "Read" permission from that folder. That will stop direct requests for static files in that folder. Cheers Ken Show quoteHide quote "beachboy" <jpsteam***@yahoo.com.hk> wrote in message news:ux6VfUX1GHA.4108@TK2MSFTNGP04.phx.gbl... > oh.. sorry . this is one requirement of my infrastructure. > - protected folder must within website's root folder > > any comments and advise. Thanks in advanced. > > "Ken Schaefer" <kenREM***@THISadOpenStatic.com> ¦b¶l¥ó > news:u600yCW1GHA.772@TK2MSFTNGP05.phx.gbl ¤¤¼¶¼g... >> ASP/ASPX page can change any file on the file system (assuming it has >> NTFS >> permissions). >> >> So, simply locate the documents *outside* the web site's root folder. >> >> Cheers >> Ken >> >> >> "beachboy" <jpsteam***@yahoo.com.hk> wrote in message >> news:OW$xQ8V1GHA.4816@TK2MSFTNGP06.phx.gbl... >> > any setting can protect the special folder that not allow user to > download >> > from browser/url, but the files/directories can access by aspx/asp >> > script(Content Management System), how i can setup this up? use NTFS >> > permission or IIS can do this?? >> > >> > e.g: >> > userA type http://localhost/website1/download/doc1.doc , system will > show >> > incorrect or password protected message. When userA access the CMS with >> > application's loginid & pwd, they can upload and replace doc1.doc >> > though >> > asp/aspx script without any permission problem >> > >> > Any ideas? pls comments and advise. Thanks. >> > >> > >> >> > > Or, just create a "virtual" folder (Right click, new, virtual folder) with
the same name as the folder you want to protect. Map it to the root of your web. That will avoid user/pass and permission issues, and prevent anybody from using HTTP to access the folder. You can then use FTP, or ASP (which isn't talking to the web server at that level) to store and pull or put files there normally. Show quoteHide quote "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message news:OTH%23OMa1GHA.1336@TK2MSFTNGP03.phx.gbl... > Open IIS Manager, and locate the folder where your protected content is. > Remove the "Read" permission from that folder. That will stop direct > requests for static files in that folder. > > Cheers > Ken > > "beachboy" <jpsteam***@yahoo.com.hk> wrote in message > news:ux6VfUX1GHA.4108@TK2MSFTNGP04.phx.gbl... >> oh.. sorry . this is one requirement of my infrastructure. >> - protected folder must within website's root folder >> >> any comments and advise. Thanks in advanced. >> >> "Ken Schaefer" <kenREM***@THISadOpenStatic.com> ¦b¶l¥ó >> news:u600yCW1GHA.772@TK2MSFTNGP05.phx.gbl ¤¤¼¶¼g... >>> ASP/ASPX page can change any file on the file system (assuming it has >>> NTFS >>> permissions). >>> >>> So, simply locate the documents *outside* the web site's root folder. >>> >>> Cheers >>> Ken >>> >>> >>> "beachboy" <jpsteam***@yahoo.com.hk> wrote in message >>> news:OW$xQ8V1GHA.4816@TK2MSFTNGP06.phx.gbl... >>> > any setting can protect the special folder that not allow user to >> download >>> > from browser/url, but the files/directories can access by aspx/asp >>> > script(Content Management System), how i can setup this up? use NTFS >>> > permission or IIS can do this?? >>> > >>> > e.g: >>> > userA type http://localhost/website1/download/doc1.doc , system will >> show >>> > incorrect or password protected message. When userA access the CMS >>> > with >>> > application's loginid & pwd, they can upload and replace doc1.doc >>> > though >>> > asp/aspx script without any permission problem >>> > >>> > Any ideas? pls comments and advise. Thanks. >>> > >>> > >>> >>> >> >> > > Erm, how would this work? What's to stop the "bad guy" just typing in the
URL to the file? Cheers Ken Show quoteHide quote "Funkadyleik Spynwhanker" <youreallywantoemailmepu***@winblows.gov> wrote in message news:9%eNg.798$5i7.189@newsreading01.news.tds.net... > Or, just create a "virtual" folder (Right click, new, virtual folder) with > the same name as the folder you want to protect. Map it to the root of > your web. > > That will avoid user/pass and permission issues, and prevent anybody from > using HTTP to access the folder. You can then use FTP, or ASP (which > isn't talking to the web server at that level) to store and pull or put > files there normally. > > "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message > news:OTH%23OMa1GHA.1336@TK2MSFTNGP03.phx.gbl... >> Open IIS Manager, and locate the folder where your protected content is. >> Remove the "Read" permission from that folder. That will stop direct >> requests for static files in that folder. >> >> Cheers >> Ken >> >> "beachboy" <jpsteam***@yahoo.com.hk> wrote in message >> news:ux6VfUX1GHA.4108@TK2MSFTNGP04.phx.gbl... >>> oh.. sorry . this is one requirement of my infrastructure. >>> - protected folder must within website's root folder >>> >>> any comments and advise. Thanks in advanced. >>> >>> "Ken Schaefer" <kenREM***@THISadOpenStatic.com> ¦b¶l¥ó >>> news:u600yCW1GHA.772@TK2MSFTNGP05.phx.gbl ¤¤¼¶¼g... >>>> ASP/ASPX page can change any file on the file system (assuming it has >>>> NTFS >>>> permissions). >>>> >>>> So, simply locate the documents *outside* the web site's root folder. >>>> >>>> Cheers >>>> Ken >>>> >>>> >>>> "beachboy" <jpsteam***@yahoo.com.hk> wrote in message >>>> news:OW$xQ8V1GHA.4816@TK2MSFTNGP06.phx.gbl... >>>> > any setting can protect the special folder that not allow user to >>> download >>>> > from browser/url, but the files/directories can access by aspx/asp >>>> > script(Content Management System), how i can setup this up? use NTFS >>>> > permission or IIS can do this?? >>>> > >>>> > e.g: >>>> > userA type http://localhost/website1/download/doc1.doc , system will >>> show >>>> > incorrect or password protected message. When userA access the CMS >>>> > with >>>> > application's loginid & pwd, they can upload and replace doc1.doc >>>> > though >>>> > asp/aspx script without any permission problem >>>> > >>>> > Any ideas? pls comments and advise. Thanks. >>>> > >>>> > >>>> >>>> >>> >>> >> >> > > 
Other interesting topics
security between serving files from a fileshare
Copy website to same server Recommendations for securing IIS 6.0 as a public web server Get a new CRL every 1h with IIS6 ? Is it possible to use the Windows 2003 user names instead of pre-Windows 2000 user names in Windows IIS 6 authentication problem iis6 password protected file issue Medium trust and HTTP handlers - help! Full trust and medium trust in .net and websites Setup IIS with Client Certificates |
|||||||||||||||||||||||
