What replaces .htaccess on IIS/ASP.NET sites?

asp.net security iis
14,772

Solution 1

Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:

<location path="Secret" allowOverride="false">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
    <httpHandlers>
      <remove path="*.*" verb="*"/>
    </httpHandlers>
  </system.web>
</location>

I have only used the authorization portion of that snippet and it works great. The handler should further lock it down and using a ISAPI filter would be able to put the finishing touches on it.

Solution 2

Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.

http://learn.iis.net/page.aspx/473/using-urlscan

http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/

Share:
14,772
Angry Dan
Author by

Angry Dan

web/software developer, .NET, C#, WPF, PHP, software trainer, English teacher, have philosophy degree, love languages, run marathons my tweets: http://www.twitter.com/edward_tanguay my runs: http://www.tanguay.info/run my code: http://www.tanguay.info/web my publications: PHP 5.3 training video (8 hours, video2brain) my projects: http://www.tanguay.info

Updated on June 12, 2022

Comments

  • Angry Dan
    Angry Dan almost 2 years

    On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.

    Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance?

    e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default but where can I change the settings for this folder as I could with a .htaccess file?

  • netadictos
    netadictos over 12 years
    Of course, the answer has changed since 2008. .NET gives you more redirection possibilities nowadays

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Why does my ASP.NET 4.0 web service fail with a compliation error with NetworkService but succeed with LocalSystem
Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles
authentication issue with an intranet website running under IIS6
IIS tilde vulnerability issue
Is EnableHeaderChecking=true enough to prevent Http Header Injection attacks?
IIS reveals internal IP address in content-location field
What is the non-standard HTTP verb "DEBUG" used for in ASP.NET/IIS?
encrypting web.config failed error
What are the security effects of giving the IIS_IUSRS a Full Control permission?
IIS Returning Old User Names to my application