Tags: security, url-rewriting, asp-classic, iis-7, rule

How to prevent users from accessing files directly in the website root Directory


I am working with a classic ASP website with the following settings:

  • Anonymous Authentication Enabled
  • Running on Port 80
  • No IP Address and Domain Restriction
  • No Request Filtering
  • Enable Parent Paths = True
  • Root folder is NOT shared by everyone

I am dealing with two security issues.

1) Users are currently able to access files (txt, pdf) by entering, let's say, "http://MyWebsite.com/test.txt". How do I prevent users from accessing non-ASP files this way?

2) There are a couple of folders (e.g. uploads) to which the application needs to have full access, but again the user should not be able to type the physical path to gain access to the files under these folders. How can I set this up?

In a way, I would like to create an IIS URL Rewrite rule that only shows files through an .asp page. So I could have http://LocalHost/DisplayPDF.asp?ThePDF and be able to view the PDF, but I want to prevent the user from going and entering http://LocalHost/ThePdf.pdf.

My speculation is I would need to configure IIS correctly. Any recommendation is appreciated.


Solution

  • I'd make it work by creating a url rewrite rule for root directory files (to get rid of the inheritance-related problems) and removing static file handlers for subdirectories.

    Place the following web.config in your application's root directory or modify existing one accordingly and do not forget to move the rule to an appropriate position if there are others.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <!-- Applies to requests for files directly in the root directory
                         (no "/" in the path). All conditions must match (the default
                         logicalGrouping="MatchAll"): the request maps to an existing
                         file AND its extension is none of the allowed ones, in which
                         case a 404 is returned. -->
                    <rule name="ROOT_FILE_CHECK">
                        <match url="^[^/]*$" />
                        <conditions>
                            <add input="{DOCUMENT_ROOT}\{R:0}" matchType="IsFile" />

                            <!-- allowed extensions: each negated pattern lets that
                                 extension through; add one line per allowed type -->
                            <add input="{REQUEST_FILENAME}" pattern="\.asp$" negate="true" />
                            <add input="{REQUEST_FILENAME}" pattern="\.allowed1$" negate="true" />
                            <add input="{REQUEST_FILENAME}" pattern="\.allowed2$" negate="true" />
                        </conditions>
                        <action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="." />
                    </rule>
                </rules>
            </rewrite>
        </system.webServer>
    </configuration>
    

    And place the following web.config in each subdirectory in which you want to prevent access to files. This one removes the static file handler, so static files in that directory become inaccessible.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <handlers>
                <!-- With no static file handler, IIS will not serve .txt, .pdf etc.
                     from this directory; .asp files are still handled by the ASP
                     handler, which is inherited from the parent configuration. -->
                <remove name="StaticFile" />
            </handlers>
        </system.webServer>
    </configuration>
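The answer above blocks direct requests to the files; the other half of what the question describes is the DisplayPDF.asp page that hands a file out on the application's terms. The following classic ASP page is an added example, not code from the question or the answer. It assumes the protected folder is named "uploads" (the question's own example folder), that the file is named in a query parameter called file, and that only .pdf and .txt are to be served; all three are assumptions. Because the question's site has Enable Parent Paths = True, Server.MapPath would happily resolve a ".." in user input, so the page accepts only a bare file name before it touches the file system.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' DisplayPDF.asp (added example): serve one file from the protected "uploads"
' folder (assumed name) through script, so the folder itself can stay blocked
' by the subdirectory web.config that removes the StaticFile handler.
Response.Buffer = True

Dim requested, baseDir, fullPath, ext, ctype, stream, fso, re
requested = Request.QueryString("file")   ' assumed parameter name

' 1. Accept only a bare file name: letters, digits, underscore, dash, one dot.
'    This rejects "..", "/" and "\", so Enable Parent Paths cannot be used
'    to map a path outside the folder.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_\-]+\.[A-Za-z0-9]+$"
If requested = "" Or Not re.Test(requested) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 2. Whitelist the extension and fix the content type from it, not from
'    anything the client sent.
ext = LCase(Mid(requested, InStrRev(requested, ".") + 1))
Select Case ext
    Case "pdf": ctype = "application/pdf"
    Case "txt": ctype = "text/plain"
    Case Else
        Response.Status = "404 Not Found"
        Response.End
End Select

' 3. Resolve under the protected folder only: a fixed relative folder plus a
'    validated bare name cannot leave that folder.
baseDir = Server.MapPath("uploads")
fullPath = baseDir & "\" & requested

Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Stream the bytes with an explicit type; nosniff stops the browser from
'    second-guessing it, and the validated name is safe to echo in a header.
Response.Clear
Response.ContentType = ctype
Response.AddHeader "X-Content-Type-Options", "nosniff"
Response.AddHeader "Content-Disposition", "inline; filename=""" & requested & """"

Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1          ' adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.AddHeader "Content-Length", CStr(stream.Size)
Response.BinaryWrite stream.Read
stream.Close
Set stream = Nothing
Set fso = Nothing
Response.End
%>
```

With the subdirectory web.config from the answer in place, a request for http://LocalHost/uploads/ThePdf.pdf gets no handler and is refused, while http://LocalHost/DisplayPDF.asp?file=ThePdf.pdf still returns the document, because the script reads it from disk itself rather than relying on the static file handler. Anything containing a path separator, such as file=..\web.config, fails the name check in step 1 and is answered with a 404 before any file system call is made.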