3

I have a directory, "d:/resources/xxxxx/file-name.xxx" that stores the file types: .png, .xml, .pdf, which are accessed by a website. A virtual directory is set up in IIS, "resources," which points to this hard drive location, to allow the .png images to be accessed through an http request, but I am referencing the .pdf and .xml files by their hard drive location. These files are part of a workflow process so they must all remain in their current directory structure.

IIS needs to be allowed to serve the .png images, but I do not want it to be allowed to serve the .pdf or .xml files, for security purposes.

I tried setting up an http handler, which would have worked fine, but I can't make the path specific enough. If I set it to "/resources/*", then I need to manually output the allowed file types and that was getting a bit wonky. I can't set the path to "*.pdf" because other directories should be allowed to have their .pdf files accessed.

I'm just looking for a straightforward way to restrict access if someone tries to go to "www.mysite.com/resources/dir/mypdf.pdf," or ".../myxml.xml," but still allow .png and all other potential file types to be served.

Also, please let me know if I am going about this all the wrong way.

StronglyTyped

2 Answers

4

Try adding this before your closing tag for configuration and see how it does:

<!-- The location path is relative to this web.config, so it has no leading slash. -->
<location path="resources">
    <system.webServer>
        <handlers>
            <add name="PdfForbiddenHandler" path="*.pdf" verb="*" type="System.Web.HttpForbiddenHandler" resourceType="File" preCondition="integratedMode" />
            <add name="XmlForbiddenHandler" path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" resourceType="File" preCondition="integratedMode" />
        </handlers>
    </system.webServer>
</location>
rene
JamieSee
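An added example, not part of the answer above and not IIS tooling: a static check in Python that a web.config still sends the named files under the resources location to System.Web.HttpForbiddenHandler, so the restriction does not silently disappear in a later config change. The sample config is constructed from the answer's handler mappings; the function names are hypothetical, fnmatch is an assumed stand-in for IIS wildcard matching, and handlers inherited from parent configuration are not modelled.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample: the handler mappings from the answer, under a relative location path.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="resources">
    <system.webServer>
      <handlers>
        <add name="PdfForbiddenHandler" path="*.pdf" verb="*"
             type="System.Web.HttpForbiddenHandler" resourceType="File" />
        <add name="XmlForbiddenHandler" path="*.xml" verb="*"
             type="System.Web.HttpForbiddenHandler" resourceType="File" />
      </handlers>
    </system.webServer>
  </location>
</configuration>"""


def forbidden_patterns(config_xml, location):
    """Handler path patterns sent to HttpForbiddenHandler for every verb in <location>."""
    patterns = []
    for loc in ET.fromstring(config_xml).iter("location"):
        if loc.get("path", "").lower() != location.lower():
            continue  # exact match only: "/resources" is not treated as "resources"
        for handlers in loc.iter("handlers"):
            for add in handlers.findall("add"):
                handler_type = add.get("type", "").split(",")[0].strip()
                if handler_type == FORBIDDEN and add.get("verb") == "*":
                    patterns.append(add.get("path", "").lower())
    return patterns


def is_forbidden(patterns, file_name):
    # fnmatch stands in for IIS wildcard matching of handler paths (assumption).
    return any(fnmatch.fnmatchcase(file_name.lower(), p) for p in patterns)


def audit(config_xml, location, must_block, must_serve):
    """Return findings; an empty list means the config matches the stated intent."""
    patterns = forbidden_patterns(config_xml, location)
    findings = [f"{name}: not forbidden under '{location}'"
                for name in must_block if not is_forbidden(patterns, name)]
    findings += [f"{name}: forbidden under '{location}' but should be served"
                 for name in must_serve if is_forbidden(patterns, name)]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WEB_CONFIG, "resources", ["mypdf.pdf", "myxml.xml"], ["logo.png"]):
        print(line)
```

A static check like this only confirms what the file says; the deployed site should still be requested once per file type to confirm the responses.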
1

To use the IIS (7.x, classic mode) Manager UI:

  1. Expand your site and select the "resources" directory.
  2. In Features View, double-click Handler Mappings.
  3. In the grid, find the module mapping named 'StaticFile' and double-click this item.
  4. Enter the file name extensions that are allowed, e.g. *.png, *.gif etc.
  5. Click OK.


Kibria