  1. I would like to be able to hide the existence of folders in my DotNet 2.0 website which is being hosted via IIS 7.5 that contain files that must continue to be accessible. For example, I want a person's web browser to be able to retrieve the file domain.com/css/style.css (which is needed to render the page) but if the person tries to access the URLs domain.com/css/ or domain.com/css I want them to receive a 404 error. (not a 403 error)

  2. By default IIS 7.5 will give a 403 error which would still allow an attacker to know about the existence of the folder. I realize that an attacker could easily discover the existence of the "css" folder by visiting the site in their browser and seeing that files are being pulled from the "css" folder. That said, this is a requirement of the project that I have to comply with.

  3. In IIS6 I used to be able to set the hidden attribute for the folder which would give me the 404 behavior I wanted, but this is no longer the case in IIS7.5. (IIS 7.5 gives a 500 error if I try to do this) IIS 7.5 is another requirement of this project. Also, in IIS6 I was able to create a wildcard mapping that would cause all requests to route through DotNet which would then allow me to create a 404, but again, this does not appear to work on IIS7.5.

  4. I have already tried creating handlers in the web.config ( node) which works on my staging system but not on my production system. Also, this method seems like overkill because I have to create a C# handler and have a handler entry in the web.config for each folder I want to hide. I'd like a simpler solution, but also, the solution just seems to not work on my production system.

  5. Ideally, requests to the folder that do not include the trailing forward slash should NOT cause a 301 redirect but should also cause a 404.

Kjuly
scibile

1 Answer


You could always put a handler/ASPX page as the default page for directories, and have that handler return a 404 error code.

Andrew Barber
  • Thank you for the help, this seems to work. This solution still allows the 301 error to happen though when you try to access the directory in your web browser without the trailing forward slash. Is there a way to avoid that? – scibile Oct 17 '12 at 23:26
  • The 301 points at the version of the URL that DOES contain the trailing forward slash. (so there end up being two requests from the web browser to the server) This new URL (containing the trailing forward slash) then generates a 404, but the fact that there is an interstitial 301 implies that the directory (or something) is there which I am trying to hide. – scibile Oct 17 '12 at 23:41
  • I ended up going with your solution of using a separate default.aspx page for each directory that I want to hide and having the default.aspx page return the desired 404 error code. I still end up with the 301 redirect issue, but this is the best solution I have been able to find and get working so far. Thanks again for the help. – scibile Oct 25 '12 at 20:36
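
A check for the behaviour discussed in the comments above, added here as an example and not part of the original thread: it requests both spellings of a folder URL without following redirects and reports any response (403, or a redirect to the trailing-slash URL) that confirms the folder exists. The host `example.test`, the function names and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

def fetch_status(url, timeout=5):
    """Send one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(path, status, location):
    """Return None if the response hides the folder, else the reason it leaks."""
    if status == 404:
        return None
    if status == 403:
        return "403 confirms the folder exists"
    if status in (301, 302, 307, 308) and location and not path.endswith("/"):
        # Location may be absolute or relative; compare only its path part.
        if urlsplit(location).path == path + "/":
            return "redirect to trailing-slash URL confirms the folder exists"
    return "unexpected status %d" % status

def audit(base, folder, fetch=fetch_status):
    """Check /folder and /folder/ on base; return {path: reason} for leaks."""
    name = "/" + folder.strip("/")
    findings = {}
    for path in (name, name + "/"):
        status, location = fetch(base.rstrip("/") + path)
        reason = classify(path, status, location)
        if reason:
            findings[path] = reason
    return findings

# Constructed responses mirroring the thread: /css answers 301 to /css/,
# and /css/ answers 404 from the default.aspx page.
SAMPLE = {
    "http://example.test/css": (301, "http://example.test/css/"),
    "http://example.test/css/": (404, None),
}

if __name__ == "__main__":
    print(audit("http://example.test", "css", fetch=lambda url: SAMPLE[url]))
```

Against a real site, call `audit` with the site's base URL and leave `fetch` at its default; an empty result means both URL forms returned 404 directly.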