16

I know that by default IIS won't serve the contents of the App_Data or bin folders to the public.
How do I set one more folder so that it is not served to the public?

Amr Elgarhy

3 Answers

32

The proper way to do that is using this:

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="My_Directory" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

This allows you to still access files located there from the IUSR account, but prevents actual requests for files there from being filled directly.

Note that this will block files in that directory, and any subdirectories, no matter where that directory occurs - even if it, itself, is a sub-directory of something else.

Andrew Barber
    The above code should be placed in a web.config file in the same directory as the directory you want to deny access from. I tested putting it in my root level web.config, and it blocked access to the entire site. Putting it in a separate web.config file in the same directory returns a 404 error when attempting to access the directory (though I'm sure the type of error it returns can be changed in IIS). – Tiffany Aug 17 '17 at 15:41
  • Mostly obvious, but.. "My_Directory" is not literal and should be the name of your directory! – Chris O Jan 18 '19 at 19:09
3

As the link-only answer points out, hiddenSegments is the right tool for the job. Go to IIS, then the site, and in Features find Request Filtering (it must be installed via Server Manager); then add the directory name that you want to prevent access to, or any segment of the URL really. This approach does require that a unique URL or directory name be used in the site; otherwise any other occurrence of the segment, at any level in the URL, will cause that request to be blocked:

http://www.iis.net/configreference/system.webserver/security/requestfiltering/hiddensegments

Serj Sagan
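Putting the two hiddenSegments answers above into a script, here is an added example (not code from either answer) that registers the segment with the WebAdministration module instead of editing web.config by hand, and then probes the site to confirm the behaviour the comments describe: the segment is blocked at any depth and regardless of case, but only as a whole segment, so a folder whose name merely starts with it is still served. The site name 'Default Web Site', the folder name 'Uploads' and the probe files are all placeholders constructed for the test; run it in an elevated PowerShell on the IIS host.

```powershell
# Added example, not from the original answers. 'Default Web Site' and
# 'Uploads' are placeholders for your own site and folder name.
Import-Module WebAdministration

$site    = 'Default Web Site'
$segment = 'Uploads'
$filter  = 'system.webServer/security/requestFiltering/hiddenSegments'

# Register the hidden segment at the site level. This stores it in
# applicationHost.config rather than in a web.config shipped with the
# application. Skip the add if the segment is already present, because
# a duplicate entry is rejected.
$already = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $site -Filter "$filter/add" |
    Where-Object { $_.segment -ieq $segment }
if (-not $already) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $site -Filter $filter -Name '.' -Value @{ segment = $segment }
}

# Create probe files (constructed for this test) so that a 404 can only
# come from request filtering, not from a file that does not exist.
$root = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $site).PhysicalPath)
foreach ($dir in $segment, "images\$segment", "${segment}2") {
    New-Item -ItemType Directory -Path (Join-Path $root $dir) -Force | Out-Null
    Set-Content -Path (Join-Path $root "$dir\probe.txt") -Value 'probe'
}

# Return the HTTP status of a request; Invoke-WebRequest throws on 4xx/5xx,
# so the status is pulled out of the exception's response.
function Get-StatusCode([string]$url) {
    try   { (Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode }
    catch { [int]$_.Exception.Response.StatusCode }
}

# Expected results:
#   /Uploads/probe.txt         404  (hidden segment at the top level)
#   /images/Uploads/probe.txt  404  (hidden segment at any depth)
#   /UPLOADS/probe.txt         404  (match is case-insensitive)
#   /Uploads2/probe.txt        200  (whole-segment match, not a prefix)
foreach ($path in "/$segment/probe.txt",
                  "/images/$segment/probe.txt",
                  "/$($segment.ToUpper())/probe.txt",
                  "/${segment}2/probe.txt") {
    '{0,-28} {1}' -f $path, (Get-StatusCode "http://localhost$path")
}
```

The blocked requests are logged by IIS with substatus 404.8 (hidden namespace), which is how you tell a request-filtering denial apart from a genuinely missing file when reading the logs. The same change from a command prompt is `appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='Uploads']"`. Delete the probe directories afterwards; they were only there to make the test meaningful.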
1

Remove IIS_IUSR permissions from that folder.

I think it's generically under the "Internet Guest Account".

castis
    If you do that, you may also be blocking any ability to access those files via the web application at all, which is probably not what is intended. – Andrew Barber Oct 27 '10 at 23:38
  • Removing the IIS_IUSR will work in my case. I want to save users' uploads there; now I am saving them somewhere outside the website folder on the C: drive, and this uploads folder does not have IIS_IUSR permission, and I still can access it from my website code. – Amr Elgarhy Oct 27 '10 at 23:57
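For completeness, here is what the NTFS approach from this answer looks like when done deliberately rather than by hand in Explorer. This is an added example, not code from the answer or the comments; the folder path and the application pool name are placeholders. The point the comment thread makes is preserved: the anonymous-request identity (IUSR, the "Internet Guest Account") loses access, so the static file handler can no longer serve the files, while the application pool identity that runs the site's code keeps it.

```powershell
# Added example, not from the original answer. Both values are placeholders.
$uploads = 'C:\inetpub\wwwroot\Uploads'
$appPool = 'DefaultAppPool'

# The IUSR and IIS_IUSRS entries on a folder under wwwroot are normally
# inherited from the parent, and icacls cannot remove an inherited ACE.
# Disable inheritance first, converting the inherited ACEs to explicit
# ones (/inheritance:d), so they can then be removed.
icacls $uploads /inheritance:d

# Remove the grants for the anonymous identity and the worker-process group.
icacls $uploads /remove:g IUSR
icacls $uploads /remove:g IIS_IUSRS

# Re-grant access to the one identity that should keep it: the application
# pool running the site, so that upload/download code still works.
icacls $uploads /grant "IIS AppPool\${appPool}:(OI)(CI)M"

# Show the resulting ACL for review.
icacls $uploads
```

Two caveats before relying on this. First, it only blocks anonymous static requests because IIS opens static files as the anonymous user; if the site's Anonymous Authentication is configured to use the application pool identity instead of IUSR, the ACL change stops nothing, since that identity was just granted access. Second, a denied request surfaces as a 401.3 rather than a 404, which tells an attacker the folder exists, whereas hiddenSegments answers 404 for the segment at any depth. For keeping files reachable from application code but not from the browser, the hiddenSegments approach in the accepted answer is the cleaner tool.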