0

I have been using the code below in web.config as a simple way to secure asp.net files for an admin site for several domain users. Iā€™d like to be able to use this simple method to secure classic asp and other files on IIS 7.5. That way I could use XCOPY type deployment instead of having to set permissions on NTFS or in IIS.

The asp.net version is 4.0 and the App Pool is running in 32 bit mode. I post this question since I have done a decent amount of research and found little information this topic in IIS 7.5.

This web.config code secures asp.net files, but what is the best practice to secure the other files?

<system.web>
  <authorization>
    <allow users="domain\user1,domain\user2"/>
    <deny users="*"/>
  </authorization>
</system.web>
SteveBradford
  • 93
  • 1
  • 6

1 Answers1

1

AFAIK there is no similar mechanism for asp classic (no web.config htacesss list etc) but there are workarounds as described in this StackOverflow post .htaccess or .htpasswd equivalent on IIS?.

Community
  • 1
  • 1
Neil Thompson
  • 6,356
  • 2
  • 30
  • 53
  • I found this on StackOverflow link:http://stackoverflow.com/questions/2903292/how-do-i-protect-static-files-with-asp-net-form-auhentication-on-iis-7-5?rq=1 It talks about Forms authentication, not Windows auth. I was hoping there would be a variant of this technique that could work. ā€“ SteveBradford Aug 28 '12 at 18:39
  • I don't think there is because classic asp files are processed through an ISAPI extension called ASP.dll which is not 'run' through asp.net - I can see your thinking and it would work for serving the raw code of a classic asp page back to authorised clients as text - but it would not return a processed page ie: a page that is the static html plus the output of the classic asp.dll. ā€“ Neil Thompson Aug 28 '12 at 20:45
  • I wonder if the asp.net could process (authenticate) the files first and then ASP.dll could be called. Otherwise it's looking like Helicon Ape [link](http://www.helicontech.com/ape/) is looking like the best bet. ā€“ SteveBradford Aug 29 '12 at 16:11