0

How can I prevent a User to see the file system in asp.net ? Do I need to change something in my IIS settings or on my Web.config ?

Thanks for help and fast answer

Mingebag
  • 748
  • 2
  • 20
  • 35

1 Answers1

1

Lets starts from the fact that a remote user to been able to see a file is must know the full path of it on the browser.

To prevent that you disable the directory browsing and/or you have a default.aspx page on each directory. When there is a default page, then the IIS show that page.

Now the second security measure is not let the asp.net application user that runs yous site to have accesss to any file beyond the site running files.

The site is run under two accounts. One for the IIS, and one for the Pool. both this accounts must have limited access only to your site directory and only for read, and for write only on the files/directories that needed to your application.

Additional you can use a web.config on some directories to prevent the run of any aspx page as:

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

but this is not prevend to see files that are not pass from asp.net (like images) Also you can read How to find out which account my ASP.NET code is running under?

Community
  • 1
  • 1
Aristos
  • 66,005
  • 16
  • 114
  • 150
  • Thanks allot for your help and your advices!! – Mingebag Apr 26 '13 at 07:31
  • in curiosity..(as im still a learner) how this will affect this particular situation as we are talking about security and related stuff – Vinayak Pahalwan Apr 26 '13 at 07:33
  • 1
    @Vinayak Is not let anyone to run/view any asp page. You can use it on directories that allow to users to upload files, to prevent from a user upload a virus aspx page and run it. – Aristos Apr 26 '13 at 07:34
  • 1
    @Vinayak See this example : http://stackoverflow.com/questions/4288362/ive-been-hacked-evil-aspx-file-uploaded-called-aspxspy-theyre-still-trying – Aristos Apr 26 '13 at 07:36