How to Prevent direct access to files and folders in asp.net?

Question

I have deployed a web application on IIS7 and the application has mail attachment files saved on webserver\'s Attachments folder and it\'s working fine when the

Answer 1

Managed to block XML direct access in IIS and still allowing the app to query the file with the following rule:

<rule name="Prevent XML direct access" enabled="true" stopProcessing="true">
<match url=".*filename\.xml$" />
<conditions>
    <add input="{QUERY_STRING}" pattern="^part_of_query.*$" negate="true" />
</conditions>
<action type="Redirect" url="/error" appendQueryString="false" />

Answer 2

The problem is that the .pdf extension isn't caught by the ASP.NET handlers, since that isn't a file type that is mapped to ASPNET_ISAPI (aka the ASP.NET HTTP Runtime). Hence the filtering in your web.config file doesn't apply to those files.

You have two options:

1. Map all file extensions (or at least pdf files in this case) to ASPNET_ISAPI using the IIS configuration panel. Note that this will increase the load on your server since the overhead of IIS on itself is lower than IIS + ASP.NET;
2. Use an HTTP handler that gets the file for you. This allows you to do some fine grained authorization checks on the file access too. See the Introduction to HTTP Handlers.

Answer 3

I think the easiest thing to do is add the runAllManagedModulesForAllRequests attribute to your modules section in web.config, like so:

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true" /> 
</system.webServer>

Answer 4

The best solution for this problem is the create a HTTP Handler in which you can restrict download files based on certain conditions. check this link for more information