IIS Server Security, Allow file download only to subscribers

microsoft.public.inetserver.iis.security - About IIS Web Server Security Issues


IIS Server Security >> Allow file download only to subscribers

by John Kotuby » Wed, 14 Jan 2004 19:49:42 GMT

I have created a site with ASP (Active Server Pages). That requires a login
validated by an Access database. There is a file that I wish to be
accessible for download only by registered subscribers. All my ASP pages
check for the Userid/Password variables that I have set up, so a
non-subscriber gets bumped back to the login if they try to navigate
directly to a page other than the login. A subscriber with download rights
sees a link on their page to the file. However, if a non-subscriber enters
the exact path to the file, it gets downloaded anyway. I once tried a method
that forces an FTP from the server, but some subscribers complained that
they could not receive the file (firewall maybe?). How can I secure that
file? I'm sure there is a simple way, but I haven't found it yet. Thanks for
your help.



Top

IIS Server Security >> Allow file download only to subscribers

by Paul Lynch » Wed, 14 Jan 2004 21:15:56 GMT


On Wed, 14 Jan 2004 06:49:42 -0500, "John Kotuby"



IIS has its own very powerful and flexible security model which you
can leverage to protect your web content. Using both IIS and
underlying NTFS permissions you can effectively lock down any content
on your server.

Read these KB articles :

HOW TO: Use NTFS Security to Protect a Web Page Running on IIS 4.0 or
5.0
http://support.microsoft.com/?id=299970

HOW TO: Configure Web Server Permissions for Web Content in IIS
http://support.microsoft.com/?id=313075

Or you can 'roll your own' :

How do I control access to an area?
http://www.aspfaq.com/show.asp?id=2114


Regards,

Paul Lynch
MCSE


Top

IIS Server Security >> Allow file download only to subscribers

by Tom Kaminski [MVP] » Wed, 14 Jan 2004 21:35:15 GMT





Use this in conjunction with placing the files outside of your wwwroot path
(so they don't have a directly accessible URL) and using an ASP with
ADODB.Stream and Response.BinaryWrite to serve the document to the client
once they authenticate.

http://support.microsoft.com/?kbid=276488

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools , scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/




Top

Allow file download only to subscribers

by John Kotuby » Wed, 14 Jan 2004 23:58:01 GMT

Thank you both Paul and Tom for your quick and helpful replies. As an IT
Manager for a small company I often find myself in the position of "Jack of
all trades and Master of none." But I still need to get the job done.
Newsgroup responses have gotten me out of hot water many times. Because our
site is hosted on a remote IIS Server, I cannot readily set file
permissions, so I have opted for the ASP method of security and the
ADODB.Stream and Response.BinaryWrite technique. The key to all of this is
the suggestion to place the file outside the wwwroot path. What a simple and
elegant answer indeed. Thanks again.





path
IIS



Top
Similar Threads

1. Allowing download of files 

I have an Windows 2003 Server, and I want use this as Web 
Server.
I have enabled Directory Browsing and WebDAV.
When somebody tries to make download of some normal archive
(.txt, .exe, .doc, .xls) functions normally. But, when I 
try to make download of some diferente archive (.sql, for 
example), it returns this message:
--------
"The page cannot be found
The page you are looking for might have been removed, had 
its name changed, or is temporarily unavailable. 

Please try the following:

Make sure that the Web site address displayed in the 
address bar of your browser is spelled and formatted 
correctly. 
If you reached this page by clicking a link, contact the 
Web site administrator to alert them that the link is 
incorrectly formatted. 
Click the Back button to try another link. 
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)

Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a 
title search for the words HTTP and 404. 
Open IIS Help, which is accessible in IIS Manager 
(inetmgr), and search for topics titled Web Site Setup, 
Common Administrative Tasks, and About Custom Error 
Messages. "
--------

Somebody can help me?

Detail: I am from Brazil, and I'm not speak English very 
well.

Thanks

2. IIS 6 and Win2k3 wont allow .ZIP files to be download FROM them

3. Slow page loads for AOL subscribers 

Hi all,

I run a website that has a number of subscribers in the UK. I've
recently received a number of complaints of slow page loads, all of
these from subscribers using AOL UK as an ISP.

Is this a common problem? Is there anything I can do to ensure a
faster page load for these clients?

I've tried to contact AOL but no one there seems to be able to help.
Is there another contact address/phone number at AOL that I can use?

Thanks,

Paul

4. Allow download of an .exe

5. Allow .exe downloads on IIS 6.0 

Hello,

What is the correct method to allow .exe files to be downloaded or run from 
a web site on an IIS 6.0 server?

I am currently receiving a 404.2 error message in my browser when I try to 
open/download the executable files, and I am not sure which Web Service 
Extensions configuration changes must be made to allow this.

Thanks in advance,

Jon

6. OMA download descriptor (dd) file download

7. How to make IIS allow more than 2 simultaneous downloads

8. IIS 6 allow download of .ams extension