  • Status: Solved
  • Priority: Medium
  • Security: Public

IIS Security for Additional Files

I have a web site which users log into using an ASP page which verifies their details against a SQL database.

We now want to include a number of Excel spreadsheets onto the web site, but control which users can access which spreadsheets.

We will provide direct access to their permitted spreadsheets by providing the necessary hyperlinks on the web pages we deliver, but how do we stop them accessing an Excel sheet they are not supposed to view?

I do not want them to have to provide an NTFS user name and password if at all possible - we already know who they are through their previous logon.

Thanks in advance.

Asked:
DuncFitz
 
Dave_Dietz Commented:
If they are already authenticated to the webserver then it should be a simple matter to set proper NTFS permissions on the spreadsheets.  Simply grant Read (and Write if appropriate) permissions for the users on the files.

Dave Dietz

muzzy2003 Commented:
Don't store them within the site, store them outside and deliver them through an ASP page. This can check the permissions, and if all is OK then read the contents of the spreadsheet from outside the site and then deliver them by reading them into a stream object, then writing the contents of that back to the Response object preceded by the lines:

Response.AddHeader "Content-Disposition", "attachment;filename=yourspreadsheet.xls"
Response.ContentType = "application/x-msexcel"

muzzy2003 Commented:
Or, less secure but easier, do the permission checking in an ASP page, which is what you give the link to (passing the spreadsheet name or other identifier in the querystring), and within that ASP page do a Response.Redirect.
 
muzzy2003 Commented:
Sorry, should add that for the second of my suggestions, the spreadsheets would have to remain within the site, and it is less secure because the URLs would then be guessable, so although attractively easy, it isn't really any more secure than only showing them the right links.

DuncFitz (Author) Commented:
I don't want to store them within the site because, as you say, they might be able to guess the urls.

I will try the first response from Muzzy2003 and see how we go....

Cheers,

Dunc.

muzzy2003 Commented:
Shout if you need a hand with it ...

DuncFitz (Author) Commented:
Muzzy,

Say I have a spreadsheet called test.xls and it is stored in C:\temp.

The web site I am developing is in the c:\inetpub\wwwroot\testsite.

Can you please give an example of the code within an ASP page to deliver a hyperlink displaying 'Spreadsheet' which will open, or allow a user to download, test.xls, but which does not have a guessable url?

Thanks a lot.

Cheers,

Dunc.

muzzy2003 Commented:
Dunc, something like this should work. Link:

href="downloadsheet.asp?name=test.xls"

downloadsheet.asp:

<%

Dim strSheet
Dim objStream

Const adReadAll = -1

strSheet = Request.QueryString("name")

Call Response.Clear()
Response.AddHeader "Content-Disposition", "attachment;filename=" & strSheet
Response.ContentType = "application/x-msexcel"

' DO WHATEVER PERMISSION CHECKING YOU NEED TO DO HERE - REDIRECT
' SOMEWHERE IF IT FAILS

Set objStream = Server.CreateObject("ADODB.Stream")
Call objStream.LoadFromFile("C:\temp\" & strSheet)
Call Response.BinaryWrite(objStream.Read(adReadAll))
Call objStream.Close()
Set objStream = Nothing

Call Response.End()

%>

DuncFitz (Author) Commented:
I can't get this to work.

If I run it as it is, then I get an Internal Error 500.

If I comment out the lines after the 'DO WHATEVER......' then the page will load and ask me if I want to Open or Save the spreadsheet.

The sheet it provides is a new sheet created by the browser, not my existing one I was expecting.

Cheers,

Dunc.

muzzy2003 Commented:
Turn off friendly error messages to see what is really going on - Tools, Internet Options, Advanced, uncheck "Show friendly HTTP error messages". Then run the code again and post the real error message. It could be that you don't have a high enough version of MDAC to use ADODB.Stream, in which case I'll try to suggest an alternative.

DuncFitz (Author) Commented:
I got:

ADODB.Stream error '800a0e78'

Operation is not allowed when the object is closed.

/test_excel_link2.asp, line 26

So I put the command call objstream.open after the set objstream command and now get:

ADODB.Stream error '800a0c93'

Operation is not allowed in this context.

/test_excel_link2.asp, line 28

line 28 is:

call Response.BinaryWrite(objStream.Read(adReadAll))

Cheers,

Dunc.

muzzy2003 Commented:
Break it down:

Dim varBytes
varBytes = objStream.Read(adReadAll)
Call Response.BinaryWrite(varBytes)

Let's see which half causes the problem.

DuncFitz (Author) Commented:
It is the

objStream.Read(adReadAll)

that causes the error.

muzzy2003 Commented:
Put this in:

Response.Write objStream.Length
Response.End

muzzy2003 Commented:
The XLS file does definitely exist, doesn't it? Does the IUSR_ account have read permissions on that directory?

DuncFitz (Author) Commented:
Hmmmm,

The Excel sheet is there - I have typed in its path in the address box in IE and it loads and displays fine.

When I put in:

Response.Write objStream.Length
Response.End

I get:

Microsoft VBScript runtime error '800a01b6'

Object doesn't support this property or method: 'Length'

/test_excel_link2.asp, line 29

Also, I don't have a user IUSR_account - I am developing on a standalone XP Professional machine, using IIS 5.1 - could that be the problem?




muzzy2003 Commented:
There should be an account named IUSR_<machinename>. Go to Computer Management, local users and groups. For now, since it's a standalone machine and your workstation, stick this account in the Administrators group and see if this fixes the problem.

DuncFitz (Author) Commented:
YES! YES! YES!

After a bit of playing with the permissions and the code, I finally got the following to work.

<%
Dim objStream

Call Response.Clear()
Response.ContentType = "application/x-msexcel"
Response.AddHeader "Content-Disposition", "attachment;filename=linktest.xls"

Set objStream = Server.CreateObject("ADODB.Stream")
objstream.open
objstream.type=1
objStream.loadfromfile("C:\temp\linktest.xls")
response.BinaryWrite(objstream.read(-1))
objStream.Close()
Set objStream = Nothing
Response.End()

%>

What seemed to make the difference is the line objstream.type=1.

Without it, the system tried to open my asp page as a spreadsheet.

With it, it opened the excel file.

Thanks for your help.
0
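
An added example, not code from the thread: a variant of downloadsheet.asp that takes an opaque sheet id instead of a file name, checks it against the logged-in user's permissions, and only then streams the file in binary mode. Session("UserId"), the id parameter, login.asp and the inline permission table (a constructed stand-in for the site's SQL lookup) are assumptions.

```vbscript
<%
Option Explicit
' Added example, not the thread's code. Assumed names: Session("UserId"), the "id"
' query-string parameter, login.asp, and the sample permission entries below.
Const BASE_DIR = "C:\temp\"    ' folder outside the web root, as in the thread
Const adTypeBinary = 1         ' the stream Type value the thread found it needed
Const adReadAll = -1

Dim allowed, userId, key, fileName, objStream

' Constructed stand-in for the SQL permission lookup: "user|sheet id" -> file name.
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.CompareMode = vbTextCompare
allowed.Add "dunc|1", "linktest.xls"
allowed.Add "dunc|2", "test.xls"
allowed.Add "guest|2", "test.xls"

' Identity comes from the existing login session, never from the request.
userId = Session("UserId")
If Len(userId & "") = 0 Then Response.Redirect "login.asp"

' The request carries only a sheet id; the file name is chosen server-side,
' so nothing from the query string reaches the path or the response header.
key = userId & "|" & Request.QueryString("id")
If Not allowed.Exists(key) Then
    Response.Status = "403 Forbidden"
    Response.End
End If
fileName = allowed(key)

' Load the file first, so a failed read cannot leave a half-written download.
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile BASE_DIR & fileName

Response.Clear
Response.ContentType = "application/x-msexcel"
Response.AddHeader "Content-Disposition", "attachment;filename=" & fileName
Response.BinaryWrite objStream.Read(adReadAll)
objStream.Close
Set objStream = Nothing
Response.End
%>
```

The link on the page then becomes href="downloadsheet.asp?id=1", and a user who edits the id only gets a file if the permission table lists it for them. The IUSR_<machinename> account needs only NTFS Read on the folder for this to work.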
