IIS Security for Additional Files

I have a web site which users log into using an ASP page which verifies their details against a SQL database.

We now want to include a number of Excel spreadsheets onto the web site, but control which users can access which spreadsheets.

We will provide direct access to their permitted spreadsheets by providing the necessary hyperlinks on the web pages we deliver, but how do we stop them accessing an Excel sheet they are not supposed to view?

I do not want them to have to provide an NTFS user name and password if at all possible - we already know who they are through their previous logon.

Thanks in advance.

DuncFitzAsked:

Dave_DietzCommented:
If they are already authenticated to the webserver then it should be a simple matter to set proper NTFS permissions on the spreadsheets.  Simply grant Read (and Write if appropriate) permissions for the users on the files.

Dave Dietz
0
muzzy2003Commented:
Don't store them within the site, store them outside and deliver them through an ASP page. This can check the permissions, and if all is OK then read the contents of the spreadsheet from outside the site and then deliver them by reading them into a stream object, then writing the contents of that back to the Response object preceded by the lines:

Response.AddHeader "Content-Disposition", "attachment;filename=yourspreadsheet.xls"
Response.ContentType = "application/x-msexcel"
0
muzzy2003Commented:
Or, less secure but easier, do the permission checking in an ASP page, which is what you give the link to (passing the spreadsheet name or other identifier in the querystring), and within that ASP page do a Response.Redirect.
0
muzzy2003Commented:
Sorry, should add that for the second of my suggestions, the spreadsheets would have to remain within the site, and it is less secure because the URLs would then be guessable, so although attractively easy, it isn't really any more secure than only showing them the right links.
0
DuncFitzAuthor Commented:
I don't want to store them within the site because, as you say, they might be able to guess the urls.

I will try the first response from Muzzy2003 and see how we go....

Cheers,

Dunc.
0
muzzy2003Commented:
Shout if you need a hand with it ...
0
DuncFitzAuthor Commented:
Muzzy,

Say I have a spreadsheet called test.xls and it is stored in C:\temp.

The web site I am developing is in the c:\inetpub\wwwroot\testsite.

Can you please give an example of the code within an ASP page to deliver a hyperlink displaying 'Spreadsheet' which will open, or allow a user to download, test.xls, but which does not have a guessable url?

Thanks a lot.

Cheers,

Dunc.
0
muzzy2003Commented:
Dunc, something like this should work. Link:

href="downloadsheet.asp?name=test.xls"

downloadsheet.asp:

<%

Dim strSheet
Dim objStream

Const adReadAll = -1

strSheet = Request.QueryString("name")

Call Response.Clear()
Response.AddHeader "Content-Disposition", "attachment;filename=" & strSheet
Response.ContentType = "application/x-msexcel"

' DO WHATEVER PERMISSION CHECKING YOU NEED TO DO HERE - REDIRECT
' SOMEWHERE IF IT FAILS

Set objStream = Server.CreateObject("ADODB.Stream")
Call objStream.LoadFromFile("C:\temp\" & strSheet)
Call Response.BinaryWrite(objStream.Read(adReadAll))
Call objStream.Close()
Set objStream = Nothing

Call Response.End()

%>
0
DuncFitzAuthor Commented:
I can't get this to work.

If I run it as it is, then I get an Internal Error 500.

If I comment out the lines after the 'DO WHATEVER......' then the page will load and ask me if I want to Open or Save the spreadsheet.

The sheet it provides is a new sheet created by the browser, not my existing one I was expecting.

Cheers,

Dunc.
0
muzzy2003Commented:
Turn off friendly error messages to see what is really going on - Tools, Internet Options, Advanced, uncheck "Show friendly HTTP error messages". Then run the code again and post the real error message. It could be that you don't have a high enough version of MDAC to use ADODB.Stream, in which case I'll try to suggest an alternative.
0
DuncFitzAuthor Commented:
I got:

ADODB.Stream error '800a0e78'

Operation is not allowed when the object is closed.

/test_excel_link2.asp, line 26

So I put the command call objstream.open after the set objstream command and now get:

ADODB.Stream error '800a0c93'

Operation is not allowed in this context.

/test_excel_link2.asp, line 28

line 28 is:

call Response.BinaryWrite(objStream.Read(adReadAll))

Cheers,

Dunc.
0
muzzy2003Commented:
Break it down:

Dim varBytes
varBytes = objStream.Read(adReadAll)
Call Response.BinaryWrite(varBytes)

Let's see which half causes the problem.
0
DuncFitzAuthor Commented:
It is the

objStream.Read(adReadAll)

that causes the error.
0
muzzy2003Commented:
Put this in:

Response.Write objStream.Length
Response.End
0
muzzy2003Commented:
The XLS file does definitely exist, doesn't it? Does the IUSR_ account have read permissions on that directory?
0
DuncFitzAuthor Commented:
Hmmmm,

The Excel sheet is there - I have typed in its path in the address box in IE and it loads and displays fine.

When I put in:

Response.Write objStream.Length
Response.End

I get:

Microsoft VBScript runtime error '800a01b6'

Object doesn't support this property or method: 'Length'

/test_excel_link2.asp, line 29

Also, I don't have a user IUSR_account - I am developing on a standalone XP Professional machine, using IIS 5.1 - could that be the problem?



0
muzzy2003Commented:
There should be an account named IUSR_<machinename>. Go to Computer Management, local users and groups. For now, since it's a standalone machine and your workstation, stick this account in the Administrators group and see if this fixes the problem.
0
DuncFitzAuthor Commented:
YES! YES! YES!

After a bit of playing with the permissions and the code, I finally got the following to work.

<%
Dim objStream

Call Response.Clear()
Response.ContentType = "application/x-msexcel"
Response.AddHeader "Content-Disposition", "attachment;filename=linktest.xls"

Set objStream = Server.CreateObject("ADODB.Stream")
objstream.open
objstream.type=1
objStream.loadfromfile("C:\temp\linktest.xls")
response.BinaryWrite(objstream.read(-1))
objStream.Close()
Set objStream = Nothing
Response.End()

%>

What seemed to make the difference is the line objstream.type=1.

Without it, the system tried to open my asp page as a spreadsheet.

With it, it opened the excel file.

Thanks for your help.
0
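A hardened form of downloadsheet.asp, as an added example that is not part of the thread or any poster's code: it fills in the permission check the posted version leaves as a comment, accepts only a bare .xls file name from the query string before building the path under C:\temp, and opens the stream in binary mode. Session("UserName"), SheetAllowed, IsSafeName, SHEET_DIR and the sample permission entries are assumptions made for illustration.

```vbscript
<%
Option Explicit
Const SHEET_DIR = "C:\temp\"    ' folder outside the web root, as in the thread
Const adTypeBinary = 1
Const adReadAll = -1

' Hypothetical permission lookup with constructed sample data. Replace the
' body with a parameterised query against the database the login page uses.
Function SheetAllowed(userName, sheetName)
    Dim acl
    Set acl = Server.CreateObject("Scripting.Dictionary")
    acl.CompareMode = vbTextCompare
    acl.Add "alice|test.xls", True
    acl.Add "bob|linktest.xls", True
    SheetAllowed = acl.Exists(userName & "|" & sheetName)
End Function

' Accept only a bare file name (letters, digits, _ and -) ending in .xls,
' so the value cannot carry a drive, a folder or "..\" into the path.
Function IsSafeName(fileName)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]+\.xls$"
    re.IgnoreCase = True
    IsSafeName = re.Test(fileName)
End Function

Dim strUser, strSheet, blnAllowed, objStream
strUser = "" & Session("UserName")      ' assumed to be set by the login page
strSheet = "" & Request.QueryString("name")

' Decide before any header or file access; refuse anything not explicitly allowed.
blnAllowed = False
If Len(strUser) > 0 And IsSafeName(strSheet) Then blnAllowed = SheetAllowed(strUser, strSheet)
If Not blnAllowed Then
    Response.Status = "403 Forbidden"
    Response.End
End If

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary           ' must be set before LoadFromFile
objStream.LoadFromFile SHEET_DIR & strSheet
Response.Clear
Response.ContentType = "application/x-msexcel"
Response.AddHeader "Content-Disposition", "attachment;filename=" & strSheet
Response.BinaryWrite objStream.Read(adReadAll)
objStream.Close
Response.End
%>
```

The account the page runs as (IUSR_<machinename> under anonymous access) needs only Read permission on the spreadsheet folder for LoadFromFile to succeed.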
Microsoft IIS Web Server
Question has a verified solution.