Solved

Secure the C:\Inetpub\wwwroot

Posted on 2006-03-30
Last Modified: 2008-02-01
Hi there,
Is there a way that I can secure this folder to prevent access by users who may know the path? What I want to achieve is that users are only allowed to see the files through the application and not any other way. It is really important for me to have this level of security on my application. I tried the IIS security options, but it seems like the "Everyone" user overrides the selected user "username". Any help will be really appreciated.
Thanks,
JCSTECHY

Question by:jsctechy
12 Comments
LVL 6

Expert Comment

by:rockymagee
ID: 16337152
Try going into Windows Explorer, locate the folder, right-click, choose Properties, and set up the security/sharing there.
LVL 4

Expert Comment

by:kamichie
ID: 16337215
I'm assuming this is a web application? What I would do is set up IIS to use a specific user to access that particular web page (i.e. not IIS_USER). Then I would edit the permissions of that folder to only allow that user to view it, and of course yourself. I use this same setup with a password reset page I created, not to stop users from seeing the files, but because I want users to be able to reset passwords without having the appropriate permissions. If you give me a little more detail on your application, I can post more specific instructions.
LVL 35

Expert Comment

by:mrichmon
ID: 16337511
You may have to go into the advanced folder options of Properties and tell the folder to stop inheriting the parent groups in order to restrict the "Everyone" access.

However, it is important to note that any more specific settings apply.

So if "everyone" has read permissions and "bob" has "read" and "write" permissions, then when bob logs in he gets the bob permissions.
LVL 25

Expert Comment

by:dgrafx
ID: 16342596
jsctechy
You need to inform these guys that this is a ColdFusion application.

What he/she is trying to do is prevent website visitors who are not logged in (nor authorized, I imagine) to his/her web application from "guessing" the path to his/her files and accessing/downloading them.
I suggested that he/she put the folder outside the website and pull the file (for authorized users) via cfdirectory & cfcontent.
Or, if he/she had a separate folder for his/her files, he/she can right-click on it / select Properties / check Hidden (if on a local Windows machine) or remove read, write, execute permissions (if remote, using an FTP client).

I believe this comes down to two things:
1) It seems that all his/her files are in one directory (for ex., the PDFs or DOCs for download are mixed in with index.cfm and everything else).
I tried to explain that a separate folder is needed in order to protect it, but I don't believe this was understood.
2) The disbelief that browsers cannot read files from a hidden directory.
He/She may have come to see this if he/she had experimented, but considered it not to be feasible because of problem #1.

I hope you all can explain this better than I.
LVL 1

Author Comment

by:jsctechy
ID: 16343231
dgrafx, I don't think you quite understood this issue as it was first addressed.
>>1) It seems that all his/her files are in one directory (for ex., the PDFs or DOCs for download are mixed in with index.cfm and everything else)
No, they are not: the .cfm files are sitting in C:\Inetpub\wwwroot, and the PDFs, DOCs and other documents are in a subfolder of that directory, C:\Inetpub\wwwroot\Deals_01\
LVL 1

Author Comment

by:jsctechy
ID: 16343293
And in regards to this solution, it does not work because it also hides the files in my application.
>>2) The disbelief that browsers cannot read files from a hidden directory.
He/She may have come to see this if he/she had experimented, but considered it not to be feasible because of problem #1.
LVL 25

Expert Comment

by:dgrafx
ID: 16343452
OK
Then you are all set to do the rest of the instructions!
The problem understanding, I believe, arose when I used [protectedfolder] instead of deals_01.
Some of the comments you made seemed to indicate that your website root was the deals_01 folder.
So now you see that it will hide files - good.
The next step is to follow ALL the instructions - not just some of them.
This is how developers do it, and I'm sure you are very interested in learning.
When I said you need to create a folder that holds ONLY the files you are protecting, this means that your file
(let's call it downloads.cfm) CANNOT be in that directory - it needs to be in a location that the browser can access.
And to protect the file downloads.cfm from unauthorized access - you then use ColdFusion to set your protection logic.
(THESE ARE 2 SEPARATE ISSUES - PDF OR DOC PROTECTION & COLDFUSION PAGE PROTECTION)
For ex. (a real simple one) - at the top of downloads.cfm you might have:
<cfif Not isDefined("session.userid")>
<!--- send the visitor to the login page --->
<cflocation url="login.cfm">
<cfabort>
</cfif>
or
<cfif Not session.admin>
<!--- send the visitor to the login page --->
<cflocation url="login.cfm">
<cfabort>
</cfif>
Whatever your application logic dictates.
LVL 1

Author Comment

by:jsctechy
ID: 16384498
Let's recap the whole issue. I have everything in the following folder: C:\Inetpub\wwwroot. Inside this folder there is another one called Deals_01 where those documents are sitting. By your suggestion you want me to create a different folder outside C:\Inetpub\wwwroot to place the files I want to secure instead, something like this: C:\Deals_01. Then you want me to create another page called downloads.cfm and have the code look up the folder. Is that right? Then what?
LVL 25

Expert Comment

by:dgrafx
ID: 16385737
Yes thats right.
Place your downloads file in your website normally.
It doesn't Have to be "downloads.cfm" - it can be the file you're currently using.
I just meant the page that shows users the list of files.

like this would be downloads.cfm:
<cfdirectory action="list" directory="C:\Deal_01\" name="files">
<cfoutput query="files">
     <a href="getfile.cfm?filename=#name#">#name#</a><br>
</cfoutput>

Then here is getfile.cfm:
<cfheader name="content-disposition" value="inline; filename=#filename#">
<cfcontent type="application/unknown" file="C:\Deal_01\#filename#" deletefile="no">

And voila - your files are secure!
Almost ...
So how do you secure unauthorized users from accessing downloads.cfm you ask?
What ever var you use to say if a user is logged in or not.
Let's say you have a var named "session.isLoggedIn" that can be either True or False.
At the top of downloads.cfm put code like this:
<cfif Not session.isLoggedIn>
<cflocation url="someplace else">
<cfabort>
</cfif>
Now remember - you do need to set a value for session.isLoggedIn - It's not a magic CF var that determines if a user is logged in.
Here is a real simple example - remembering that building a quality app is a lot of work and requires years to become proficient (even though ColdFusion allows beginners to do a lot of stuff).
Let's say in your Application.cfm file you put:
<cfif Not isDefined("session.isLoggedIn")>
<cflock scope="session" timeout="15">
<cfset session.isLoggedIn=False>
</cflock>
</cfif>

Now on your login action page, where you query the db to see if this user's credentials are valid,
and if they are valid (in other words, they are logged in):
<cflock scope="session" timeout="15">
<cfset session.isLoggedIn=True>
</cflock>


Good Luck ...
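The two pages dgrafx describes, put together in one hardened form. This is an added example, not dgrafx's or the asker's code. It assumes the protected files live in C:\Deal_01\ (dgrafx's path; the asker calls the folder Deals_01), that session.isLoggedIn is set on login exactly as dgrafx shows, and that the login page is called login.cfm. The listing URL-encodes file names, and getfile.cfm validates url.filename before it touches the disk: dgrafx's getfile.cfm passes the parameter straight into the path, so a request like ?filename=..\..\Inetpub\wwwroot\Application.cfm would read a file outside the folder.

```cfml
<!---
  Added example (not code from the original thread).
  Assumptions: baseDir = C:\Deal_01\ lies outside C:\Inetpub\wwwroot and is not
  mapped as an IIS virtual directory; login.cfm sets session.isLoggedIn = True.
  Both pages below live inside the web root, e.g. C:\Inetpub\wwwroot\.
--->

<!--- ===== downloads.cfm: list the protected files for logged-in users ===== --->
<cfif NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfset baseDir = "C:\Deal_01\">
<cfdirectory action="list" directory="#baseDir#" name="files">
<cfoutput query="files">
    <!--- skip subdirectories; encode the name so spaces and '&' survive the URL --->
    <cfif files.type EQ "file">
        <a href="getfile.cfm?filename=#URLEncodedFormat(files.name)#">#HTMLEditFormat(files.name)#</a><br>
    </cfif>
</cfoutput>

<!--- ===== getfile.cfm: stream one file, behind the same login check ===== --->
<cfif NOT structKeyExists(session, "isLoggedIn") OR NOT session.isLoggedIn>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfset baseDir = "C:\Deal_01\">
<cfparam name="url.filename" default="">

<!---
  First check: accept only a bare file name made of letters, digits, dot,
  dash, underscore and space, starting with a letter/digit/underscore.
  This rejects "\", "/", ":", "..", empty names and NUL bytes outright.
--->
<cfif NOT reFind("^[A-Za-z0-9_][A-Za-z0-9_. -]*$", url.filename) OR find("..", url.filename)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!---
  Second check: canonicalise both paths (java.io.File normalises "." / ".."
  and 8.3 short names on Windows) and require the file to stay under baseDir.
  compareNoCase because NTFS paths are case-insensitive.
--->
<cfset baseCanonical = createObject("java", "java.io.File").init(baseDir).getCanonicalPath() & "\">
<cfset fileCanonical = createObject("java", "java.io.File").init(baseDir & url.filename).getCanonicalPath()>

<cfif compareNoCase(left(fileCanonical, len(baseCanonical)), baseCanonical) NEQ 0
      OR NOT fileExists(fileCanonical)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!---
  Serve as an attachment, not inline: an uploaded .html served inline would
  run script in the site's own origin. Generic content type for the same reason.
--->
<cfheader name="Content-Disposition" value="attachment; filename=""#url.filename#""">
<cfcontent type="application/octet-stream" file="#fileCanonical#" deletefile="no">
```

Only the ColdFusion service account needs NTFS read access to C:\Deal_01; the IIS anonymous user needs none, and because the folder sits outside the web root and is not a virtual directory, IIS has no way to serve it at a guessed URL, which is what the original question was about. The whitelist regex deliberately rejects non-ASCII names; widen it if the folder holds such files, but keep the canonical-path check regardless.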
LVL 1

Author Comment

by:jsctechy
ID: 16480643
Hey, I know it's a bit late on this question, but I was working on something else and finally got back to finish this. I have the following question:
In here, how can I populate the names of the files, given that they are not sitting there anymore? ( <a href="http:/Deal_01/#name#">#name#</a><br /> )

<cfdirectory action="list" name="files" directory="C:\Deal_01">
<!--- output the query results --->
<cfoutput query="files">
    <div align="left">
        <a href="deletefile.cfm?filename=#name#"
           onclick="return confirm('Are you sure you wish to delete this file?')"><img src="Icons/icon_trashcan.gif"
           width="12" height="12" border="0" alt="Delete File" /></a>
        <a href="http:/Deal_01/#name#">#name#</a><br />
    </div>
</cfoutput>
LVL 1

Author Comment

by:jsctechy
ID: 16480749
So I guess the question is basically: once it is stored in that C: drive folder, how can I get it to open after I click?
LVL 25

Accepted Solution

by: dgrafx (earned 2000 total points)
ID: 16481812
This is answered above - look for the example of getfile.cfm:
<a href="getfile.cfm?filename=#name#">#name#</a>

also please finish up the related question in the coldfusion forum
http://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/Q_21786662.html