
Secure the C:\Inetpub\wwwroot

jsctechy asked
Medium Priority
Last Modified: 2008-02-01
Hi there,
Is there a way that I can secure this folder to prevent users that may know the path? What I want to achieve is that users are only allowed to see the files through the application, but not any other way. It is really important for me to have this level of security on my application. I tried the IIS security options, but it seems like the "everyone" user overrides the selected user "username". Any help will be really appreciated.


Try going into Windows Explorer .... locate the folder ..... right click ..... choose properties ..... set up the security/sharing there.

I'm assuming this is a web application? What I would do is set up IIS to use a specific user to access that particular webpage (i.e. not IIS_USER). Then I would edit the permissions of that folder to only allow that user to view it, and of course yourself. I use this same setup with a password reset page I created, not to stop users from seeing the files, but because I want users to be able to reset passwords without having the appropriate permissions. If you give me a little more detail on your application, I can post more specific instructions.

You may have to go into the advanced folder options of Properties and tell the folder to stop inheriting from the parent groups in order to restrict the "everyone" access.

However, it is important to note that any more specific settings apply.

So if "everyone" has read permissions and "bob" has "read" and "write" permissions, then when bob logs in he gets the bob permissions.

You need to inform these guys that this is a ColdFusion application.

What he/she is trying to do is prevent website visitors who are not logged in (nor authorized, I imagine) in his/her web application from "guessing" the path to his/her files and accessing/downloading them.
I suggested that he/she put the folder outside the website and pull the file (for authorized users) via cfdirectory & cfcontent.
Or, if he/she had a separate folder for his/her files, he/she can right-click on it / select Properties / check Hidden (if on a local Windows machine) or remove read, write and execute permissions (if remote, using an FTP client).

I believe this comes down to two things:
1) It seems that all his/her files are in one directory (for example, the PDFs or DOCs for download are mixed in with index.cfm and everything else).
I tried to explain that a separate folder is needed in order to protect it, but I don't believe this was understood.
2) The disbelief that browsers cannot read files from a hidden directory.
He/she may have come to see this if he/she had experimented, but considered it not to be feasible because of problem #1.

I hope you all can explain this better than I.
jsctechy, Infrastructure Team Lead


dgrafx, I don't think you quite understand this issue as it was first addressed.
>>1) It seems that all his/her files are in one directory (for ex., the pdf's or doc's for download are mixed in with index.cfm and everything else)
No, they are not. The .cfm files are sitting in C:\Inetpub\wwwroot, and the PDFs, DOCs and other documents are in a subfolder of that directory, C:\Inetpub\wwwroot\Deals_01\
jsctechy, Infrastructure Team Lead


And in regards to this solution: it does not work, because it also hides the file in my application.
>>2) The disbelief that browsers cannot read files from a hidden directory.
He/She may have come to see this if experimented, but considered it to Not be feasable because of problem #1.

Then you are all set to do the rest of the instructions!
The problem understanding, I believe, arose when I used [protectedfolder] instead of deals_01.
Some of the comments you made seemed to indicate that your website root was the deals_01 folder.
So now you see that it will hide files - good.
The next step is to follow ALL the instructions - not just some of them.
This is how developers do it, and I'm sure you are very interested in learning.
When I said you need to create a folder that holds ONLY the files you are protecting, this means that your file
(let's call it downloads.cfm) CANNOT be in that directory - it needs to be in a location that the browser can access.
And to protect the file downloads.cfm from unauthorized access - you then use ColdFusion to set your protection logic.
For ex., (a real simple one) - at the top of downloads.cfm you might have:
<cfif Not isDefined("session.userid")>
    <!--- locate to a login page (login.cfm is a placeholder for your own page) --->
    <cflocation url="login.cfm">
</cfif>
<cfif Not session.admin>
    <!--- locate to a login page --->
    <cflocation url="login.cfm">
</cfif>
Whatever your application logic dictates.
jsctechy, Infrastructure Team Lead


Let's recap the whole issue. I have everything in the following folder: C:\Inetpub\wwwroot. Inside this folder there is another one called Deals_01 where those documents are sitting. By your suggestion, you want me to create a different folder outside C:\Inetpub\wwwroot to place the files I want to secure, something like C:\Deals_01. Then you want me to create another page called downloads.cfm and have the code look up the folder. Is that right? Then what?

Yes, that's right.
Place your downloads file in your website normally.
It doesn't Have to be "downloads.cfm" - it can be the file you're currently using.
I just meant the page that shows users the list of files.

Like this would be downloads.cfm:
<cfdirectory action="list" directory="C:\Deal_01\" name="files">
<cfoutput query="files">
    <a href="getfile.cfm?filename=#name#">#name#</a><br>
</cfoutput>

Then here is getfile.cfm:
<cfheader name="content-disposition" value="inline; filename=#filename#">
<cfcontent type="application/unknown" file="C:\Deal_01\#filename#" deletefile="no">

And voila - your files are secure!
Almost ...
So how do you secure unauthorized users from accessing downloads.cfm you ask?
Whatever var you use to say if a user is logged in or not.
Let's say you have a var named "session.isLoggedIn" that can be either True or False.
At the top of downloads.cfm put code like this:
<cfif Not session.isLoggedIn>
    <cflocation url="someplace else">
</cfif>
Now remember - you do need to set a value for session.isLoggedIn - It's not a magic CF var that determines if a user is logged in.
Here is a real simple example - remembering that building a quality app is a lot of work and requires years to become proficient (even though ColdFusion allows beginners to do a lot of stuff).
Let's say in your Application.cfm file you put:
<cfif Not isDefined("session.isLoggedIn")>
    <cflock scope="session" timeout="15">
        <cfset session.isLoggedIn=False>
    </cflock>
</cfif>

Now on your login action page, where you query the db to see if this user's credentials are valid,
and if they are valid (in other words, they are logged in):
<cflock scope="session" timeout="15">
    <cfset session.isLoggedIn=True>
</cflock>

Good Luck ...
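Two things the getfile.cfm above leaves open: it passes url.filename straight into the file path, so a value such as "..\..\" can read outside the protected folder, and it has no login check of its own, so anyone who guesses the URL bypasses downloads.cfm entirely. The hardened version below is an added example, not code from the original answer; it assumes the session.isLoggedIn flag set in Application.cfm as described, a placeholder login.cfm, and the variable names protectedDir and fullPath.

```cfml
<!--- getfile.cfm (added example): serve one file from C:\Deal_01\, which sits outside the web root --->
<cfset protectedDir = "C:\Deal_01\">

<!--- 1. Same login check as downloads.cfm; the download script itself must be protected. --->
<cfif Not isDefined("session.isLoggedIn") OR Not session.isLoggedIn>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- 2. Accept only a bare file name (letters, digits, space, dot, dash, underscore) and
        never "..", which rejects backslashes, slashes and drive letters that could walk out
        of the protected folder. --->
<cfparam name="url.filename" default="">
<cfif Not REFind("^[A-Za-z0-9 _.-]+$", url.filename) OR Find("..", url.filename)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfset fullPath = protectedDir & url.filename>

<!--- 3. The requested name must resolve to an existing file inside the protected folder. --->
<cfif Not FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 4. Send it as an attachment so the browser downloads rather than renders it in place. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#url.filename#""">
<cfcontent type="application/octet-stream" file="#fullPath#" deletefile="no">
```

The same name check belongs in any deletefile.cfm that takes the name from the URL, since deletion has the same traversal exposure as download.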
jsctechy, Infrastructure Team Lead


Hey, I know it is a bit late on this question, but I was working on something else and finally got back to finish this. I have the following question:
In here, how can I populate the names of the files, given that they are no longer sitting in ( <a href="http:/Deal_01/#name#">#name#</a><br /> )?

<cfdirectory action="list" name="files" directory="C:\Deal_01">
<!--- output the query results --->
<cfoutput query="files">
    <div align="left">
        <a href="deletefile.cfm?filename=#name#"
           onclick="return confirm('Are you sure you wish to delete this file?')"
        ><img src="Icons/icon_trashcan.gif" width="12" height="12" border="0" alt="Delete File" /></a>
        <a href="http:/Deal_01/#name#">#name#</a><br />
    </div>
</cfoutput>
jsctechy, Infrastructure Team Lead


So I guess the question is basically: once it is stored in that C drive folder, how can I get it to open after I click?
This is answered above - look for the example of getfile.cfm:
<a href="getfile.cfm?filename=#name#">#name#</a>

Also, please finish up the related question in the ColdFusion forum.
