Stop IIS from serving out XML files

I have this one domain on my server that uses XML files for lots of things. I don't want a user to be able to type in the URL of one of those XML files and view the content. How can I prevent IIS from serving files with .XML extension on them?
LVL 3
schworakAsked:
Who is Participating?
 
Dave_DietzConnect With a Mentor Commented:
You can download a copy of 404.dll from my FTP site at ftp://ftp.cyberdietz.com/tools.

Put the file in the c:\windows\system32\inetsrv directory on your web server.

In the properties of the web site go to the Home Directory tab

Click on Configuration

Add a new mapping - set the extension to xml and the path for the handler to c:\windows\system32\inetsrv\404.dll (you can browse to it...)

Save the settings and try browsing to an XML file...

Dave Dietz
0
 
DireOrbAntCommented:
Do they use the XML files from a browser? Like loading it in Javascript and such or just server-side?
Do you want to block it for ALL sites? If so, pop IIS, right-click on your computer name, properties, MIME Types button, scroll to xml and delete the entry.
IIS won't server file extensions not in that list...

If other sites on the same box require xml to be pulled, then I would recommend renaming your .xml to say, .xml2 and IIS won't server them.
0
 
schworakAuthor Commented:
Some sites use XML to serve out to the users others do not. This one uses XML only on the server side. It is a commercial application we bought and can't modify bits of because they are DLLs. Someone had the stupid idea that the xml files had to be named xml and be in the root application folder which would give away our configuration if anyone browsed to it in the url. Nice eh? So much for a secure site.

So, without stopping all sites on this server from pushing out the xml and without renaming the xml files, can you think of any way to stop IIS from serving up the XML files?
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
DireOrbAntCommented:
0
 
schworakAuthor Commented:
It looks like URLScan will stop the XML files from being served out, but it does it for all web sites on the server. It doesn't seem to stop them from only one web site.

I am going to try changing the security settings on the key files that I want to prevent access to. I hope that doesn't break the application that actually uses them yet stops web browsers from getting to them.
0
 
Dave_DietzCommented:
Create a script mapping for XML on the specific site and point it to 404.dll if you have it or something non-existant if you don't (blah.dll).
This way if someone calls the XML file directly IIS will try to process it with the mapped script handler and the XML will not be sent directly to the client.

Anything that calls the XML internally (not via an HTTP call) will continue to work fine.

Dave Dietz
0
 
schworakAuthor Commented:
Dave, that sounds like a great idea. Can you provide a sample or guidance on how to set up the script mapping?
0
 
DireOrbAntCommented:
That's a good way to do it :)
Make sure you don't map it to a dll that might open up a security breach if xml can be uploaded or created through scripts.
0
 
schworakAuthor Commented:
What exactly is in the 404.dll?

Where did it come from? Is it something you wrote?

I ask because we may not end up using this at work if we don't know what it does due to possible security issues.

But testing it from home it works great! I even tried pointing at another DLL and got good results. I pointed to the same DLL that is used for ASP pages.
0
 
schworakAuthor Commented:
Correction. I used the DLL that works on .SOAP not .ASP pages and got the same results as using the 404.dll

The ASP version still served the XML but as plane web page text. Don't want that!
0
 
Dave_DietzCommented:
404.dll was distributed as part of the IIS Lockdown Toolkit from Microsoft.
(You can see the DLL information in Propertires->Version)

As far as I am aware all it does is generate a 404 response code when accessed.

Dave Dietz

 
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.