Solved

Stop IIS from serving out XML files

Posted on 2006-11-03
Last Modified: 2012-08-14
I have this one domain on my server that uses XML files for lots of things. I don't want a user to be able to type in the URL of one of those XML files and view the content. How can I prevent IIS from serving files with .XML extension on them?
Question by:schworak
11 Comments
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17867978
Do they use the XML files from a browser? Like loading it in JavaScript and such or just server-side?
Do you want to block it for ALL sites? If so, pop IIS, right-click on your computer name, properties, MIME Types button, scroll to xml and delete the entry.
IIS won't serve file extensions not in that list...

If other sites on the same box require xml to be pulled, then I would recommend renaming your .xml to say, .xml2 and IIS won't serve them.
0
 
LVL 3

Author Comment

by:schworak
ID: 17869702
Some sites use XML to serve out to the users; others do not. This one uses XML only on the server side. It is a commercial application we bought and can't modify bits of because they are DLLs. Someone had the stupid idea that the XML files had to be named xml and be in the root application folder, which would give away our configuration if anyone browsed to it in the URL. Nice, eh? So much for a secure site.

So, without stopping all sites on this server from pushing out the xml and without renaming the xml files, can you think of any way to stop IIS from serving up the XML files?
0
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17871091
0

 
LVL 3

Author Comment

by:schworak
ID: 17871912
It looks like URLScan will stop the XML files from being served out, but it does it for all web sites on the server. It doesn't seem to stop them from only one web site.

I am going to try changing the security settings on the key files that I want to prevent access to. I hope that doesn't break the application that actually uses them yet stops web browsers from getting to them.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17872050
Create a script mapping for XML on the specific site and point it to 404.dll if you have it or something non-existent if you don't (blah.dll).
This way if someone calls the XML file directly IIS will try to process it with the mapped script handler and the XML will not be sent directly to the client.

Anything that calls the XML internally (not via an HTTP call) will continue to work fine.

Dave Dietz
0
 
LVL 3

Author Comment

by:schworak
ID: 17873773
Dave, that sounds like a great idea. Can you provide a sample or guidance on how to set up the script mapping?
0
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17874718
That's a good way to do it :)
Make sure you don't map it to a dll that might open up a security breach if xml can be uploaded or created through scripts.
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 1000 total points
ID: 17875064
You can download a copy of 404.dll from my FTP site at ftp://ftp.cyberdietz.com/tools.

Put the file in the c:\windows\system32\inetsrv directory on your web server.

In the properties of the web site go to the Home Directory tab

Click on Configuration

Add a new mapping - set the extension to xml and the path for the handler to c:\windows\system32\inetsrv\404.dll (you can browse to it...)

Save the settings and try browsing to an XML file...

Dave Dietz
0
 
LVL 3

Author Comment

by:schworak
ID: 17876647
What exactly is in the 404.dll?

Where did it come from? Is it something you wrote?

I ask because we may not end up using this at work if we don't know what it does due to possible security issues.

But testing it from home it works great! I even tried pointing at another DLL and got good results. I pointed to the same DLL that is used for ASP pages.
0
 
LVL 3

Author Comment

by:schworak
ID: 17876682
Correction. I used the DLL that works on .SOAP not .ASP pages and got the same results as using the 404.dll

The ASP version still served the XML but as plain web page text. Don't want that!
0
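The "try browsing to an XML file" check from the accepted solution, written as a repeatable script; this is an added example and not part of the original thread. It reports a file as exposed whenever its content comes back, whatever the status code or content type, which covers the case above where the ASP handler returned the XML as plain page text. The host name, file names and marker strings are constructed placeholders.

```python
import urllib.error
import urllib.request


def fetch(url, timeout=5):
    """GET a URL and return (status, first 64 KiB of body); 4xx/5xx do not raise."""
    req = urllib.request.Request(url, headers={"User-Agent": "xml-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)


def classify(status, body, marker):
    """Verdict for one response.

    marker is a byte string known to occur in the real file on disk, such as
    its root element. Content-Type is ignored on purpose: a wrong handler can
    hand the file back as text/html or text/plain.
    """
    if marker in body:
        return "EXPOSED"      # file content reached the client
    if 200 <= status < 300:
        return "REVIEW"       # success status without the marker: inspect by hand
    return "BLOCKED"          # e.g. the 404 produced by the script mapping


def check_site(base_url, files, fetcher=fetch):
    """files maps relative path -> marker bytes. Returns {path: verdict}."""
    results = {}
    for path, marker in files.items():
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        status, body = fetcher(url)
        results[path] = classify(status, body, marker)
    return results


if __name__ == "__main__":
    # Constructed sample targets; replace with the site's real XML files.
    targets = {"config.xml": b"<configuration", "users.xml": b"<users"}
    for path, verdict in check_site("http://localhost/", targets).items():
        print(f"{verdict:8} {path}")
```

Run it once per web site on the server, since the script mapping is set per site.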
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17876871
404.dll was distributed as part of the IIS Lockdown Toolkit from Microsoft.
(You can see the DLL information in Properties->Version)

As far as I am aware all it does is generate a 404 response code when accessed.

Dave Dietz

 
0


Question has a verified solution.
