Solved

Stop IIS from serving out XML files

Posted on 2006-11-03
11
1,227 Views
Last Modified: 2012-08-14
I have this one domain on my server that uses XML files for lots of things. I don't want a user to be able to type in the URL of one of those XML files and view the content. How can I prevent IIS from serving files with .XML extension on them?
0
Comment
Question by:schworak
  • 5
  • 3
  • 3
11 Comments
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17867978
Do they use the XML files from a browser? Like loading it in Javascript and such or just server-side?
Do you want to block it for ALL sites? If so, pop IIS, right-click on your computer name, properties, MIME Types button, scroll to xml and delete the entry.
IIS won't server file extensions not in that list...

If other sites on the same box require xml to be pulled, then I would recommend renaming your .xml to say, .xml2 and IIS won't server them.
0
 
LVL 3

Author Comment

by:schworak
ID: 17869702
Some sites use XML to serve out to the users others do not. This one uses XML only on the server side. It is a commercial application we bought and can't modify bits of because they are DLLs. Someone had the stupid idea that the xml files had to be named xml and be in the root application folder which would give away our configuration if anyone browsed to it in the url. Nice eh? So much for a secure site.

So, without stopping all sites on this server from pushing out the xml and without renaming the xml files, can you think of any way to stop IIS from serving up the XML files?
0
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17871091
0
 
LVL 3

Author Comment

by:schworak
ID: 17871912
It looks like URLScan will stop the XML files from being served out, but it does it for all web sites on the server. It doesn't seem to stop them from only one web site.

I am going to try changing the security settings on the key files that I want to prevent access to. I hope that doesn't break the application that actually uses them yet stops web browsers from getting to them.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17872050
Create a script mapping for XML on the specific site and point it to 404.dll if you have it or something non-existant if you don't (blah.dll).
This way if someone calls the XML file directly IIS will try to process it with the mapped script handler and the XML will not be sent directly to the client.

Anything that calls the XML internally (not via an HTTP call) will continue to work fine.

Dave Dietz
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 3

Author Comment

by:schworak
ID: 17873773
Dave, that sounds like a great idea. Can you provide a sample or guidance on how to set up the script mapping?
0
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17874718
That's a good way to do it :)
Make sure you don't map it to a dll that might open up a security breach if xml can be uploaded or created through scripts.
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 250 total points
ID: 17875064
You can download a copy of 404.dll from my FTP site at ftp://ftp.cyberdietz.com/tools.

Put the file in the c:\windows\system32\inetsrv directory on your web server.

In the properties of the web site go to the Home Directory tab

Click on Configuration

Add a new mapping - set the extension to xml and the path for the handler to c:\windows\system32\inetsrv\404.dll (you can browse to it...)

Save the settings and try browsing to an XML file...

Dave Dietz
0
 
LVL 3

Author Comment

by:schworak
ID: 17876647
What exactly is in the 404.dll?

Where did it come from? Is it something you wrote?

I ask because we may not end up using this at work if we don't know what it does due to possible security issues.

But testing it from home it works great! I even tried pointing at another DLL and got good results. I pointed to the same DLL that is used for ASP pages.
0
 
LVL 3

Author Comment

by:schworak
ID: 17876682
Correction. I used the DLL that works on .SOAP not .ASP pages and got the same results as using the 404.dll

The ASP version still served the XML but as plane web page text. Don't want that!
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17876871
404.dll was distributed as part of the IIS Lockdown Toolkit from Microsoft.
(You can see the DLL information in Propertires->Version)

As far as I am aware all it does is generate a 404 response code when accessed.

Dave Dietz

 
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

First of all, clustering IIS is something you should rarely consider doing. In almost all cases, Microsoft Network Load Balancing (NLB) (http://technet.microsoft.com/en-us/library/cc758834(WS.10).aspx) is a much better solution when you need to p…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
This video discusses moving either the default database or any database to a new volume.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now