We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

Stop IIS from serving out XML files

schworak
schworak asked
on
Medium Priority
1,306 Views
Last Modified: 2012-08-14
I have this one domain on my server that uses XML files for lots of things. I don't want a user to be able to type in the URL of one of those XML files and view the content. How can I prevent IIS from serving files with .XML extension on them?
Comment
Watch Question

Top Expert 2006

Commented:
Do they use the XML files from a browser? Like loading it in Javascript and such or just server-side?
Do you want to block it for ALL sites? If so, pop IIS, right-click on your computer name, properties, MIME Types button, scroll to xml and delete the entry.
IIS won't server file extensions not in that list...

If other sites on the same box require xml to be pulled, then I would recommend renaming your .xml to say, .xml2 and IIS won't server them.

Author

Commented:
Some sites use XML to serve out to the users others do not. This one uses XML only on the server side. It is a commercial application we bought and can't modify bits of because they are DLLs. Someone had the stupid idea that the xml files had to be named xml and be in the root application folder which would give away our configuration if anyone browsed to it in the url. Nice eh? So much for a secure site.

So, without stopping all sites on this server from pushing out the xml and without renaming the xml files, can you think of any way to stop IIS from serving up the XML files?
Top Expert 2006

Commented:

Author

Commented:
It looks like URLScan will stop the XML files from being served out, but it does it for all web sites on the server. It doesn't seem to stop them from only one web site.

I am going to try changing the security settings on the key files that I want to prevent access to. I hope that doesn't break the application that actually uses them yet stops web browsers from getting to them.
Top Expert 2007

Commented:
Create a script mapping for XML on the specific site and point it to 404.dll if you have it or something non-existant if you don't (blah.dll).
This way if someone calls the XML file directly IIS will try to process it with the mapped script handler and the XML will not be sent directly to the client.

Anything that calls the XML internally (not via an HTTP call) will continue to work fine.

Dave Dietz

Author

Commented:
Dave, that sounds like a great idea. Can you provide a sample or guidance on how to set up the script mapping?
Top Expert 2006

Commented:
That's a good way to do it :)
Make sure you don't map it to a dll that might open up a security breach if xml can be uploaded or created through scripts.
Top Expert 2007
Commented:
You can download a copy of 404.dll from my FTP site at ftp://ftp.cyberdietz.com/tools.

Put the file in the c:\windows\system32\inetsrv directory on your web server.

In the properties of the web site go to the Home Directory tab

Click on Configuration

Add a new mapping - set the extension to xml and the path for the handler to c:\windows\system32\inetsrv\404.dll (you can browse to it...)

Save the settings and try browsing to an XML file...

Dave Dietz

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
What exactly is in the 404.dll?

Where did it come from? Is it something you wrote?

I ask because we may not end up using this at work if we don't know what it does due to possible security issues.

But testing it from home it works great! I even tried pointing at another DLL and got good results. I pointed to the same DLL that is used for ASP pages.

Author

Commented:
Correction. I used the DLL that works on .SOAP not .ASP pages and got the same results as using the 404.dll

The ASP version still served the XML but as plane web page text. Don't want that!
Top Expert 2007

Commented:
404.dll was distributed as part of the IIS Lockdown Toolkit from Microsoft.
(You can see the DLL information in Propertires->Version)

As far as I am aware all it does is generate a 404 response code when accessed.

Dave Dietz

 
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.