?
Solved

Stop IIS from serving out XML files

Posted on 2006-11-03
11
Medium Priority
?
1,257 Views
Last Modified: 2012-08-14
I have this one domain on my server that uses XML files for lots of things. I don't want a user to be able to type in the URL of one of those XML files and view the content. How can I prevent IIS from serving files with .XML extension on them?
0
Comment
Question by:schworak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
11 Comments
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17867978
Do they use the XML files from a browser? Like loading it in Javascript and such or just server-side?
Do you want to block it for ALL sites? If so, pop IIS, right-click on your computer name, properties, MIME Types button, scroll to xml and delete the entry.
IIS won't server file extensions not in that list...

If other sites on the same box require xml to be pulled, then I would recommend renaming your .xml to say, .xml2 and IIS won't server them.
0
 
LVL 3

Author Comment

by:schworak
ID: 17869702
Some sites use XML to serve out to the users others do not. This one uses XML only on the server side. It is a commercial application we bought and can't modify bits of because they are DLLs. Someone had the stupid idea that the xml files had to be named xml and be in the root application folder which would give away our configuration if anyone browsed to it in the url. Nice eh? So much for a secure site.

So, without stopping all sites on this server from pushing out the xml and without renaming the xml files, can you think of any way to stop IIS from serving up the XML files?
0
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17871091
0
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

 
LVL 3

Author Comment

by:schworak
ID: 17871912
It looks like URLScan will stop the XML files from being served out, but it does it for all web sites on the server. It doesn't seem to stop them from only one web site.

I am going to try changing the security settings on the key files that I want to prevent access to. I hope that doesn't break the application that actually uses them yet stops web browsers from getting to them.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17872050
Create a script mapping for XML on the specific site and point it to 404.dll if you have it or something non-existant if you don't (blah.dll).
This way if someone calls the XML file directly IIS will try to process it with the mapped script handler and the XML will not be sent directly to the client.

Anything that calls the XML internally (not via an HTTP call) will continue to work fine.

Dave Dietz
0
 
LVL 3

Author Comment

by:schworak
ID: 17873773
Dave, that sounds like a great idea. Can you provide a sample or guidance on how to set up the script mapping?
0
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 17874718
That's a good way to do it :)
Make sure you don't map it to a dll that might open up a security breach if xml can be uploaded or created through scripts.
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 1000 total points
ID: 17875064
You can download a copy of 404.dll from my FTP site at ftp://ftp.cyberdietz.com/tools.

Put the file in the c:\windows\system32\inetsrv directory on your web server.

In the properties of the web site go to the Home Directory tab

Click on Configuration

Add a new mapping - set the extension to xml and the path for the handler to c:\windows\system32\inetsrv\404.dll (you can browse to it...)

Save the settings and try browsing to an XML file...

Dave Dietz
0
 
LVL 3

Author Comment

by:schworak
ID: 17876647
What exactly is in the 404.dll?

Where did it come from? Is it something you wrote?

I ask because we may not end up using this at work if we don't know what it does due to possible security issues.

But testing it from home it works great! I even tried pointing at another DLL and got good results. I pointed to the same DLL that is used for ASP pages.
0
 
LVL 3

Author Comment

by:schworak
ID: 17876682
Correction. I used the DLL that works on .SOAP not .ASP pages and got the same results as using the 404.dll

The ASP version still served the XML but as plane web page text. Don't want that!
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 17876871
404.dll was distributed as part of the IIS Lockdown Toolkit from Microsoft.
(You can see the DLL information in Propertires->Version)

As far as I am aware all it does is generate a 404 response code when accessed.

Dave Dietz

 
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Logparser is the smartest tool I have ever used in parsing IIS log files and there are many interesting things I wanted to share with everyone one of the  real-world  scenario from my current project. Let's get started with  scenario - How do w…
Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question