How to prevent direct access to the files on website?

Posted on 2008-11-07
Last Modified: 2012-06-27
We have an internal website (.Net with SQL as backend) which requires users to login before they can enter and use the site. One of the features is that it allows to download files once the user is logged in. I noticed if I know the full path of the URL to a specific file such as I can directly download the file without having to there a way to prevent this behaviour?

Question by:Rainbow002
    LVL 1

    Assisted Solution

    Sounds like what you would want to do is move your documents out of the root website folder into an unreachable folder (by web) and create a script (language pending on your setup) that would be able to access the files and deliver them to the user if they meet your requirements. Im not familar with ASP but believe there are already scripts like this for PHP. Maybe someone familar with ASP can chime in if they know of one.
    LVL 3

    Accepted Solution

    Could you create an application pool that uses a low level user on the IIS server? Then only grant access to the download folder to that low level user. That way, they can only get access to the folder when they have been succesffully authenticated by the website?

    That may screw up your forms authentication though. Just a thought.

    Assisted Solution

    I've attached code in classic ASP that use ADO stream to stream file to user. With this code, files can be place in any folder under IIS then uncheck read/write/directory browsing for that folder. In ASP.NET same concept can be applied only difference is you might need to apply folder permission to ASPNET worker process account.
    Response.Buffer = True
    Server.ScriptTimeout = 30000 
    strFileName = Request("FileName")
    'perform access control here, if user not logged in redirect them elsewhere
    Response.ContentType = "application/x-unknown"
    strFilePath = Server.Mappath("FilesFolder") & "\" & strFileName
    Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
    Set adoStream = CreateObject("ADODB.Stream") 
    intChunkSize = 2048 
    adoStream.Type = 1 
    intFileSize = adoStream.Size 
    Response.AddHeader "Content-Length", intFileSize 
    For i = 1 To intFileSize \ intChunkSize 
        If Not Response.IsClientConnected Then Exit For 
        Response.BinaryWrite adoStream.Read(intChunkSize) 
    If intFileSize Mod intChunkSize > 0 Then 
        If Response.IsClientConnected Then
            Response.BinaryWrite adoStream.Read(intFileSize Mod intChunkSize) 
        End If 
    End If 
    Set adoStream = Nothing 

    Open in new window


    Author Comment

    Thanks guys for responding but seems like this is something for developers who built the application to figure out...?
    I was wondering if there was any settings on the folder permissions or IIS that can be turned on/off to prevent direct access to the files without authentication from user?
    Please advise!
    LVL 3

    Assisted Solution

    1. After the users log in, what security context are they logging in under? Look at the security configuration in the virtual directory in the IIS console to determine this.
    2. If they are running under windows authentication, then simply restrict the download folder on the IIS server to only allow their windows accounts access to the folder.
    3. If they are not (and I suspect they are not since the app is using forms authentication), then you will probably need some help from the developers to set up the security on the download folder appropriately.
    LVL 3

    Expert Comment

    1. IUSR<<ComputerName>>
    2. IWAM<<ComputerName>>
    3. Network Service

    1 and 2 are for asp code in IIS 6.0 and 3 point are for .net coded page.

    Remove them you no one will be able to access these files/folder where you apply.

    You can add or check FTP user must remain on that folder as you have to upload file's to folder

    let me know if that resolves your issue



    Author Comment

    Thanks guys! I figure I'd need developers input to go about this.

    Featured Post

    6 Surprising Benefits of Threat Intelligence

    All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

    Join & Write a Comment

    Suggested Solutions

    Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
    Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now