How to prevent direct access to the files on website?

We have an internal website (.Net with SQL as backend) which requires users to login before they can enter and use the site. One of the features is that it allows to download files once the user is logged in. I noticed if I know the full path of the URL to a specific file such as I can directly download the file without having to there a way to prevent this behaviour?


Sounds like what you would want to do is move your documents out of the root website folder into an unreachable folder (by web) and create a script (language pending on your setup) that would be able to access the files and deliver them to the user if they meet your requirements. I'm not familiar with ASP but believe there are already scripts like this for PHP. Maybe someone familiar with ASP can chime in if they know of one.

Could you create an application pool that uses a low level user on the IIS server? Then only grant access to the download folder to that low level user. That way, they can only get access to the folder when they have been successfully authenticated by the website?

That may screw up your forms authentication though. Just a thought.

I've attached code in classic ASP that uses an ADO Stream to stream a file to the user. With this code, files can be placed in any folder under IIS; then uncheck read/write/directory browsing for that folder. In ASP.NET the same concept can be applied; the only difference is you might need to apply folder permissions to the ASPNET worker process account.

Response.Buffer = True
Server.ScriptTimeout = 30000
strFileName = Request("FileName")
' perform access control here; if the user is not logged in, redirect them elsewhere
' only accept a bare file name, so the request cannot point outside FilesFolder
If strFileName = "" Or InStr(strFileName, "\") > 0 Or InStr(strFileName, "/") > 0 Or InStr(strFileName, "..") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Response.ContentType = "application/x-unknown"
strFilePath = Server.MapPath("FilesFolder") & "\" & strFileName
Response.AddHeader "Content-Disposition", "attachment; filename=" & strFileName
Set adoStream = CreateObject("ADODB.Stream")
intChunkSize = 2048
adoStream.Type = 1                      ' adTypeBinary
adoStream.Open
adoStream.LoadFromFile strFilePath      ' read the file from the folder that is not browsable
intFileSize = adoStream.Size
Response.AddHeader "Content-Length", CStr(intFileSize)
' send the file in whole chunks, stopping early if the client disconnects
For i = 1 To intFileSize \ intChunkSize
    If Not Response.IsClientConnected Then Exit For
    Response.BinaryWrite adoStream.Read(intChunkSize)
Next
' send the remaining partial chunk, if any
If intFileSize Mod intChunkSize > 0 Then
    If Response.IsClientConnected Then
        Response.BinaryWrite adoStream.Read(intFileSize Mod intChunkSize)
    End If
End If
adoStream.Close
Set adoStream = Nothing

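The same pattern as the first answer (files kept outside the web root, served only through code that checks the session) and the ASP.NET variant the classic ASP post alludes to, written as an added example for this thread rather than code from any of the posters. It assumes a store folder at D:\SecureFiles (placeholder path, not under the site's root), a handler named SecureDownloadHandler registered in web.config, and a query-string parameter called file; all three are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example (not from the thread): an ASP.NET IHttpHandler that serves files
// kept OUTSIDE the web root, and only to users who have passed forms authentication.
// Because the folder is not under the site root, IIS cannot serve its files directly;
// every download has to go through this handler.
public class SecureDownloadHandler : IHttpHandler
{
    // Assumed location of the protected files; readable only by the application pool identity.
    private const string StoreRoot = @"D:\SecureFiles";

    public bool IsReusable { get { return true; } }

    // Maps the user-supplied name onto a file inside StoreRoot.
    // Returns the absolute path to serve, or null if the request must be rejected.
    public static string ResolveSafePath(string storeRoot, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName)) return null;

        // Accept only a bare file name: anything with a directory part or traversal is refused.
        if (requestedName != Path.GetFileName(requestedName)) return null;
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;

        string root = Path.GetFullPath(storeRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requestedName));

        // Defence in depth: the canonical path must still lie under the store root
        // (this also catches a bare ".." which GetFileName lets through).
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        return File.Exists(full) ? full : null;
    }

    public void ProcessRequest(HttpContext context)
    {
        // Forms authentication has already run by the time the handler executes;
        // an anonymous user has an identity whose IsAuthenticated is false.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.End();
            return;
        }

        string path = ResolveSafePath(StoreRoot, context.Request.QueryString["file"]);
        if (path == null)
        {
            // Same status for "bad name" and "not found" so probing reveals nothing.
            context.Response.StatusCode = 404;
            context.Response.End();
            return;
        }

        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.TransmitFile(path);   // streams from disk without buffering the whole file
        context.Response.End();
    }
}
```

To make the handler itself reachable only by logged-in users, register it in web.config and put it under a location with `<authorization><deny users="?" /></authorization>`; the application pool identity then needs NTFS read access to the store folder, and no IIS virtual directory should point at that folder.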


Rainbow002 (Author) commented:
Thanks guys for responding but seems like this is something for developers who built the application to figure out...?
I was wondering if there was any settings on the folder permissions or IIS that can be turned on/off to prevent direct access to the files without authentication from user?
Please advise!
1. After the users log in, what security context are they logging in under? Look at the security configuration in the virtual directory in the IIS console to determine this.
2. If they are running under windows authentication, then simply restrict the download folder on the IIS server to only allow their windows accounts access to the folder.
3. If they are not (and I suspect they are not since the app is using forms authentication), then you will probably need some help from the developers to set up the security on the download folder appropriately.
1. IUSR_<ComputerName>
2. IWAM_<ComputerName>
3. Network Service

1 and 2 are for ASP code in IIS 6.0 and point 3 is for .NET coded pages.

Remove them and no one will be able to access the files/folder where you apply this.

You can add or check that the FTP user must remain on that folder, as you have to upload files to the folder.

Let me know if that resolves your issue.


Rainbow002 (Author) commented:
Thanks guys! I figure I'd need developers input to go about this.