How to stop website viewers from browsing to files on server?? (IIS)

I have a member folder in my root directory where things like pictures will be held.  I want to ensure that no one can browse to those files.  
I have disabled directory browsing, but it is easy to guess a file name...  or even use google for that matter.  
How can I make it to where users cannot browse to (ex: domain.com/members/1.jpg)  BUT my PHP scripts can still access them?
Thanks
askurat1Commented:
You can do this by using your .htaccess or web.config file. You can deny access to everyone except your server.

clcincAuthor Commented:
Thank you, that is very helpful. Do you happen to know how? Or could you post a link? I have been searching for hours.

askurat1Commented:
That depends on what you want. You can have them redirected to your home folder or you can just deny them altogether. Your choice.

askurat1Commented:
This gives you a pretty good list of options: http://www.htpasswdgenerator.com/apache/htaccess.html

clcincAuthor Commented:
Sorry, I guess I can't wrap my head around these .htaccess files. Would you mind writing the code for me? Pretty please with sugar on top?

askurat1Commented:
Once again, that depends on what you want. I need to know what you don't want people to be able to see.

clcincAuthor Commented:
Sorry, I missed the first post completely. When a member views clcinc.org/members (or any of its contents) I'd like them to be redirected to clcinc.org.
I just don't want anyone in that one folder. Thanks

askurat1Commented:
Try:
# Apache mod_rewrite rules for .htaccess. Note that IIS does not read .htaccess at all;
# on IIS an equivalent rule has to live in web.config (IIS URL Rewrite module).
RewriteEngine on
RewriteCond %{HTTP_HOST} ^clcinc\.org$ [OR]
RewriteCond %{HTTP_HOST} ^www\.clcinc\.org$
# Match /members itself and anything underneath it, then send the visitor to the home page.
# R=301 is cached by browsers; use R=302 while testing so a wrong rule is easy to undo.
RewriteRule ^members(/.*)?$ http://www.clcinc.org/ [R=301,L]

clcincAuthor Commented:
Sorry askurat... how would I change this if the members folder is in this location: clcinc.org/social/members?
Also, does the .htaccess go in the root folder?
Thank you so much

askurat1Commented:
# Same rules as above, with the pattern anchored at the nested folder.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^clcinc\.org$ [OR]
RewriteCond %{HTTP_HOST} ^www\.clcinc\.org$
# Match /social/members and anything underneath it.
RewriteRule ^social/members(/.*)?$ http://www.clcinc.org/ [R=301,L]

Yes, it goes in the root folder.

clcincAuthor Commented:
Doesn't seem to work. Should the changes be immediate?

askurat1Commented:
Yes. Are you typing in the correct directory?

clcincAuthor Commented:

askurat1Commented:
Well, it seems to be redirecting to a .php page.

clcincAuthor Commented:
Not for me? I tried it on two different connections. (I was on the same one as my server.)
Then I tried it in two different browsers, after clearing cookies. It takes me straight to the image.

askurat1Commented:
Try this:
Options +FollowSymlinks
RewriteEngine On
# Referer-based hotlink protection: it only acts when a Referer header is present
# and points somewhere other than this site. A blank Referer (typing the URL in
# directly) is let through, so this does not stop someone who knows the file name.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
# A substitution that starts with http:// is sent to the client as an external redirect.
RewriteRule \.(gif|jpg|png)$ http://www.yourdomain.com/ [NC,L]

pwindellCommented:
Just change the permissions on the Folder.

Remove inheritance on that folder and remove every user and group from the NTFS Permissions except the Administrators Group and whatever Groups or Users are supposed to access them.

Done,...simple,...solved.

Quit wasting your time fooling around with all the PHP, HTTP, "config files" and other stuff.

clcincAuthor Commented:
OK fellas... I am still having issues here. I tried both of the solutions, but had problems. askurat, the .htaccess did not work...

pwindell... I removed permissions using the properties tab on the directory. Is that what you meant? Also, it denied access. But then, even my scripts couldn't read the file for users' profiles. So it seems to be blocking ALL access when I do it that way...?

pwindellCommented:
pwindell... I removed permissions using the properties tab on the directory. Is that what you meant? Also, it denied access. But then, even my scripts couldn't read the file for users' profiles. So it seems to be blocking ALL access when I do it that way...?

Denied Access,...that is what you said you wanted.

Correct, the Scripts would fail,...the scripts don't run under the User's Account,..they run under whatever account applies to the situation you designed them under. For example ASP and PHP run under the IIS Anonymous Account (IUSR_<servername>),...so you have to give that account the permissions that it needs.

The danger there is that depending on the design of the Site the Users using the Site may be operating under the same IUSR_<servername> Account rather than their own. If they access Resources "programmatically" based on Code of the ASP or PHP then you are [possibly] kinda screwed with the NTFS Permissions and have created a "no-win" situation for yourself. You then would have to design an authentication system programmatically within the code of the ASP or PHP and maintain a User Accounts Database within the Site and then build Access Controls based on that,...also in the code of the Site.

Bottom line,...life is not so simple after all :-)

Anyway,...I would start out by also adding the IUSR_<servername> Account (and possibly also the IWAM_<servername> Account) to the Permissions of the Folders to get the ASP or PHP Scripts working again and see where things are after that,...don't try to solve problems that you haven't verified that you actually have yet.

clcincAuthor Commented:
Thanks for the response. I removed all users except the IUSR account. I can still browse to the images though. So I guess I'll seek alternatives.

pwindellCommented:
Yep, I was afraid of that.
Well,...building "Access Control" within the structure of a Web Application is a huge undertaking.

The simplest thing to do is

1. Turn on "Directory Browsing" to the specific Folder(s) in question
2. Do not have a Default Document for that folder (index.htm, default.htm, you get the point)
3. Let the PHP or ASP send the user to the Folder without a File name. For example:
http://www.site.com/folder  not  http://www.site.com/folder/index.php

Now the NTFS Permissions can "do their job" correctly. Give Permissions to the Administrators Group, the IUSR_<servername>, IWAM_<servername>, and any custom Group(s) for any users you may have created for this purpose. Set the permissions however you think you need but make the Administrators Group Full Control and also the Owner.

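Added example, not code from the thread or from any of the posters: a PHP gatekeeper script that serves a member image only to a logged-in member, which is the application-level access control pwindell describes. It assumes the images are moved to a folder outside the web root (the `C:/site-data/members` path and the `member_id` session flag are placeholders), so IIS cannot serve them directly whatever .htaccess or NTFS say, and this script becomes the only route to them. Pages then reference `/members.php?f=1.jpg` instead of `/members/1.jpg`.

```php
<?php
// Added example (not from the thread): gatekeeper for member-only images.
// Images live OUTSIDE the web root, so the web server never serves them
// directly; every request has to come through this script.
declare(strict_types=1);

session_start();

// Hypothetical session flag set by the site's own login code.
if (empty($_SESSION['member_id'])) {
    header('Location: /', true, 302);   // the thread's "send them to the home page"
    exit;
}

const MEMBER_FILES = 'C:/site-data/members';   // assumed location, outside the web root
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

$name = $_GET['f'] ?? '';

// Accept only a bare file name with an allowed extension: no slashes, no "..",
// no hidden files. This is what keeps the script from reading outside the folder.
if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|png|gif)$/', $name)) {
    http_response_code(404);
    exit;
}

$base = realpath(MEMBER_FILES);
$path = realpath(MEMBER_FILES . '/' . $name);

// Belt and braces: the resolved path must still sit inside the member folder,
// and the file must exist (realpath() returns false otherwise).
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');   // browsers must not second-guess the type
header('Cache-Control: private, no-store');  // keep member content out of shared caches
readfile($path);
```

Because the authorization check is the script's own session state, it holds even though PHP runs as the IIS anonymous account and NTFS cannot tell one site member from another.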