  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 835

How to lock down a directory in IIS

Hi,
If I have a site like this:
www.mysite.com/admin/stuff
and I want to stop anyone except a certain IP address from gaining access to that particular URL/path in IIS 7, how would I do that?
Specifically I'm trying to lock down ColdFusion Administrator url which is in the form
www.mysite.com/CFIDE/administrator/
Thanks!
Nacht
Asked by: nachtmsk
1 Solution
SidFishes commented:
Even if you block access to that, it can still be an issue, as CF can serve cfadmin files from its install dir even if you have blocked the one in inetpub or where your virtual directory points.

http://www.petefreitag.com/item/750.cfm

What I do is copy the entire cfide folder above the webroot (which makes it completely inaccessible) and then, when I need to access the administrator, I run a batch file with this line:

xcopy c:\inetpub\administrator\*.* c:\inetpub\wwwroot\cfide\administrator\ /s

I can then load my cfadmin login page, do my maintenance and when done,

I run another batch file:

rd c:\inetpub\wwwroot\cfide\administrator\ /s /q

You must remember to run this. You could always add it to a scheduled task to run at midnight, so if you do forget, the time it's available is short.

There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

My version of CF wasn't vulnerable to this latest cfadmin authentication exploit, but had it been, it wouldn't have mattered (and I could have patched at my leisure) as cfadmin was not available to be exploited.
0
 
_agx_ commented:
There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

+100
0
 
RickEpnet commented:
Are you using IIS 7.5? If so, it is very easy to block these folders. This option might even be in IIS 7.0.
You can have these folders blocked via Request Filtering:
CFIDE.../
administrator
componentutils
adminapi

Then have one web site that has no internet access and leave those open on that web site only.

Now, if your server itself gets compromised, this method goes down the tubes, but then again if your server is compromised you have more to worry about than your website getting hacked.
0
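The two IIS approaches discussed on this page, as a site-level web.config. This is an added example, not any poster's configuration: the Request Filtering block refuses the three CFIDE paths from RickEpnet's list, and the location block answers the original question by allowing a single management address (203.0.113.10 is an RFC 5737 documentation placeholder). Use one or the other for a given path, not both.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- Option 1 (RickEpnet): Request Filtering rejects any URL that
           contains one of these sequences, so the request never reaches
           ColdFusion. Paths are assumed to sit under the site root. -->
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/CFIDE/administrator" />
          <add sequence="/CFIDE/componentutils" />
          <add sequence="/CFIDE/adminapi" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Option 2 (the question as asked): keep the path reachable, but only
       from one source address. Requires the "IP and Domain Restrictions"
       role service, and the ipSecurity section must be unlocked in
       applicationHost.config before a site web.config may set it.
       Note this does not cover a second copy of CFIDE served from the
       CF install directory, which SidFishes warns about. -->
  <location path="CFIDE/administrator">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

A denied request under Option 1 shows up in the IIS log as a 404 with sub-status 5, and under Option 2 as a 403 with sub-status 503, which is what to look for when checking the lockdown is actually in effect.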
 
RickEpnet commented:
Sorry, forgot to say: agreed, best practice is to just not have those folders on the server.
0
 
nachtmsk (Author) commented:
Thanks everyone. I went with moving the directory out of the webroot. I'll probably just create a virtual directory (alias) whenever I need to modify anything. Seems the quickest route.
0
