Solved

How to lock down a directory in IIS

Posted on 2013-02-05
5
803 Views
Last Modified: 2013-02-06
Hi,
If I have a site like this:
www.mysite.com/admin/stuff
and I want to stop anyone except a certain IP address from gaining access to that particular URL/path in IIS 7, how would I do that?
Specifically I'm trying to lock down ColdFusion Administrator url which is in the form
www.mysite.com/CFIDE/administrator/
Thanks!
Nacht
0
Question by:nachtmsk
5 Comments
 
LVL 36

Accepted Solution

by:
SidFishes earned 500 total points
ID: 38856538
Even if you block access to that, it can still be an issue as CF can serve cfadmin files from its install dir even if you have blocked the one in inetpub or wherever your virtual directory points.

http://www.petefreitag.com/item/750.cfm

What I do is copy the entire cfide folder above the webroot (which makes it completely inaccessible) and then when I need to access the administrator I run a batch file with this line

xcopy c:\inetpub\administrator\*.* c:\inetpub\wwwroot\cfide\administrator\ /s

I can then load my cfadmin login page, do my maintenance and when done,

I run another batch file

rd c:\inetpub\wwwroot\cfide\administrator\ /s /q

You must remember to run this. You could always add it to a scheduled task to run at midnight so if you do forget, the time it's available is short.

There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

My version of CF wasn't vulnerable to this latest cfadmin authentication exploit, but had it been, it wouldn't have mattered (and I could have patched at my leisure) as cfadmin was not available to be exploited.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 38856565
There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

+100
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857207
Are you using IIS 7.5? If so it is very easy to block these folders. This option might even be in IIS 7.0
You can have these folders blocked via Request Filtering
CFIDE.../
administrator
componentutils
adminapi

Then have one web site that has no internet access and leave those open on that web site only.

Now if your server itself gets compromised this method goes down the tubes, but then again if your server is compromised you have more to worry about than your website getting hacked.
0
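A web.config fragment for the Request Filtering approach described above, with a second block covering the single-IP restriction the question asks for. This is an added example, not configuration from the thread or from ColdFusion. It assumes IIS 7.x with the Request Filtering and "IP and Domain Restrictions" role services installed, that the ipSecurity section has been unlocked for site-level override in applicationHost.config, and that 203.0.113.10 is a placeholder for the admin's management address.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- Request Filtering: any request whose path contains one of these
           segments is rejected with a 404 before any handler (including the
           ColdFusion connector) sees it, so it also covers the case where
           CF would otherwise serve CFIDE from its own install directory.
           Note: a segment matches anywhere in the URL path, so a legitimate
           folder named e.g. /docs/administrator/ would be hidden too. -->
      <requestFiltering>
        <hiddenSegments>
          <add segment="administrator" />
          <add segment="componentutils" />
          <add segment="adminapi" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Alternative to hiding "administrator" outright: keep
       /CFIDE/administrator reachable, but only from one management IP
       (placeholder address). Everything not listed is denied. -->
  <location path="CFIDE/administrator">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The two blocks are alternatives for the administrator folder: while "administrator" is listed under hiddenSegments the location block is never reached, so remove it from that list if you want the IP allow-list instead of a flat block.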
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857215
Sorry, forgot to say: agreed, best practice is just to not have those folders on the server.
0
 

Author Closing Comment

by:nachtmsk
ID: 38859366
Thanks everyone. I went with moving the directory out of the webroot. I'll probably just create a virtual directory (alias) whenever I need to modify anything. Seems the quickest route.
0
