?
Solved

How to Prevent direct access of PDF or xls or doc files in IIS 6.0

Posted on 2014-01-02
3
Medium Priority
?
311 Views
Last Modified: 2016-05-17
We have got a site (eg abc.com) that is built in classic ASP and hosted on IIS 6.0. We have got a content folder in IIS 6.0, which consists of static files like PDF or XLS. We came to know recently that in various search engines, direct links of our website (www.abc.com/content/xyz.PDF) to PDF/xls are getting displayed in the search results and any user can access those files directly. As these files should be accessible to only logged in users, what is the way of preventing the anonymous users from accessing those files directly. We are using cookie and database for authenticating a valid user. The actions we have taken so far are:-

1) Included robots.txt in our website and through various webmaster tools, prevented the listing of direct links in the search results but we don’t think it is the optimal solution.

2) In our website there were various functionalities, through which the links to direct access of PDF’s were used to show it to the user. That we have stopped by not showing the direct URL path to the user.

Questions: - As we are using IIS6.0 and classic ASP, is there any way to implement anything at IIS level to prevent direct access of PDF/XLS files. Like, if the user types ‘www.abc.com/temp/xyz.PDF’ or the url consisting of .pdf/.xls should be intercepted by our asp or any other page first for the authentication(to check the user is logged in or not) and based on that it should allow to open.
0
Comment
Question by:Ckalra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Accepted Solution

by:
Scott Fell,  EE MVE earned 2000 total points
ID: 39751467
The only way I know of that is safe is to store the files outside of the public folder.  

If your site is on c:\inetpub\mysite.com, I would store my files on c:\secretfiles\

Then you would need to give the iusr account permissions for that folder.  When somebody requests mysite.com/password_protected/file.pdf you will use file system object to grab the file from c:\secretfiles\file.pdf and send it to the browser or temporary folder in the public site and possibly with a dynamic file name that changes each time like 201401021238.pdf.

If you have http://www.aspupload.com/ installed you can do this with secure file downloading http://www.aspupload.com/manual_misc.html
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question