Pau Lo
asked on
web.config.bak files concerns
we have a number of internal applications which rely on IIS for the web server. These are only internal servers but we have noticed the 3rd parties whose apps we use have within the web root some web.config12.bak type files. These do have hard coded DB and admin credentials within them so we would not want them exposed to any internal officers.
All servers are internal and not internet facing so the risk is limited to internal employees, and it is a small workforce with limited web server skills I would presume. The web root is hosted on the servers D:\, and the actual permissions on the web root folders themselves only grant IIS_USERS group read on read & execute permissions. I typed the full path into a browser, e.g. \\server\app\live\admin\we b.config12 .bak and it returns a "404 - File or directory not found" error, even though I know it exists in that path. If I try a sample of other files in that directory such as styles.css, or a log txt file I know exists, my browser loads them up fine. So I am wondering if its something to do with the extension that causes the 404 error rather than ACL permissions preventing their download. As the ACL seems to be the same for all files in that directory, so it must be an IIS additional security control, perhaps.
I just need to be sure this would be consistent for all internal employees, that nobody could download a copy of these web config backup files, or if its the behavior of the browser preventing the download as it doesn't know how the handle the extension "bak" and therefore issues a misleading 404 file not found error. How could we check? Or from what I have described, would this be sufficient in terms of security, e.g. the extension prevents the files download via a web browser. If it makes any difference the servers are server 2012.
I also wondered how IIS protects someone from guessing the location of the live web.config and downloading it? Or if somebody knew how, and knew the location, could they download a copy of web.config? Or does the IIS prevent downloading of certain files in a wwwroot.
All servers are internal and not internet facing so the risk is limited to internal employees, and it is a small workforce with limited web server skills I would presume. The web root is hosted on the servers D:\, and the actual permissions on the web root folders themselves only grant IIS_USERS group read on read & execute permissions. I typed the full path into a browser, e.g. \\server\app\live\admin\we
I just need to be sure this would be consistent for all internal employees, that nobody could download a copy of these web config backup files, or if its the behavior of the browser preventing the download as it doesn't know how the handle the extension "bak" and therefore issues a misleading 404 file not found error. How could we check? Or from what I have described, would this be sufficient in terms of security, e.g. the extension prevents the files download via a web browser. If it makes any difference the servers are server 2012.
I also wondered how IIS protects someone from guessing the location of the live web.config and downloading it? Or if somebody knew how, and knew the location, could they download a copy of web.config? Or does the IIS prevent downloading of certain files in a wwwroot.
ASKER
>Without providing individual user permissions, they can not access that file.
how come we can access files such as txt log files and styles.css which are in the exact same directory though? surely the permissions are exactly the same for every file in that folder?
how come we can access files such as txt log files and styles.css which are in the exact same directory though? surely the permissions are exactly the same for every file in that folder?
ASKER
I've just checked and IIS_USERS has the same permissions on the live web.config, the web config backup files, and other files such as styles.css
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Without providing individual user permissions, they can not access that file. IIS_IUSRS permission may be required for them to browse the site but that doesn't mean that they get access the physical access to that location.
From the server, start>>run>>\\server\app\l