To read the article online, visit http://www.4GuysFromRolla.com/webtech/022300-1.shtml

How to configure HTTP READ-Protected Folders

By Brian Atkinson


It is often said that it makes good sense to store your databases outside of the web accessible directories. But in many hosting situations this is not always possible. What if there is a way to have a non-web-accessible directory located inside the web-accessible directory?

Setting up a non-web-accessible database from within a web-accessible directory is actually quite simple. Suppose that we have a Default Web Site and several folders underneath it. One of the folders is named Site1 and contains a folder named data. Inside the data folder there is a database named database.mdb, whose physical path is:

D:\inetpub\wwwroot\Site1\data\database.mdb

If you were to visit the corresponding URL, such as http://www.yourserver.com/Site1/data/database.mdb, then depending on how your server is set up you would probably be prompted to save the database (or Access might simply have opened the database for you). The point is that you had HTTP access to the database. This is bad, because it means anyone who can guess the path to your Access database can now retrieve it!

Also, as discussed in the article "Security Alert - Using includes Improperly from non-Debugged ASP Pages can allow Visitors to View your source code", placing include files without an .ASP extension in directories with read permissions constitutes a security risk, since the server will happily send their source to anyone who requests them.

Now that we've identified why placing sensitive files in public Web site directories is a problem, we will investigate how to prevent this access!

Start by opening the Internet Service Manager and navigating to the data folder. Obtain the properties for this directory and set the IIS permissions as shown in the image below.

Screenshot of IIS 4.0 MMC

Removing the READ Access Permission is the key to preventing web access to this folder. Removing the READ permission tells IIS that HTTP READ requests to this folder will not be allowed. Since nothing should be located inside this folder except a database, it is also safe to change the Permissions setting (which controls Script and Execute access) to NONE. Keep in mind that these settings have nothing to do with NTFS permissions, which we will look at a bit later.

Save the console settings and exit the MMC. Now let's test these settings. If you try revisiting your Access database through a URL, as we did earlier, you will receive HTTP Error 403.2, stating that Read Access is Forbidden.

The next question is how an Active Server Page can access the database if there is no READ access. All file access (including ASP activity) is performed in the context of an NT user. For convenience's sake, let's assume that it is the IUSR_4GUYS account. Just because IUSR_4GUYS cannot access the database via the HTTP protocol does not mean that IUSR_4GUYS cannot access the database via an ASP script on the local file system. To explore this further, we must look at the file system.

In Windows Explorer, navigate to the data folder that contains the database:

D:\inetpub\wwwroot\Site1\data\database.mdb

Obtain the Security Properties for this folder and notice the NTFS permissions. Without going into excessive detail, here is where you will want to ensure that IUSR_4GUYS has the appropriate permissions to access the database. A database that is only queried needs READ access; updates require READ and WRITE. READ and WRITE is the maximum permission needed in most cases. If your ASP code allows users to delete fields in the database, this is still simply a file-level WRITE operation and should not be confused with a file-level DELETE. Note that Jet creates an .ldb lock file beside the database when it is opened, which is one reason the permissions belong on the data folder and not only on the .mdb file itself. Replace the permissions on all files and subdirectories for the data folder and exit.
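As an added verification check (not part of the original article), the following PowerShell script confirms both halves of the configuration on a current IIS host: that the database URL now answers 403 rather than serving the file, and that the anonymous account's NTFS rights stop at READ and WRITE. The URL, folder path and IUSR_4GUYS account name are the article's sample values and are assumptions to replace with your own.

```powershell
# Added verification script, not from the original article.
# Assumed sample values from the article; replace with your own server's.
$Url        = 'http://www.yourserver.com/Site1/data/database.mdb'
$DataFolder = 'D:\inetpub\wwwroot\Site1\data'
$Anonymous  = 'IUSR_4GUYS'   # IIS anonymous account used by ASP pages

# 1. HTTP check: a READ-protected folder must answer 403 (Forbidden).
#    A 200 means the database is still downloadable by anyone guessing the path.
try {
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    Write-Warning "FAIL: $Url returned $($resp.StatusCode); database is readable over HTTP."
}
catch {
    $status = [int]$_.Exception.Response.StatusCode   # 0 if no HTTP response
    if ($status -eq 403) {
        Write-Host "OK: $Url returned 403 (Read Access Forbidden)."
    } else {
        Write-Warning "Unexpected result for ${Url}: $($_.Exception.Message)"
    }
}

# 2. NTFS check: the anonymous account needs Read (queries) and Write (updates,
#    plus the .ldb lock file) on the data folder, but nothing beyond that.
$excess = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$acl    = Get-Acl -Path $DataFolder
$rules  = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$Anonymous" }

if (-not $rules) {
    Write-Warning "FAIL: $Anonymous has no NTFS entry on $DataFolder; ASP pages cannot open the database."
}
foreach ($rule in $rules) {
    $rights = $rule.FileSystemRights
    if ($rule.AccessControlType -eq 'Allow' -and ([int]($rights -band $excess) -ne 0)) {
        Write-Warning "FAIL: $Anonymous is allowed '$rights' on $DataFolder; READ and WRITE are the maximum needed."
    } else {
        Write-Host "OK: $Anonymous $($rule.AccessControlType) '$rights' on $DataFolder."
    }
}
```

Run it after applying the MMC and NTFS changes; any FAIL line points to the half of the configuration that still needs attention.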

That is all that is required to secure a database folder from URL-guessing eyes. This method can also be used to protect text files that are accessed by the FileSystemObject or files that you don't want the IUSR_4GUYS account to directly access over HTTP.

Good Luck and Happy Programming.......


Article Information
Article Title: How to configure HTTP READ-Protected Folders
Article Author: Brian Atkinson
Published Date: Wednesday, February 23, 2000
Article URL: http://www.4GuysFromRolla.com/webtech/022300-1.shtml


Copyright 2017 QuinStreet Inc. All Rights Reserved.