IIS7: How to block access with a web.config file?

Posted by neves on Server Fault See other posts from Server Fault or by neves
Published on 2009-10-08T19:22:32Z Indexed on 2012/12/04 23:06 UTC
Read the original article Hit count: 285

Filed under:

iis

|

iis7

|

.htaccess

|

web.config

I know that IIS7 allows me to have a per directory configuration with the web.config xml file. I have a directory with some configuration files that don't want to be web accessible. A local web.config file forbidding read access to it would be a nice solution.

What should be the contents of a web.config file to forbid web access to the files?

Edit: I'm trying to put a web.config file with these contents in a file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
            <system.web>
                    <authorization>
                            <deny users="*" /> <!-- Denies all users -->
                    </authorization>
            </system.web>
</configuration>

But I can still directly access a file inside the directory. What's wrong with it? How do I debug what's happening?

© Server Fault or respective owner

Related posts about iis

How to find and fix issue with Pound and HAProxy

as seen on Server Fault - Search for 'Server Fault'
Pound sits in front of HAProxy (on the same box) to perform SSL off-load. Requests are passed to 127.0.0.1:80 where HAProxy then balances the requests across backend servers for a hosted ASP .NET web app. A user is getting HTTP error 500 (Internal Server Error) returned to their browser this morning… >>> More
How to migrate deploy RESTful WCF Web Service from IIS 6.0 to IIS 7.0

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi all, I have a WCF Restful Web Service. It works find under VS and IIS 6.0. Now I want to move it to another work station with IIS 7.0 on it. I tried to copy all the deploy file from IIS 6 to IIS 7, but it cannot be accessed by other client, except for the request from it's own machine. I don't… >>> More
Server with IIS and Apache - how to SSL encrypt Apache with IIS

as seen on Server Fault - Search for 'Server Fault'
I have a Windows Server 2003 box already setup and working with IIS 6. IIS is set to serve a site out over both HTTP and HTTPS connections using default ports. For various reasons I need to set Apache up on the same server and it needs to serve its pages to end-users as SSL encrypted HTTPS pages… >>> More
Having IIS remote management problem with my vista machine managing Server 2008 IIS 7.5

as seen on Server Fault - Search for 'Server Fault'
I am trying to use IIS 7 Remote Management installed on Vista Ultimate SP1. Connection is to IIS 7.5 on Windows Server 2008 Webserver R2. Tried on both full & core install. When I connect up, the console wants to download and install new features. Microsoft.Web.Management.IisClient 7.5.0.0 Microsoft… >>> More
MVC4 App opens with directory listing and gives a 404 for any direct URL's entered in the browser

as seen on Pro Webmasters - Search for 'Pro Webmasters'
I've just deployed a previously (on my local IIS) working MVC4 app to IIS 7.5 on the dev server. After tweaking this and that - one knows how these things get forgotten - the app finally launches, but shows a directory listing of the app root. Clicking on most links there works, opening the directory… >>> More

Related posts about iis7

Configuring IIS7 404 page when using IIS7 urlrewrite module

as seen on Pro Webmasters - Search for 'Pro Webmasters'
I've got custom errors to work for .aspx page like: www.domain.com/whateverdfdgdfg.aspx But, when no .aspx url is requested, (like http://www.domain.com/hfdkfdh4545) it results in an error: HTTP Error 404.0 - Not Found The resource you are looking for has been removed, had its name changed… >>> More
How to create a Subdomain in IIS7?

as seen on Server Fault - Search for 'Server Fault'
In IIS7 I have a site: http://www.mydomain.com/mysite How can I get the same site to appear as: http://mysite.mydomain.com ? I already have the DNS set up and can ping it, I just do not know how to configure it in IIS7. >>> More
How can I control which IP address IIS7 uses?

as seen on Server Fault - Search for 'Server Fault'
In Win2k3 I used httpcfg to tell IIS to listen to specific IP addresses on the server. I want to run Apache with VisualSVN Server on port 80 on another IP address but IIS7 binds to all ports by default. What utility for IIS7 controls the IIS7 bindings? Update: I found the answer. There is a utility… >>> More
WCF service hosted in IIS7 with administrator rights?

as seen on Server Fault - Search for 'Server Fault'
Hello, How do I grant administrator rights to a running WCF service hosted in IIS7? The problem is, my code works fine in a test console application runned as an administrator, but the same code used from WCF service in IIS7 fails. When I run the same console test application without admin rights… >>> More
authentication problem on windows vista (cookie is getting written but httpcontext.current.user is n

as seen on Stack Overflow - Search for 'Stack Overflow'
authentication problem on windows vista (iis7) (cookie is getting written but httpcontext.current.user is null) >>> More