Deny all web access to a directory? (Searched the net already...)

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: david (david_at_discussions.microsoft.com)
Date: 09/29/04 

Date: Tue, 28 Sep 2004 19:25:02 -0700

Hi,

[Note: I first posted this to the .security subgroup, but then saw that it
was almost dead, so I am reposting here. Sorry for the dup posts...]

I have a asp.net site running on an MS Access database this is, for better
or worse, stored under the webroot.

How can I lockout the database directory to prevent anyone from downloading
the mdb file via HTTP?

I have attached my web.config file at the end of this message.

The problem is that the "database" directory is still viewable by anyone.
Not sure why. No errors. IIS just lets me though. Do I have a typo
somwhere?

Thanks,
David

---------------------------------------------

<configuration>

<system.web>
 <customErrors mode="Off"/>
  
 <!-- Authentication form -->
 <authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
timeout="999999" path="/app-admin/" />
  </authentication>
  
  <!-- Allow anon users to main site -->
  <authorization>
   <allow users="?" />
  </authorization>
 </system.web>
   
 <!-- Set up secure zone for app admin -->
 <location path="app-admin">
  <system.web>
  
   <!-- disallow anon users to this zone-->
   <authorization>
    <deny users="?" />
    </authorization>
   </system.web>
  </location>
  
 <!-- Set up secure zone for database -->
 <location path="database">
  <system.web>
  
   <!-- disallow all users to this zone-->
   <authorization>
    <deny users="*" />
   </authorization>
  </system.web>
 </location>
   
</configuration>

Relevant Pages

  • Re: access 2003 relationships
    ... takes me to a Link dialog box asking for an .mdb file. ... Unfortunately the database ... message is that it cannot find the database without the database directory ... :> Paul D ...
    (microsoft.public.access.dataaccess.pages)
  • Deny web access to a directory?
    ... How can I lockout the database directory to prevent anyone from downloading ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: QRe: Legacy Access 2 VB 4 app, Word 11 merge on XP Pro SP2 client
    ... selecting "blank database" or some such. ... possible to set a simple password on a whole mdb file, ... case, make sure you have a backup of the .mdw file, then launch Access ... >I could not get the app to accept the changes to Notepad within the ...
    (microsoft.public.access.conversion)
  • Re: Basic security questions
    ... Your ASP page would "connect" to the file on the Unix box via ADO or ADO.NET ... Password protected databases are different from database protected by ULS ... ULS protected databases require the use of the .mdw workgroup file ... >> If you double-click an mdb file, the sequence of actions is as follows. ...
    (microsoft.public.access.security)
  • Re: Creating a new Access database file (.mdb) in .NET/C#
    ... create an empty shell MDB file and you can then run ... copy the MDB file to a folder and run the DDL against it ... I'm making changes to a small, portable, single-user database ... Frank McKenney, McKenney Associates ...
    (microsoft.public.dotnet.framework.adonet)