Thread: How To: Password protect files and directories under Windows 2008/IIS 7.0

  1. #1
    ASPnix Administration Roma's Avatar
    Join Date
    June 27, 2005
    Location
    Denver, CO
    Posts
    4,066

    How To: Password protect files and directories under Windows 2008/IIS 7.0

    We have created a Password Protection application which works with .NET which you can use to secure files and folders under your Windows 2008/IIS 7.0 hosting account. This application will not run under Windows 2003 and IIS 6.

    Disclaimer: This application has been tested with ASPnix accounts using the Windows 2008/IIS 7.0/.NET 2.0 platform, and cannot be confirmed to work with any other hosting provider or any other hosting platform. Please note that this software should be used at your own risk. ASPnix takes no responsibility for the use or misuse of the software. Further, ASPnix takes no responsibility for any potential failure of the software resulting in the exposure of secured files or directories as a result of the software's use or misuse.

    Download & Contents

    To start, you will need to download the application. Once you have downloaded the .ZIP file, you will need to extract the contents to your computer.

    Next you will need to upload all the files and create all the directories on your site. Please make sure when uploading that you preserve the directory and file structure. This will ensure that the application functions as designed.

    Please Note: If you already have a web.config file on your site, you will need to merge the contents of this file with the one which exists on your site already.

    User Administration

    Once everything is on your site, you should then open your browser and connect to http://your-site.com/admin/admin.aspx, replacing "your-site.com" with your actual domain name. You can then log in using:
    Code:
    Username: Admin
    Password: changethis

    Once you have logged in, you should see 2 existing users named Admin and User. The first thing you should do is to change the Admin password to one that is strong and unique. To do this, type the new password in the field provided and click on Hash Pass. Copy the text that it displays, and Edit the Admin user to change the password.

    There is also a test user named User which you can use to experiment with.

    Code:
    Username: User
    Password: keepitsecret

    It is recommended that you either delete this user or change the password before you start using the application to secure files and directories. In addition, you can create as many other users as you need.

    Securing Files and Folders

    By default, the directories named secure and admin are the only directories that are protected. The admin directory is set to allow only the Admin user to login. Since this is where all users are configured, this was added as an extra level of security. The secure directory allows all authenticated users to log in, while not allowing anonymous or unauthenticated users access. You can place any files or directories under the secure directory and they will automatically be password protected.

    If you want to change the name of the secured directory, add new secured directories or edit who is allowed to access which directories, you will need to edit the web.config file. Once you open the file, you'll see an entry like this:

    Code:
    <location path="secure">
       <system.web>
          <authorization>
             <deny users="?"/>
          </authorization>
       </system.web>
    </location>

    If you want to secure another directory, you can create a similar entry and change the value of the location path.

    Allow and Deny Users

    IMPORTANT: At the very least, for a directory to be secured you must deny access to anonymous or unauthenticated users (using a ?) as follows:

    Code:
    <deny users="?"/>

    If you want to allow only certain users to access the directory and deny everyone else, you can configure it as follows to deny all users (using a *) and then allow only specific exceptions in the allow users section. In this example, all users are prevented from logging in except username1 and username2:

    Code:
    <allow users="username1,username2"/>
    <deny users="*"/>

    If you want to deny all users, you can use * as a wildcard in the deny users section.

    You should not use the * or ? wildcards in the allow users section, as it will allow access to all users and all anonymous/unauthenticated users.

    IMPORTANT: The allow users section is optional, but it is highly recommended that a deny users section is always used. If you do not include a deny users section, all visitors to your site will be able to access the directory. Therefore you should never remove the deny users section.
    Attached Files
    Roma
    Friendly ASPnix Administrator


    https://www.aspnix.com
    roma@aspnix.com



    ASPnix on Facebook
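
The allow/deny rules described in the post above can be checked mechanically before a web.config is uploaded. The following is an added example, not part of the original post or the ASPnix application; the sample configuration, the directory names reports, drafts and old, and the function name audit_locations are constructed for illustration, and it assumes a web.config without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config, not the file shipped with the application.
SAMPLE_CONFIG = """<configuration>
  <location path="secure"><system.web><authorization>
    <deny users="?"/>
  </authorization></system.web></location>
  <location path="reports"><system.web><authorization>
    <allow users="username1,username2"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <location path="drafts"><system.web><authorization>
    <allow users="*"/>
    <deny users="?"/>
  </authorization></system.web></location>
  <location path="old"><system.web><authorization>
    <allow users="username1"/>
  </authorization></system.web></location>
</configuration>"""

def audit_locations(config_xml):
    """Return {location path: [findings]} using the rules from the post."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        findings, denied = [], set()
        rules = [r for auth in loc.iter("authorization") for r in auth]
        for rule in rules:
            users = {u.strip() for u in rule.get("users", "").split(",")}
            # Wildcards in an allow rule open the directory to everyone.
            if rule.tag == "allow" and users & {"*", "?"}:
                findings.append("allow rule uses a wildcard")
            if rule.tag == "deny":
                denied |= users
        # Without deny "?" or "*", anonymous visitors are not blocked.
        if not denied & {"*", "?"}:
            findings.append("no deny rule for anonymous users")
        report[loc.get("path")] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit_locations(SAMPLE_CONFIG).items():
        print(path, "->", findings or "ok")
```

An empty findings list means the location follows both rules from the post; any other result names the rule that the entry breaks.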

  2. #2
    Verified Community Member
    Join Date
    December 8, 2009
    Posts
    17

    Thanks Roma. I will look at this later.

  3. #3
    Unverified User
    Join Date
    April 12, 2010
    Posts
    1

    I got this installed and working with no problem. But I am a .NET developer and I understand what's going on with this and luckily this was not for an existing .NET app and I didn't have to merge config files. I think it's a shame that MS has put hosting providers in this position where we need to write software to do something as simple as protect a directory. Hopefully they will have a better solution for you and us in the future.

  4. #4
    ASPnix Administration Roma's Avatar
    Join Date
    June 27, 2005
    Location
    Denver, CO
    Posts
    4,066

    Our developers are working on such a module for our next control panel. Glad you got it working for now.
    Roma
    Friendly ASPnix Administrator


    https://www.aspnix.com
    roma@aspnix.com



    ASPnix on Facebook
