By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,822 Members | 729 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,822 IT Pros & Developers. It's quick & easy.

Using NTFS security to protect files served via asp/iis

P: n/a
Folks:

I have some zip files I'd like to serve to authenticated users on my
site, but would like to prevent unauthorized users from using an
absolute path to get to these zip files. For example
http://blah.com/file.zip should not be accessible directly without
authenticating. However, my current authenticaion goes to an LDAP
server and I'd rather not prompt users for another username and
password.

The only way I can figure this is to create a local user account on
the server, then set it to have NTFS read permissions for file. The
tricky part is using asp to pass windows authentication information in
the background to the server. Once it's authenticated, the download
begins. If a user somehow figures the absolute path to ther file, he
should be prevented from downloading it.

Is this possible?

Help.

Roberto
Jul 19 '05 #1
Share this Question
Share on Google+
2 Replies


P: n/a
"travelling_nerd" <tr*************@yahoo.com> wrote in message
news:96*************************@posting.google.co m...
Folks:

I have some zip files I'd like to serve to authenticated users on my
site, but would like to prevent unauthorized users from using an
absolute path to get to these zip files. For example
http://blah.com/file.zip should not be accessible directly without
authenticating. However, my current authenticaion goes to an LDAP
server and I'd rather not prompt users for another username and
password.

The only way I can figure this is to create a local user account on
the server, then set it to have NTFS read permissions for file. The
tricky part is using asp to pass windows authentication information in
the background to the server. Once it's authenticated, the download
begins. If a user somehow figures the absolute path to ther file, he
should be prevented from downloading it.

Is this possible?


The whole NTFS part is simple. I'm not sure I understand why you want ASP
to be involved.

IIS 5 Documentation
http://www.microsoft.com/windows2000/en/server/iis/
Microsoft Internet Information Server
Administration
Server Administration
Security
Authentication
Access Control

IIS 6 Documentation
http://www.microsoft.com/technet/pro...entication.asp
HOW TO: Configure IIS 5.0 Web Site Authentication in Windows 2000
http://support.microsoft.com/?id=310344
HOW TO: Configure User and Group Access on an Intranet in Windows 2000 or
Windows NT 4.0
http://support.microsoft.com/?id=325358
HOW TO: Configure IIS Web Site Authentication in Windows Server 2003
http://support.microsoft.com/default...b;en-us;324274

Make sure you disable simple file sharing in XP
http://support.microsoft.com/default...b;en-us;304040
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserv...y/centers/iis/

Jul 19 '05 #2

P: n/a
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message news:<c4**********@kcweb01.netnews.att.com>...
"travelling_nerd" <tr*************@yahoo.com> wrote in message
news:96*************************@posting.google.co m...
Folks:

I have some zip files I'd like to serve to authenticated users on my
site, but would like to prevent unauthorized users from using an
absolute path to get to these zip files. For example
http://blah.com/file.zip should not be accessible directly without
authenticating. However, my current authenticaion goes to an LDAP
server and I'd rather not prompt users for another username and
password.

The only way I can figure this is to create a local user account on
the server, then set it to have NTFS read permissions for file. The
tricky part is using asp to pass windows authentication information in
the background to the server. Once it's authenticated, the download
begins. If a user somehow figures the absolute path to ther file, he
should be prevented from downloading it.

Is this possible?


The whole NTFS part is simple. I'm not sure I understand why you want ASP
to be involved.


Sorry for the lack of clarity. What I want to do is authenticate, via
asp, access to a file that has specific ntfs permissions. For example.
A local user on the server is called "bob". I want only "bob" to
download the file, but I don't want the web browser to prompt him for
his username and pw. I want to hard code it in asp. Only bob will know
the url to the file.
Jul 19 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.