
Protect bin folder from direct download

Hello,

My ASP.NET hoster has made a separate folder in my hosting space and
configured it as separate application in IIS. Further, I created "bin"
folder in this directory, and put in my aspx pages that all use code-behind.
All works fine, but I was dismayed finding out that it is possible to write
direct URL to an assembly in the bin folder, and IIS would allow to download
pure code. That's somewhat very wrong, isn't it?

What should I tell my hoster to do in order to fix this? Actually I was
expecting that IIS6 handles this automatically and makes the bin folder
accessible only to CLI, and does not expose its contents to http requests.

Thanks,

Pavils
Nov 18 '05 #1
1 Reply


Actually this is your hoster's fault.
In IIS Management Console they should revoke read permissions from this
folder. So IIS will not serve any file to the browser from that folder.
Those permissions are given only through IIS Management Console.

Do not mistake them with file "read" permission to IIS account or ASP.NET
account.
IIS must be able to read the DLL and load it into the memory.

George.
"Pavils Jurjans" <pa****@mailbox.riga.lv> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
Hello,

My ASP.NET hoster has made a separate folder in my hosting space and
configured it as separate application in IIS. Further, I created "bin"
folder in this directory, and put in my aspx pages that all use code-behind.
All works fine, but I was dismayed finding out that it is possible to write
direct URL to an assembly in the bin folder, and IIS would allow to download
pure code. That's somewhat very wrong, isn't it?

What should I tell my hoster to do in order to fix this? Actually I was
expecting that IIS6 handles this automatically and makes the bin folder
accessible only to CLI, and does not expose its contents to http requests.
Thanks,

Pavils

Nov 18 '05 #2
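
One way to confirm, from outside, that the change described in the reply took effect on your own application: request each assembly under `bin` and check that no PE image comes back. This is an added example, not code from the thread; the application URL, the assembly name and the sample responses are constructed placeholders.

```python
"""Check that assemblies under an application's bin folder are not served over HTTP."""
import urllib.error
import urllib.request

def http_fetch(url, timeout=10):
    """Return (status, first two body bytes) for a GET request."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(2)
    except urllib.error.HTTPError as err:
        return err.code, b""

def classify(status, head):
    """Map one response to a verdict for an assembly URL."""
    if status == 200 and head == b"MZ":   # PE files (.dll/.exe) start with "MZ"
        return "EXPOSED"
    if status in (401, 403, 404):         # server refused to serve the file
        return "blocked"
    return "REVIEW"                       # anything else: inspect by hand

def check_bin(app_url, assemblies, fetch=http_fetch):
    """Request <app_url>/bin/<name> for each assembly; return {url: verdict}."""
    base = app_url.rstrip("/")
    return {f"{base}/bin/{name}": classify(*fetch(f"{base}/bin/{name}"))
            for name in assemblies}

# Constructed responses standing in for the server before and after the
# IIS read permission is revoked on the bin folder (hypothetical host/name).
SAMPLE_BEFORE = {"http://app.example/bin/MySite.dll": (200, b"MZ")}
SAMPLE_AFTER = {"http://app.example/bin/MySite.dll": (403, b"")}

def demo():
    """Run the check against both constructed samples, offline."""
    before = check_bin("http://app.example/", ["MySite.dll"],
                       fetch=SAMPLE_BEFORE.__getitem__)
    after = check_bin("http://app.example/", ["MySite.dll"],
                      fetch=SAMPLE_AFTER.__getitem__)
    return before, after

if __name__ == "__main__":
    for result in demo():
        for url, verdict in result.items():
            print(f"{verdict:8} {url}")
```

To run it against a real site, call `check_bin` with your application URL and the names of the DLLs you deployed, leaving `fetch` at its default. The pages themselves should keep working afterwards, since the file-system read permission the reply mentions is untouched.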
