How to (un)block directories with IIS7 web.config

IIS7 includes an all-new distributed configuration option, which allows for IIS7 configuration to be stored in web.config files, along with asp.net configuration, to be deployed with your content.  This makes transferring IIS7 configuration from your Vista PC to your hosted server as easy as copying files!  Read more about this in the Delegating Configuration section of http://learn.IIS.net

IIS7 also includes a new request filtering feature that protects your Web site by filtering requests.  IIS7 looks out for well known attacks and automatically rejects them.  You can tell IIS7 about special patterns you want to look out for, and you can block access to certain parts of your site, by simply adding new configuration to your Web.config file.  For more information on the request filtering feature, visit the http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/ article.

In this post, I'll show how easy it is to block or unblock sections of your site from being accessed.  This method will work on any IIS7 web server, and it will be ignored on all non-IIS7 web servers, so it should be safe to do no matter the type of application or content. 

By default, IIS7 blocks access to a few well-known special directories, including "bin", "App_Code", "App_Data" and so forth.  This is because these directories often contain special code or data that is normally never accessed directly from the Web.  You may want to protect other directories on your site from being accessed, for example your "log" directory or "database" directory.  Or you may be using an application, like Lightroom, which actually requires access to one of the previously blocked directories like "bin".  You can easily block or unblock access to directories by adding a bit of configuration to your web.config file.

Scenario:  Let's say I want to block the "log" directory from being accessed on my site.  It's as easy as:

1) create (or edit) the web.config file in your site's home directory

2) edit it as follows:

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="log" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Note: if you instead want to unblock a directory like "bin", to enable applications like Lightroom to work with IIS7, the configuration required is exactly the same as above, except for the <add segment="log" /> directive.  Change it to <remove segment="bin" /> and IIS7 will allow access to "bin" directories on your site.  (Careful: if you do this on an ASP.NET site you may be unintentionally allowing access to assemblies that are normally protected.)
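To see what a given web.config will actually do before you deploy it, here is an added Python script (not from the original post) that applies the <hiddenSegments> directives in a site web.config on top of the defaults the post names, then tests sample URL paths against the result.  It assumes IIS7's hidden-segment check is a case-insensitive, whole-segment match and that a blocked request gets a 404; the sample configs and paths are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Defaults the post names (IIS7 ships with more; only these three are on the page).
PAGE_DEFAULTS = ["bin", "App_Code", "App_Data"]

# Constructed sample: the post's web.config that hides the "log" directory.
BLOCK_LOG = """<configuration><system.webServer><security><requestFiltering>
  <hiddenSegments><add segment="log" /></hiddenSegments>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed sample: the post's variant that re-exposes "bin" (the risky one).
UNBLOCK_BIN = BLOCK_LOG.replace('<add segment="log" />', '<remove segment="bin" />')


def effective_hidden_segments(web_config_xml, inherited=PAGE_DEFAULTS):
    """Apply a site web.config's <hiddenSegments> on top of the inherited list.
    <add> appends, <remove> drops (case-insensitive), <clear/> empties, in document order."""
    hidden = list(inherited)
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.webServer/security/requestFiltering/hiddenSegments")
    for elem in (node if node is not None else []):
        seg = elem.get("segment", "")
        if elem.tag == "add" and seg.lower() not in (h.lower() for h in hidden):
            hidden.append(seg)
        elif elem.tag == "remove":
            hidden = [h for h in hidden if h.lower() != seg.lower()]
        elif elem.tag == "clear":
            hidden = []
    return hidden


def is_blocked(url_path, hidden):
    """True if any path segment equals a hidden segment (assumed case-insensitive,
    whole-segment match: /log/x is blocked, /logs/x is not). IIS answers with 404."""
    segments = [s for s in url_path.split("/") if s]
    return any(s.lower() in (h.lower() for h in hidden) for s in segments)


if __name__ == "__main__":
    for name, cfg in (("block log", BLOCK_LOG), ("unblock bin", UNBLOCK_BIN)):
        hidden = effective_hidden_segments(cfg)
        print(name, "->", hidden)
        for path in ("/log/error.txt", "/logs/error.txt", "/bin/MyApp.dll"):
            print("   ", path, "blocked" if is_blocked(path, hidden) else "allowed")
```

Run it against your real web.config to confirm that "unblock bin" really does drop "bin" from the effective list, which is exactly the case the note above warns about.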

Also, if you'd like a fancy UI to help you in managing your request filtering rules, check out the new IIS7 Admin Pack which just shipped and includes a new UI feature which makes managing this feature easy! 
