Article ID: 216803 - Last Review: July 7, 2008 - Revision: 4.1

IIS Hidden Static Files Return HTTP 404 or Access Denied Errors

View products that this article applies to.

System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

This article was previously published under Q216803

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)

For more information about IIS 7.0, visit the following Microsoft Web site:

http://www.iis.net/default.aspx?tabid=1 (http://www.iis.net/default.aspx?tabid=1)

Expand all | Collapse all

SYMPTOMS

Static files that have the hidden attribute set may return an HTTP 404 or an Access Denied error when browsed, while dynamic files can still be browsed.

Back to the top

CAUSE

This behavior is by design.

Back to the top

RESOLUTION

Configuring access control for all Web files should always be implemented through NTFS permissions.

Back to the top

MORE INFORMATION

Dynamic files such as Active Server Pages (ASP) or Server-Side Includes (SSI) are implemented through script-mapped ISAPI extensions, in this case the Asp.dll and Ssiinc.dll files respectively. These extensions preprocess the executable code in the files being requested and can therefore read hidden files and return the expected HTML output to a client. Direct Web browsing of hidden static files results in a "File not Found" or an "Access Denied" error message.

Back to the top