HOW TO: Use ASP.NET to Protect File Types


This step-by-step article describes how to add additional file types to an ASP.NET application to protect certain file types. By default, ASP.NET is configured to intercept and to stop requests for several different file types that are used in ASP.NET applications. These file types are ones that must not be retrieved by users. These file types include .config files that store configuration information for the application and .cs files that store the source code of the application. ASP.NET ensures the privacy of these files by associating both file types with System.Web.HttpForbiddenHandler. System.Web.HttpForbiddenHandler returns an error to the user who requests the file. This method of protecting files can be used for any file type. This method is useful for protecting files that exist in the folder of the Web application and must never be retrieved by users.

back to the top

Edit Script Mappings in Internet Services Manager

Microsoft Internet Information Services (IIS) 5.0 determines how to handle requests based on the script mapping for the file name extension of the request. These script mappings are adjusted by using Internet Services Manager. For ASP.NET to block file types, you must first configure IIS 5.0 to forward those requests to ASP.NET. To do this, follow these steps:
  1. On the taskbar click start, point to
    Settings, and then click Control Panel.
  2. Double-click to open the Administrative Tools folder and then double-click to run Internet Services Manager.
  3. Right-click the virtual server or the virtual folder that contain your ASP.NET application and then click
  4. Select the Home Directory or the
    Directory tab. If an application has not been created for the virtual folder, click Create under Application Settings.
  5. Under Application Settings, click
  6. To identify the location of the Aspnet_isapi.dll file that handles the ASP.NET requests, select the .aspx application mapping and then click Edit.
  7. The Add/Edit Application Extension Mappingdialog box appears. Select the text in the Executable field and then press CTRL+C to copy the text to your Clipboard.
  8. Click Cancel to return to the
    Application Configuration dialog box.
  9. Now, add application mappings for each extension that you want ASP.NET to block. To do this, click Add. Then, in the
    Executable field, press CTRL+V to paste the path of your Aspnet_isapi.dll file.
  10. In the Verbs section, select the
    All Verbs option. Verify that the Script Engine check box is selected and that the Check If File Exists check box is not selected.
  11. Click OK.
  12. Repeat this procedure for every file name extension that you want to have processed by ASP.NET.
back to the top

Configure a File Type That You Want Blocked

To block additional file types for an ASP.NET application, follow these steps:
  1. Open the Web.config file in a text editor such as Notepad. The Web.config file is located in the root directory of your Web application.
  2. In the Web.config file add the <httpHandlers> configuration element under the <system.web> element.

    Note You must not copy the <httpHandlers> element from the Machine.config file. The reason you must not copy the <httpHandlers> element is because the <httpHandlers> element permits you to add additional file types without completely overriding the Machine.config settings.
  3. In the <httpHandlers> element, use <add> sub tags to specify additional file types that you want blocked. Set the verb attribute equal to “*”. When you do this, you specify that all types of HTTP requests are blocked. Define the path attribute as a wildcard character that matches the types of files you want to block. For example, you may specify “*.mdb”. Finally, set the type attribute to “System.Web.HttpForbiddenHandler". The code sample that follows shows how to configure the "httpHandlers" section in the Web.config file:
    <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
  4. Save the Web.config file. The ASP.NET application automatically restarts.
back to the top


For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315736 HOW TO: Secure an ASP.NET Application by Using Windows Security
315588 HOW TO: Secure an ASP.NET Application Using Client-Side Certificates
818014 HOW TO: Secure Applications That Are Built on the .NET Framework
back to the top

Artikelnummer: 815152 – Letzte Überarbeitung: 24.03.2009 – Revision: 1