This step-by-step article describes how to add additional file types to an ASP.NET application to protect certain file types. By default, ASP.NET is configured to intercept and to stop requests for several different file types that are used in ASP.NET applications. These file types are ones that must not be retrieved by users. These file types include .config files that store configuration information for the application and .cs files that store the source code of the application. ASP.NET ensures the privacy of these files by associating both file types with System.Web.HttpForbiddenHandler. System.Web.HttpForbiddenHandler returns an error to the user who requests the file. This method of protecting files can be used for any file type. This method is useful for protecting files that exist in the folder of the Web application and must never be retrieved by users.
back to the top
back to the top
- On the taskbar click start, point to
Settings, and then click Control Panel.
- Double-click to open the Administrative Tools folder and then double-click to run Internet Services Manager.
- Right-click the virtual server or the virtual folder that contain your ASP.NET application and then click
- Select the Home Directory or the
Directory tab. If an application has not been created for the virtual folder, click Create under Application Settings.
- Under Application Settings, click
- To identify the location of the Aspnet_isapi.dll file that handles the ASP.NET requests, select the .aspx application mapping and then click Edit.
- The Add/Edit Application Extension Mappingdialog box appears. Select the text in the Executable field and then press CTRL+C to copy the text to your Clipboard.
- Click Cancel to return to the
Application Configuration dialog box.
- Now, add application mappings for each extension that you want ASP.NET to block. To do this, click Add. Then, in the
Executable field, press CTRL+V to paste the path of your Aspnet_isapi.dll file.
- In the Verbs section, select the
All Verbs option. Verify that the Script Engine check box is selected and that the Check If File Exists check box is not selected.
- Click OK.
- Repeat this procedure for every file name extension that you want to have processed by ASP.NET.
- Open the Web.config file in a text editor such as Notepad. The Web.config file is located in the root directory of your Web application.
- In the Web.config file add the <httpHandlers> configuration element under the <system.web> element.
Note You must not copy the <httpHandlers> element from the Machine.config file. The reason you must not copy the <httpHandlers> element is because the <httpHandlers> element permits you to add additional file types without completely overriding the Machine.config settings.
- In the <httpHandlers> element, use <add> sub tags to specify additional file types that you want blocked. Set the verb attribute equal to “*”. When you do this, you specify that all types of HTTP requests are blocked. Define the path attribute as a wildcard character that matches the types of files you want to block. For example, you may specify “*.mdb”. Finally, set the type attribute to “System.Web.HttpForbiddenHandler". The code sample that follows shows how to configure the "httpHandlers" section in the Web.config file:
<add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
<add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
<add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
- Save the Web.config file. The ASP.NET application automatically restarts.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315736 HOW TO: Secure an ASP.NET Application by Using Windows Security
315588 HOW TO: Secure an ASP.NET Application Using Client-Side Certificates
818014 HOW TO: Secure Applications That Are Built on the .NET Frameworkback to the top