We would like to provide an extra level of security for files and folders that cannot be moved outside the web server document root. A common scenario on shared web hosting is that IIS or Apache and PHP run under the same user account, so file-system permissions cannot separate the two. We can add this protection by leveraging the different effect that allow/deny directives have on the web server versus their effect on PHP. In short, we direct the web server not to serve the folder while still allowing PHP to read from it.
IIS Authorization Rules
- To allow/deny in IIS, URL Authorization must be turned on. In IIS Manager->Connections select the server or a site, then make sure Features View is selected. Is “Authorization Rules” in the feature list?
- If not, turn it on in Control Panel->Programs and Features->Turn Windows features on or off … (wait for the feature list to load) … IIS->WWW Services->Security-> check the box for “URL Authorization”
- Click OK to turn on URL Authorization
- Confirm in IIS Manager that Authorization Rules is now available
Use IIS Manager to edit the web.config for any folder or directory in the Connections tree.
Example web.config: deny all access to a folder (IIS 7.5)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
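A folder-level web.config is easy to get subtly wrong (the inherited allow-all rule left in place, a Deny limited to a few verbs, an Allow added alongside the Deny). The following checker is an added example, not part of the original article: it parses a web.config with Python's standard library and reports whether the system.webServer/security/authorization section removes the inherited `users="*"` rule and adds an unrestricted Deny for everyone. The two embedded configs are constructed samples; the first is the article's deny-all snippet, the second a counter-example that allows everyone.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the deny-all web.config shown in the article.
DENY_ALL_WEBCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed counter-example: an Allow for everyone and no removal of the inherited rule.
ALLOW_ALL_WEBCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""


def authorization_rules(webconfig_xml):
    """Return the (tag, attributes) entries under
    system.webServer/security/authorization, in document order.
    An absent section yields an empty list instead of an error."""
    root = ET.fromstring(webconfig_xml)
    auth = root.find("./system.webServer/security/authorization")
    if auth is None:
        return []
    return [(child.tag, dict(child.attrib)) for child in auth]


def denies_all_web_access(webconfig_xml):
    """True only when the folder's web.config (a) removes the inherited
    users="*" rule, (b) adds a Deny for users="*" that is not limited to
    particular HTTP verbs, and (c) adds no Allow rule of its own.
    A mixed Allow/Deny set is reported as False rather than trying to
    reproduce IIS rule-precedence here."""
    rules = authorization_rules(webconfig_xml)

    removed_inherited_allow = any(
        tag == "remove" and attrib.get("users") == "*"
        for tag, attrib in rules
    )
    denies_everyone = any(
        tag == "add"
        and attrib.get("accessType", "").lower() == "deny"
        and attrib.get("users") == "*"
        and not attrib.get("verbs")  # a verbs list would narrow the Deny
        for tag, attrib in rules
    )
    adds_allow = any(
        tag == "add" and attrib.get("accessType", "").lower() == "allow"
        for tag, attrib in rules
    )
    return removed_inherited_allow and denies_everyone and not adds_allow


if __name__ == "__main__":
    # Read a real web.config path from the command line, or fall back to the samples.
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(sys.argv[1], "denies all web access:", denies_all_web_access(fh.read()))
    else:
        print("article snippet denies all web access:", denies_all_web_access(DENY_ALL_WEBCONFIG))
        print("allow-all counter-example denies all web access:", denies_all_web_access(ALLOW_ALL_WEBCONFIG))
```

Run it against a folder's web.config (`python check_webconfig.py path\to\folder\web.config`, the script name being an assumption). A True result is the static half of the check; the runtime half is the article's own point: a browser request for a file in that folder should be refused by IIS, while a PHP script elsewhere in the site can still include or read the same file, because URL Authorization is consulted in the web server's request pipeline and not by the file system.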
Apache Access Control
Sorry, still not done.