Hello,
following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
server running a Internet Application.;
1. What is the difference between MIME types & ISAPI filter.
2. How can I restrict a file (*.pdf) from being accessed directly from the
URL through ISAPI filter.
3. How can i secure directories & files in II6.0
Regards
Ibrahim
"Ibrahim."
news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> Hello,
>
> following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
> server running a Internet Application.;
>
> 1. What is the difference between MIME types & ISAPI filter.
A MIME type is a header that the server sends back to the client to tell the
client (e.g. browser) what type of file is coming.
ISAPI is an extensibility API for IIS, which allows you to write code that
extends the functionality of IIS
> 2. How can I restrict a file (*.pdf) from being accessed directly from the
> URL through ISAPI filter.
You need to write an ISAPI filter that does that. You can use something like
URLScan (which is an ISAPI filter from Microsoft) to prevent direct requests
for .pdf files.
> 3. How can i secure directories & files in II6.0
There are lots of ways. You need to tell us what "secure" means in your
case.
Cheers
Ken
Hello Ken,
The problem I'm facing is that I'm able to secure the directories but not
the documents (*.pdf). This is basically a upload folder in virtual directory
which has read/write permission set.
If the attacker is aware of the file name, he can directly access the file
without even loggin in to the sytem by specifying the path in the URL.
I would appreciate if you can guide me in how to secure basic entities that
are not supposed to be accessed by the outside world.
Thanks in advance.
Ibrahim.
"Ken Schaefer" wrote:
> "Ibrahim."
> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> > Hello,
> >
> > following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
> > server running a Internet Application.;
> >
> > 1. What is the difference between MIME types & ISAPI filter.
>
> A MIME type is a header that the server sends back to the client to tell the
> client (e.g. browser) what type of file is coming.
>
> ISAPI is an extensibility API for IIS, which allows you to write code that
> extends the functionality of IIS
>
>
> > 2. How can I restrict a file (*.pdf) from being accessed directly from the
> > URL through ISAPI filter.
>
> You need to write an ISAPI filter that does that. You can use something like
> URLScan (which is an ISAPI filter from Microsoft) to prevent direct requests
> for .pdf files.
>
>
> > 3. How can i secure directories & files in II6.0
>
> There are lots of ways. You need to tell us what "secure" means in your
> case.
>
> Cheers
> Ken
>
>
>
You can either:
a) use NTFS permissions. The user needs a valid username/password to read
the file
b) write your own authN mechanism. Store the PDFs outside the webroot (so
they are not accessible directly). Instead you have an ASP.NET page (or ASP,
or PHP, or whatever) that authenticates/authorizes the user. If the user is
allowed to access the file, you read it off the disk (e.g. using the
FileSystemObject) and stream it to the user
Cheers
Ken
"Ibrahim."
news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> Hello Ken,
>
> The problem I'm facing is that I'm able to secure the directories but not
> the documents (*.pdf). This is basically a upload folder in virtual
> directory
> which has read/write permission set.
>
> If the attacker is aware of the file name, he can directly access the file
> without even loggin in to the sytem by specifying the path in the URL.
>
> I would appreciate if you can guide me in how to secure basic entities
> that
> are not supposed to be accessed by the outside world.
>
> Thanks in advance.
>
> Ibrahim.
>
>
>
>
> "Ken Schaefer" wrote:
>
>> "Ibrahim."
>> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
>> > Hello,
>> >
>> > following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
>> > server running a Internet Application.;
>> >
>> > 1. What is the difference between MIME types & ISAPI filter.
>>
>> A MIME type is a header that the server sends back to the client to tell
>> the
>> client (e.g. browser) what type of file is coming.
>>
>> ISAPI is an extensibility API for IIS, which allows you to write code
>> that
>> extends the functionality of IIS
>>
>>
>> > 2. How can I restrict a file (*.pdf) from being accessed directly from
>> > the
>> > URL through ISAPI filter.
>>
>> You need to write an ISAPI filter that does that. You can use something
>> like
>> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
>> requests
>> for .pdf files.
>>
>>
>> > 3. How can i secure directories & files in II6.0
>>
>> There are lots of ways. You need to tell us what "secure" means in your
>> case.
>>
>> Cheers
>> Ken
>>
>>
>>
Hi Ken,
About your point # (a);
Yes this is achieved. Permission are set. Having said that further the web
site uses forms authentication mode, that means username/password are looked
up in a database. No windows authentication is done.
About your point # (b)
The system uses a authentication mechanishm through forms authentication.
Unauthroized access is prevented whenever Asp page are accessed, but when a
document is accessed throught the URL directly then I need to authenticate
forceful browsing too?
Thanks in advance.
"Ken Schaefer" wrote:
> You can either:
> a) use NTFS permissions. The user needs a valid username/password to read
> the file
>
> b) write your own authN mechanism. Store the PDFs outside the webroot (so
> they are not accessible directly). Instead you have an ASP.NET page (or ASP,
> or PHP, or whatever) that authenticates/authorizes the user. If the user is
> allowed to access the file, you read it off the disk (e.g. using the
> FileSystemObject) and stream it to the user
>
> Cheers
> Ken
>
> "Ibrahim."
> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> > Hello Ken,
> >
> > The problem I'm facing is that I'm able to secure the directories but not
> > the documents (*.pdf). This is basically a upload folder in virtual
> > directory
> > which has read/write permission set.
> >
> > If the attacker is aware of the file name, he can directly access the file
> > without even loggin in to the sytem by specifying the path in the URL.
> >
> > I would appreciate if you can guide me in how to secure basic entities
> > that
> > are not supposed to be accessed by the outside world.
> >
> > Thanks in advance.
> >
> > Ibrahim.
> >
> >
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> "Ibrahim."
> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> >> > Hello,
> >> >
> >> > following are my questions with regard to ASP.NET 2.0, II6.0 & Win2003
> >> > server running a Internet Application.;
> >> >
> >> > 1. What is the difference between MIME types & ISAPI filter.
> >>
> >> A MIME type is a header that the server sends back to the client to tell
> >> the
> >> client (e.g. browser) what type of file is coming.
> >>
> >> ISAPI is an extensibility API for IIS, which allows you to write code
> >> that
> >> extends the functionality of IIS
> >>
> >>
> >> > 2. How can I restrict a file (*.pdf) from being accessed directly from
> >> > the
> >> > URL through ISAPI filter.
> >>
> >> You need to write an ISAPI filter that does that. You can use something
> >> like
> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
> >> requests
> >> for .pdf files.
> >>
> >>
> >> > 3. How can i secure directories & files in II6.0
> >>
> >> There are lots of ways. You need to tell us what "secure" means in your
> >> case.
> >>
> >> Cheers
> >> Ken
> >>
> >>
> >>
>
>
>
Your problem comes about because:
1. you are turning off IIS-enforced authentication/authorization
requirements. You are using Forms Authentication which maps to one specific
NT User account, and that User account already has access. Thus, anyone that
can escape Forms Authentication, as you've discovered, has access to the
resource. In other words, you are not using ACLs so ACLs won't help you.
2. You are using custom authentication mechanism and then forget to apply it
to all web-accessible resources -- which you've noticed that attackers
knowing the exact URL can sidestep your custom authentication.
If you want ASP.Net based forms-authentication to apply to all resource
types, then configure aspnet_isapi.dll as a Wildcard Application Mapping. Of
course, doing this is technically not supported, and it takes a little more
knowledge of ASP.Net and IIS6 and has some caveats to be aware of.
I suggest reading the following blog entries to get an understanding of
what's going on and hopefully you'll see what you need to do:
http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_II S_6_Request_Processing_Basics_Part_1.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/15/Why_Wild card_application_mapping_can_disable_Default_Document_resolu tion.aspx
http://blogs.msdn.com/david.wang/archive/2005/10/16/Why_Wild card_application_mapping_is_not_catching_404s.aspx
http://blogs.msdn.com/david.wang/archive/2006/04/28/HOWTO_Ru n_Console_Applications_from_IIS6_on_Windows_Server_2003_Part _2.aspx
FYI: all of this has nothing to do with ISAPI Filters nor MIME Types because
you are talking about AuthN and AuthZ with ASP.Net.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Ibrahim."
news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> Hi Ken,
>
> About your point # (a);
>
> Yes this is achieved. Permission are set. Having said that further the web
> site uses forms authentication mode, that means username/password are
> looked
> up in a database. No windows authentication is done.
>
> About your point # (b)
>
> The system uses a authentication mechanishm through forms authentication.
> Unauthroized access is prevented whenever Asp page are accessed, but when
> a
> document is accessed throught the URL directly then I need to authenticate
> forceful browsing too?
>
> Thanks in advance.
>
>
>
>
> "Ken Schaefer" wrote:
>
>> You can either:
>> a) use NTFS permissions. The user needs a valid username/password to read
>> the file
>>
>> b) write your own authN mechanism. Store the PDFs outside the webroot (so
>> they are not accessible directly). Instead you have an ASP.NET page (or
>> ASP,
>> or PHP, or whatever) that authenticates/authorizes the user. If the user
>> is
>> allowed to access the file, you read it off the disk (e.g. using the
>> FileSystemObject) and stream it to the user
>>
>> Cheers
>> Ken
>>
>> "Ibrahim."
>> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
>> > Hello Ken,
>> >
>> > The problem I'm facing is that I'm able to secure the directories but
>> > not
>> > the documents (*.pdf). This is basically a upload folder in virtual
>> > directory
>> > which has read/write permission set.
>> >
>> > If the attacker is aware of the file name, he can directly access the
>> > file
>> > without even loggin in to the sytem by specifying the path in the URL.
>> >
>> > I would appreciate if you can guide me in how to secure basic entities
>> > that
>> > are not supposed to be accessed by the outside world.
>> >
>> > Thanks in advance.
>> >
>> > Ibrahim.
>> >
>> >
>> >
>> >
>> > "Ken Schaefer" wrote:
>> >
>> >> "Ibrahim."
>> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
>> >> > Hello,
>> >> >
>> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
>> >> > Win2003
>> >> > server running a Internet Application.;
>> >> >
>> >> > 1. What is the difference between MIME types & ISAPI filter.
>> >>
>> >> A MIME type is a header that the server sends back to the client to
>> >> tell
>> >> the
>> >> client (e.g. browser) what type of file is coming.
>> >>
>> >> ISAPI is an extensibility API for IIS, which allows you to write code
>> >> that
>> >> extends the functionality of IIS
>> >>
>> >>
>> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
>> >> > from
>> >> > the
>> >> > URL through ISAPI filter.
>> >>
>> >> You need to write an ISAPI filter that does that. You can use
>> >> something
>> >> like
>> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
>> >> requests
>> >> for .pdf files.
>> >>
>> >>
>> >> > 3. How can i secure directories & files in II6.0
>> >>
>> >> There are lots of ways. You need to tell us what "secure" means in
>> >> your
>> >> case.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >>
>> >>
>>
>>
>>
You are not using NTFS permissions - you are using a feature of ASP.NET
(forms authentication), which only works (by default) for files processed by
the ASP.NET ISAPI extension. For an explanation ofwhat is happening (and a
diagram that makes it easier to understand) see:
http://www.microsoft.com/technet/community/columns/insider/i isi1005.mspx#ELG
That also has instructions on how to configure additional file types to be
handled by ASP.NET
Cheers
Ken
"Ibrahim."
news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> Hi Ken,
>
> About your point # (a);
>
> Yes this is achieved. Permission are set. Having said that further the web
> site uses forms authentication mode, that means username/password are
> looked
> up in a database. No windows authentication is done.
>
> About your point # (b)
>
> The system uses a authentication mechanishm through forms authentication.
> Unauthroized access is prevented whenever Asp page are accessed, but when
> a
> document is accessed throught the URL directly then I need to authenticate
> forceful browsing too?
>
> Thanks in advance.
>
>
>
>
> "Ken Schaefer" wrote:
>
>> You can either:
>> a) use NTFS permissions. The user needs a valid username/password to read
>> the file
>>
>> b) write your own authN mechanism. Store the PDFs outside the webroot (so
>> they are not accessible directly). Instead you have an ASP.NET page (or
>> ASP,
>> or PHP, or whatever) that authenticates/authorizes the user. If the user
>> is
>> allowed to access the file, you read it off the disk (e.g. using the
>> FileSystemObject) and stream it to the user
>>
>> Cheers
>> Ken
>>
>> "Ibrahim."
>> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
>> > Hello Ken,
>> >
>> > The problem I'm facing is that I'm able to secure the directories but
>> > not
>> > the documents (*.pdf). This is basically a upload folder in virtual
>> > directory
>> > which has read/write permission set.
>> >
>> > If the attacker is aware of the file name, he can directly access the
>> > file
>> > without even loggin in to the sytem by specifying the path in the URL.
>> >
>> > I would appreciate if you can guide me in how to secure basic entities
>> > that
>> > are not supposed to be accessed by the outside world.
>> >
>> > Thanks in advance.
>> >
>> > Ibrahim.
>> >
>> >
>> >
>> >
>> > "Ken Schaefer" wrote:
>> >
>> >> "Ibrahim."
>> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
>> >> > Hello,
>> >> >
>> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
>> >> > Win2003
>> >> > server running a Internet Application.;
>> >> >
>> >> > 1. What is the difference between MIME types & ISAPI filter.
>> >>
>> >> A MIME type is a header that the server sends back to the client to
>> >> tell
>> >> the
>> >> client (e.g. browser) what type of file is coming.
>> >>
>> >> ISAPI is an extensibility API for IIS, which allows you to write code
>> >> that
>> >> extends the functionality of IIS
>> >>
>> >>
>> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
>> >> > from
>> >> > the
>> >> > URL through ISAPI filter.
>> >>
>> >> You need to write an ISAPI filter that does that. You can use
>> >> something
>> >> like
>> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
>> >> requests
>> >> for .pdf files.
>> >>
>> >>
>> >> > 3. How can i secure directories & files in II6.0
>> >>
>> >> There are lots of ways. You need to tell us what "secure" means in
>> >> your
>> >> case.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >>
>> >>
>>
>>
>>
Hi,
Thanks for your informative reply & links. I'm working out possible way out
for this solution.
Thanks.
"David Wang [Msft]" wrote:
> Your problem comes about because:
> 1. you are turning off IIS-enforced authentication/authorization
> requirements. You are using Forms Authentication which maps to one specific
> NT User account, and that User account already has access. Thus, anyone that
> can escape Forms Authentication, as you've discovered, has access to the
> resource. In other words, you are not using ACLs so ACLs won't help you.
>
> 2. You are using custom authentication mechanism and then forget to apply it
> to all web-accessible resources -- which you've noticed that attackers
> knowing the exact URL can sidestep your custom authentication.
>
>
> If you want ASP.Net based forms-authentication to apply to all resource
> types, then configure aspnet_isapi.dll as a Wildcard Application Mapping. Of
> course, doing this is technically not supported, and it takes a little more
> knowledge of ASP.Net and IIS6 and has some caveats to be aware of.
>
> I suggest reading the following blog entries to get an understanding of
> what's going on and hopefully you'll see what you need to do:
> http://blogs.msdn.com/david.wang/archive/2005/10/14/HOWTO_II S_6_Request_Processing_Basics_Part_1.aspx
> http://blogs.msdn.com/david.wang/archive/2005/10/15/Why_Wild card_application_mapping_can_disable_Default_Document_resolu tion.aspx
> http://blogs.msdn.com/david.wang/archive/2005/10/16/Why_Wild card_application_mapping_is_not_catching_404s.aspx
> http://blogs.msdn.com/david.wang/archive/2006/04/28/HOWTO_Ru n_Console_Applications_from_IIS6_on_Windows_Server_2003_Part _2.aspx
>
> FYI: all of this has nothing to do with ISAPI Filters nor MIME Types because
> you are talking about AuthN and AuthZ with ASP.Net.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Ibrahim."
> news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> > Hi Ken,
> >
> > About your point # (a);
> >
> > Yes this is achieved. Permission are set. Having said that further the web
> > site uses forms authentication mode, that means username/password are
> > looked
> > up in a database. No windows authentication is done.
> >
> > About your point # (b)
> >
> > The system uses a authentication mechanishm through forms authentication.
> > Unauthroized access is prevented whenever Asp page are accessed, but when
> > a
> > document is accessed throught the URL directly then I need to authenticate
> > forceful browsing too?
> >
> > Thanks in advance.
> >
> >
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> You can either:
> >> a) use NTFS permissions. The user needs a valid username/password to read
> >> the file
> >>
> >> b) write your own authN mechanism. Store the PDFs outside the webroot (so
> >> they are not accessible directly). Instead you have an ASP.NET page (or
> >> ASP,
> >> or PHP, or whatever) that authenticates/authorizes the user. If the user
> >> is
> >> allowed to access the file, you read it off the disk (e.g. using the
> >> FileSystemObject) and stream it to the user
> >>
> >> Cheers
> >> Ken
> >>
> >> "Ibrahim."
> >> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> >> > Hello Ken,
> >> >
> >> > The problem I'm facing is that I'm able to secure the directories but
> >> > not
> >> > the documents (*.pdf). This is basically a upload folder in virtual
> >> > directory
> >> > which has read/write permission set.
> >> >
> >> > If the attacker is aware of the file name, he can directly access the
> >> > file
> >> > without even loggin in to the sytem by specifying the path in the URL.
> >> >
> >> > I would appreciate if you can guide me in how to secure basic entities
> >> > that
> >> > are not supposed to be accessed by the outside world.
> >> >
> >> > Thanks in advance.
> >> >
> >> > Ibrahim.
> >> >
> >> >
> >> >
> >> >
> >> > "Ken Schaefer" wrote:
> >> >
> >> >> "Ibrahim."
> >> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> >> >> > Hello,
> >> >> >
> >> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
> >> >> > Win2003
> >> >> > server running a Internet Application.;
> >> >> >
> >> >> > 1. What is the difference between MIME types & ISAPI filter.
> >> >>
> >> >> A MIME type is a header that the server sends back to the client to
> >> >> tell
> >> >> the
> >> >> client (e.g. browser) what type of file is coming.
> >> >>
> >> >> ISAPI is an extensibility API for IIS, which allows you to write code
> >> >> that
> >> >> extends the functionality of IIS
> >> >>
> >> >>
> >> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
> >> >> > from
> >> >> > the
> >> >> > URL through ISAPI filter.
> >> >>
> >> >> You need to write an ISAPI filter that does that. You can use
> >> >> something
> >> >> like
> >> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
> >> >> requests
> >> >> for .pdf files.
> >> >>
> >> >>
> >> >> > 3. How can i secure directories & files in II6.0
> >> >>
> >> >> There are lots of ways. You need to tell us what "secure" means in
> >> >> your
> >> >> case.
> >> >>
> >> >> Cheers
> >> >> Ken
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
hi ken,
Thanks for your reply. I'm working out implement this by adding a filter
(*.pdf) to ISAPI filter.
Thanks.
"Ken Schaefer" wrote:
> You are not using NTFS permissions - you are using a feature of ASP.NET
> (forms authentication), which only works (by default) for files processed by
> the ASP.NET ISAPI extension. For an explanation ofwhat is happening (and a
> diagram that makes it easier to understand) see:
> http://www.microsoft.com/technet/community/columns/insider/i isi1005.mspx#ELG
>
> That also has instructions on how to configure additional file types to be
> handled by ASP.NET
>
> Cheers
> Ken
>
> "Ibrahim."
> news:685FA525-6671-42EB-A56F-8EC95C981626@microsoft.com...
> > Hi Ken,
> >
> > About your point # (a);
> >
> > Yes this is achieved. Permission are set. Having said that further the web
> > site uses forms authentication mode, that means username/password are
> > looked
> > up in a database. No windows authentication is done.
> >
> > About your point # (b)
> >
> > The system uses a authentication mechanishm through forms authentication.
> > Unauthroized access is prevented whenever Asp page are accessed, but when
> > a
> > document is accessed throught the URL directly then I need to authenticate
> > forceful browsing too?
> >
> > Thanks in advance.
> >
> >
> >
> >
> > "Ken Schaefer" wrote:
> >
> >> You can either:
> >> a) use NTFS permissions. The user needs a valid username/password to read
> >> the file
> >>
> >> b) write your own authN mechanism. Store the PDFs outside the webroot (so
> >> they are not accessible directly). Instead you have an ASP.NET page (or
> >> ASP,
> >> or PHP, or whatever) that authenticates/authorizes the user. If the user
> >> is
> >> allowed to access the file, you read it off the disk (e.g. using the
> >> FileSystemObject) and stream it to the user
> >>
> >> Cheers
> >> Ken
> >>
> >> "Ibrahim."
> >> news:0FE76551-E317-4DCE-9B5F-3CA48FD7DA25@microsoft.com...
> >> > Hello Ken,
> >> >
> >> > The problem I'm facing is that I'm able to secure the directories but
> >> > not
> >> > the documents (*.pdf). This is basically a upload folder in virtual
> >> > directory
> >> > which has read/write permission set.
> >> >
> >> > If the attacker is aware of the file name, he can directly access the
> >> > file
> >> > without even loggin in to the sytem by specifying the path in the URL.
> >> >
> >> > I would appreciate if you can guide me in how to secure basic entities
> >> > that
> >> > are not supposed to be accessed by the outside world.
> >> >
> >> > Thanks in advance.
> >> >
> >> > Ibrahim.
> >> >
> >> >
> >> >
> >> >
> >> > "Ken Schaefer" wrote:
> >> >
> >> >> "Ibrahim."
> >> >> news:743AEC0F-7F55-4E6A-90C8-5F6C50BB4C27@microsoft.com...
> >> >> > Hello,
> >> >> >
> >> >> > following are my questions with regard to ASP.NET 2.0, II6.0 &
> >> >> > Win2003
> >> >> > server running a Internet Application.;
> >> >> >
> >> >> > 1. What is the difference between MIME types & ISAPI filter.
> >> >>
> >> >> A MIME type is a header that the server sends back to the client to
> >> >> tell
> >> >> the
> >> >> client (e.g. browser) what type of file is coming.
> >> >>
> >> >> ISAPI is an extensibility API for IIS, which allows you to write code
> >> >> that
> >> >> extends the functionality of IIS
> >> >>
> >> >>
> >> >> > 2. How can I restrict a file (*.pdf) from being accessed directly
> >> >> > from
> >> >> > the
> >> >> > URL through ISAPI filter.
> >> >>
> >> >> You need to write an ISAPI filter that does that. You can use
> >> >> something
> >> >> like
> >> >> URLScan (which is an ISAPI filter from Microsoft) to prevent direct
> >> >> requests
> >> >> for .pdf files.
> >> >>
> >> >>
> >> >> > 3. How can i secure directories & files in II6.0
> >> >>
> >> >> There are lots of ways. You need to tell us what "secure" means in
> >> >> your
> >> >> case.
> >> >>
> >> >> Cheers
> >> >> Ken
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>