file extensions and IIS
on 01.11.2007 23:20:31 by Zester
Hi,
I'm wondering which file extensions are treated as "exposed" and which are
"hidden" by IIS? I was told that the .bak file is exposed, so external
users can actually browse and see the content of files with the .bak extension, but I
couldn't reproduce it. Thanks for your advice and pointers.
Re: file extensions and IIS
on 02.11.2007 06:32:13 by David Wang
IIS does not treat file extensions as "hidden" or "exposed".
So, the behavior of .bak file that you describe does not exist, and I
don't really know what you are trying to reproduce.
What IIS *does* do is route all requests by file extension to be
"handled" (i.e. processed) by something. That something is called a
"handler", and the handler decides what to do with the resource.
It sounds like you want to make a directory browseable and .bak files
downloadable, which means you want to enable Directory Browsing for a
directory and set a MIME Type for the .bak extension to enable its
contents to be browsed and seen by a browsing user.
Please search for documentation on "Directory Browsing" and "MIME
Type" on how to accomplish them. If they are not what you want, please
describe further what behavior you want.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: file extensions and IIS
on 02.11.2007 17:31:23 by Zester
No, that wasn't what I was looking for. I'm concerned about the security
risk of exposing content of files that we didn't intend to. The .bak file
might be a web.config.bak that contains some sensitive info; I don't want
users to have access to it.
Re: file extensions and IIS
on 03.11.2007 03:53:30 by David Wang
Ok, I see.
The behavior of IIS completely depends on its configuration, and it
can be configured to do what you say, or not what you want. There is
no feature which says "hide or expose resources by extension".
However, it is possible to hide or expose resources by extension with
a combination of configuration.
Thus, one needs to know the IIS version, the MIME Type, and
Application Mapping configuration which applies to the URL in
question.
Prior to IIS6, default configuration would allow .bak to be
downloaded, while IIS6 and later would not allow .bak to be
downloaded. And of course, there are many ways to configure IIS to do
the opposite of its defaults.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: file extensions and IIS
on 05.11.2007 19:38:13 by Zester
Is there a way to audit which files are allowed to be downloaded by the default
configuration? I looked into the IIS5 Application Configuration dialog and
didn't see .bak in the mapping for the website, but it was allowed to
be downloaded, as you pointed out. IIS6 doesn't have the entry either, but
it's not allowed to be downloaded. Sounds like the default configuration is
hidden.
Also, would you know of documentation that walks me through how to block .bak
from being downloaded in IIS5? Thanks!
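The audit asked for in the post above, as an added example that is not part of the thread and not IIS code: walk the web root for leftover copies (.bak, .old and similar), add the usual backup variants of the config files that matter, and then GET each path to see which ones the server actually hands to an anonymous client. This closes the gap the poster describes: the filesystem says what exists, the HTTP probe says what the server's (possibly hidden) extension configuration will serve. The suffix list, the sensitive file names, the constructed sample web root and the local Python static server are all assumptions of the example; Python's static handler serves any extension, which stands in for the IIS5-default behaviour David describes (an IIS6 default install would answer 404 for an unmapped .bak instead). Run it with no arguments for the offline demo, or as `python audit.py WEBROOT HOST PORT` against a real server (plain HTTP, no authentication).

```python
"""Audit which leftover files (web.config.bak and friends) a web server hands to
an anonymous client.  Added example for this thread, not IIS code or thread code."""
import http.client
import os
import tempfile
import threading
import urllib.parse
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Assumed lists for the example: suffixes editors and deploy scripts leave behind,
# and config files whose backup variants are worth probing even when the walk
# cannot see them (other vhost, no read permission).  Extend for your own estate.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".tmp", ".save", ".swp", ".copy", "~")
SENSITIVE_BASENAMES = ("web.config", "global.asa", "global.asax", "machine.config")


def backup_candidates(webroot):
    """URL paths to probe: every leftover-looking file under webroot, plus the
    usual backup variants of the sensitive config files."""
    paths = set()
    for dirpath, _dirs, files in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        parts = [] if rel == "." else rel.split(os.sep)
        for f in files:
            if f.lower().endswith(BACKUP_SUFFIXES):
                paths.add("/" + "/".join(urllib.parse.quote(p) for p in parts + [f]))
    for base in SENSITIVE_BASENAMES:
        for suffix in BACKUP_SUFFIXES:
            paths.add("/" + base + suffix)
    return sorted(paths)


def probe(host, port, paths, timeout=5.0):
    """GET each path (not HEAD: a handler may answer the two differently) and
    record (status, body length, Content-Type) per path."""
    results = {}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        for p in paths:
            conn.request("GET", p)
            resp = conn.getresponse()
            body = resp.read()  # drain so the connection can be reused
            results[p] = (resp.status, len(body), resp.getheader("Content-Type"))
    finally:
        conn.close()
    return results


def exposed(results):
    """Paths served with a 2xx and a non-empty body, i.e. readable by anyone.
    IIS6 defaults answer 404 for an unmapped .bak; IIS5 defaults send the file."""
    return sorted(p for p, (status, size, _ct) in results.items()
                  if 200 <= status < 300 and size > 0)


def make_sample_webroot():
    """Throwaway web root with constructed files: a live config beside a
    forgotten .bak copy that holds a fake connection string."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "admin"))
    files = {
        "default.aspx": '<%@ Page Language="C#" %>',
        "web.config": "<configuration />",
        "web.config.bak": '<connectionStrings><add name="db" connectionString='
                          '"Server=db;User=sa;Password=constructed-secret" /></connectionStrings>',
        os.path.join("admin", "users.asp.old"): "<% ' constructed leftover %>",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args): pass  # silence per-request log lines


def start_local_static_server(webroot):
    """Serve webroot on 127.0.0.1 in a background thread; return (server, port).
    Python's static handler serves any extension, like an IIS5 default install,
    so it stands in for the 'everything is downloadable' case."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # real target: python audit.py WEBROOT HOST PORT
        root, host, port, server = sys.argv[1], sys.argv[2], int(sys.argv[3]), None
    else:                   # offline demo against the constructed web root
        root = make_sample_webroot()
        server, port = start_local_static_server(root)
        host = "127.0.0.1"
    results = probe(host, port, backup_candidates(root))
    for p in exposed(results):
        print("EXPOSED", p, results[p])
    if server is not None:
        server.shutdown()
```

A 200 with a body on any of these paths is a finding regardless of which IIS version or handler produced it; on an IIS5 default install the .bak will come back as application/octet-stream, on IIS6 defaults the same request is a 404. The durable fix is to keep backup copies out of the web root altogether, since any extension-based block only covers the suffixes someone thought to list.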
Re: file extensions and IIS
on 08.11.2007 01:34:21 by Zester
I'm taking the lack of a response to mean there is no way to perform the audit [sigh].
This is how a security hole can become a big nasty hole, because it gives
users a false sense of security. Who knows which sensitive files out there
are being exposed to hackers because of the lack of this audit feature!