Install Config Wiki

All about installing, configuring and troubleshooting

User Tools

Site Tools


Sidebar

Wiki Topics

wiki:deny_web_access_to_a_folder_by_adding_a_request_filter_to_iis_web.config

Deny web access to a folder by adding a request filter to IIS7 web.config file

Stop IIS from serving direct access to certain folders

IIS 7 by default doesn’t server some website folders and files such App_Data, App_Code, bin, App_GlobalResourses, App_LocalResources, Web.config, etc.

Open Internet Information Services Manager and select the website that you are interesting in denying web access to certain folders within that site. You can either add a properly configured web.config file to the website root, or add a web.config file within the particular sub-directory of the root, to block access to those directories / folders from web browsers.

Or you can use Request Filtering to Add a “Deny” list for each folder you want to restrict access, such as /data/, /_cgi-bin/, /admin/, etc. This deny sequence list can be configured in the web.config file within the root, or you can deny access by creating a properly scripted web.config file within the 'denied' sub-folder itself.

Directions to Deny Direct Access to Certain folders using Request Filtering

  1. In IIS 7 Manager, select the website under 'Sites“
  2. Click the 'Request Filtering' icon in the middle pane
  3. Select the '-url' Tab in the middle pane
  4. Click 'Deny Sequence' in the 'Actions' pane to the right side of the interface
  5. Now, Add the path of the first sub-folder between forward slashes, such as /data/
  6. Click the OK button to add that sub-folder to the Deny Sequence list in the 'url' Tab pane
  7. Repeat 'Deny Sequence' to create a list of all folders for which direct web browser access should be denied
  8. Switch from Features view by clicking the 'Content View' view at the bootm of the middle pane
  9. Click Ok to Save the these additions to the web.config file
  10. Test your web interface by trying to directly access any 'denied' folder in your url deny sequence list
wiki/deny_web_access_to_a_folder_by_adding_a_request_filter_to_iis_web.config.txt · Last modified: 2017/11/15 21:19 (external edit)