Deny web access to a folder by adding a request filter to IIS7 web.config file
Stop IIS from serving direct access to certain folders
IIS 7 by default doesn’t serve some website folders and files, such as App_Data, App_Code, bin, App_GlobalResources, App_LocalResources, Web.config, etc.
Open Internet Information Services Manager and select the website in which you want to deny web access to certain folders. You can either add a properly configured web.config file to the website root, or add a web.config file within the particular sub-directory of the root, to block access to those directories / folders from web browsers.
Or you can use Request Filtering to add a “Deny” list entry for each folder you want to restrict access to, such as /data/, /_cgi-bin/, /admin/, etc. This deny sequence list can be configured in the web.config file within the root, or you can deny access by creating a properly scripted web.config file within the 'denied' sub-folder itself.
Directions to Deny Direct Access to Certain folders using Request Filtering
- In IIS 7 Manager, select the website under 'Sites'
- Click the 'Request Filtering' icon in the middle pane
- Select the 'URL' tab in the middle pane
- Click 'Deny Sequence' in the 'Actions' pane to the right side of the interface
- Now, add the path of the first sub-folder between forward slashes, such as /data/
- Click the OK button to add that sub-folder to the Deny Sequence list in the 'URL' tab pane
- Repeat 'Deny Sequence' to create a list of all folders for which direct web browser access should be denied
- Switch from Features View to Content View by clicking 'Content View' at the bottom of the middle pane
- Click OK to save these additions to the web.config file
- Test your web interface by trying to directly access any 'denied' folder in your url deny sequence list
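
For reference, this is the kind of root web.config the steps above produce, written by hand as an added example (it is not taken from the original page); the three folder names are the ones used as examples in the text, and the comments note two behaviours worth checking when you test.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: root web.config with a Request Filtering deny list.
     Folder names /data/, /_cgi-bin/ and /admin/ are the page's examples. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Each entry is matched as a substring of the request URL, not as
             an anchored path: "/data/" also blocks /shop/data/report.csv.
             Pick sequences that do not occur in URLs you still need to serve. -->
        <denyUrlSequences>
          <add sequence="/data/" />
          <add sequence="/_cgi-bin/" />
          <add sequence="/admin/" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- Expected result when testing: a request containing a denied sequence is
     rejected with HTTP 404, substatus 5 (404.5, URL sequence denied).
     Remote clients see a plain 404; the substatus appears in the
     sc-substatus field of the IIS log, which is the place to confirm that
     Request Filtering, and not a missing file, produced the response. -->
```

Because the sequences include the trailing slash, also request the folder name without it (for example /data) when testing and confirm the response is what you expect.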