Protecting Files/Folders, Deny Web Server, Allow PHP

We would like to provide an extra level of security for files and folders that we can’t move outside the web server document root. A common scenario with shared web hosting is that IIS or Apache and PHP run under the same user account. We can give this additional security by leveraging the difference effect that allow / deny directives have on the web server versus their effect on PHP. In short, we can direct the web server not to go there, while at the same time allow PHP.

IIS Authorization Rules

  • To allow/deny IIS, URL Authorization must be “turned on.” In IIS Manager->Connections select the server or a site, then ensure “Features View.” Is “Authorization Rules” in the feature list?
Screen shot of IIS Manager > Server > Features dialog box
Administration Tools > IIS Manger
  • If not turn it on in Control Panel->Programs and Features->Turn Windows features on or off … Please wait …IIS->WWW Services->Security-> check the box for “URL Authorization”
Screen shot of Windows Features dialog box
Control Panel > Programs & Features
  • click OK to turn on URL Authorization
  • Confirm in IIS Manager Authorization Rules are now available

Using IIS Manager handle editing the web.config for all folders-directories in the connections tree.

Example web.config Deny All access to a folder, IIS7.5

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Deny" users="*" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

Apache Access Control

Sorry, still not done.

Leave a comment

Your email address will not be published. Required fields are marked *

39 + = 49