如何从 iis7 中的 web 停止 web 站点目录外部文件访问

Question

I have a windows server 2008. i'm adding few web site using IIS7. But all web can access outside file. for example:

@{ DirectoryInfo di=new DirectoryInfo("c:\\");}
@foreach (var item in di.GetFiles())
{
    <div>@item.FullName</div>
}

This code enumerate files successfully. I need to configure can't access outside web site directory. Only use inside files and folder

How to do that?

Answer 1

You could create a new user that has limited permissions and set to run app pool under this user.

To change Identity of an AppPool (ie Specify what credentials the App Pool is running as)

1. Open IIS
2. Select Application Pools in the Connections tree
3. Select the Application Pool
4. Right Click and select Advance Settings.
5. Find Process Model / Identity. The default may read ApplicationPoolIdentity
6. Click to the value (eg ApplicationPoolIdentity)
7. Click the ellipsis that appears to the right
8. Select a built in account or click custom account
9. If Custom account was chosen, click Set and specify the Windows account and password
10. Click OK to close the Set Credentials dialog
11. Click OK to close the Application Pool Identity dialog
12. Click OK to close the Advanced Settings dialog.
13. Recycle the Application Pool.

You can also set identity in the web.config file:

<system.web>
  <identity impersonate="true"
            userName="UserName"
            password="Password"/>
</system.web>

Answer 2

the code you are showing does not mean that external individuals can access files on your server, all that it shows is that a program RUNNING on your server can access files on the server which make sense.

If you want to prevent a program from accessing those files then add security permissions to them for a user that is not the user that runs the program you want to prevent from accessing them.

If you are looking to secure a directory look at using .htaccess (very basic security) or take into account Alex's solution