IIS 5 & IIS 6
File Type Restrictions in IIS
Last post Sep 11, 2019 06:17 AM by Jalpa Panchal
Sep 10, 2019 03:36 PM|gainera
My IIS knowledge is limited, so I'm hoping someone can assist me with a task I've been assigned. One of our IIS-based applications allows users to upload PDFs. This in itself is not an issue; however, the problem we have is that when a PDF is uploaded it shows the URL path, and if that user emails that path to someone else internally who is not logged into the application, they can still view the PDF, which can contain sensitive data.
Is there any way within IIS to configure a rule to block other users from opening the PDF except for the user uploading it direct from the application?
Is it also possible to have a landing page so that if anyone else tried to access a file, i.e. a PDF, they got a message like:
Forbidden - you have been blocked from performing this action.
I hope this all makes sense.
Sep 11, 2019 06:17 AM|Jalpa Panchal
You could use the <location> tag to restrict users for a specific folder or file.
Below is a code example to restrict users for a specific file:
<allow users="John"/> <!-- allow John; note: you can have multiple users separated by commas, e.g. John,Mary,etc. -->
<deny users="*"/> <!-- deny others -->

<allow roles="Admin, Customers"/> <!-- allow users in the Admin and Customers roles -->
<deny users="*"/> <!-- deny everyone else -->
You could refer to the article below for more detailed information:
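
The <location> approach from the answer above written out as a complete web.config, added here as an example and not part of the original reply. The paths Uploads/report.pdf and Uploads/Customers are placeholders; the user and role names are the ones used in the answer.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Single file. "Uploads/report.pdf" is a placeholder path,
       relative to the application root. -->
  <location path="Uploads/report.pdf">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the allow entry must come before the catch-all deny. -->
        <allow users="John" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Whole folder, by role. "Uploads/Customers" is a placeholder path. -->
  <location path="Uploads/Customers">
    <system.web>
      <authorization>
        <allow roles="Admin,Customers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

These system.web rules are enforced by ASP.NET, so they only protect a PDF if requests for .pdf files are routed through ASP.NET. On IIS 6 that means mapping the extension to the ASP.NET ISAPI DLL; otherwise IIS serves the file as static content without consulting the rules.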