File Type Restrictions in IIS

1 reply

Last post Sep 11, 2019 06:17 AM by Jalpa Panchal

  • File Type Restrictions in IIS

    Sep 10, 2019 03:36 PM | gainera

    Hi All, 

    My IIS knowledge is limited so I'm hoping someone can assist me with a task I've been assigned. One of our IIS-based applications allows users to upload PDFs. This in itself is not an issue; however, the problem we have is that when a PDF is uploaded it shows the URL path, and if that user emails that path to someone else internally who is not logged into the application, they can still view the PDF, which can contain sensitive data.

    Is there any way within IIS to configure a rule to block other users from opening the PDF except for the user uploading it directly from the application?

    Is it also possible to have a landing page so that if anyone else tried to access a file, i.e. a PDF, they got a message like "Forbidden - you have been blocked from performing this action"?

    I hope this all makes sense.

    Thanks

  • Re: File Type Restrictions in IIS

    Sep 11, 2019 06:17 AM | Jalpa Panchal

    Hi,

    You could use the <location> tag to restrict users for a specific folder or file.

    Below is a code example to restrict users for a specific file:

    <location path="test.aspx">
      <system.web>
        <authorization>
          <allow users="John"/> <!-- allow John. Note: you can have multiple users separated by commas, e.g. John,Mary -->
          <deny users="*"/> <!-- deny others -->
        </authorization>
      </system.web>
    </location>

    For a folder:

    <location path="Foldername">
      <system.web>
        <authorization>
          <allow roles="Admin, Customers"/> <!-- allow users in the Admin and Customers roles -->
          <deny users="*"/> <!-- deny everyone else -->
        </authorization>
      </system.web>
    </location>

    You could refer to the article below for more detailed information:

    https://docs.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization

    Regards,

    Jalpa

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
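
Added example, not part of the original thread or of any Microsoft code: a small Python model of how ASP.NET evaluates the <authorization> rules from the answer above (top to bottom, first matching rule decides), so a rule set can be checked for a given user before it is deployed. The wrapping <configuration> element, the file name report.pdf, case-insensitive name matching and all function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config: the two <location> blocks from the answer,
# wrapped in a <configuration> root (assumption) so the XML parses.
WEB_CONFIG = """<configuration>
  <location path="test.aspx">
    <system.web><authorization>
      <allow users="John"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
  <location path="Foldername">
    <system.web><authorization>
      <allow roles="Admin, Customers"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

def _names(rule, attr):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()}

def rule_matches(rule, user, roles):
    """'*' matches everyone, '?' matches anonymous; user=None means anonymous."""
    users = _names(rule, "users")
    if "*" in users:
        return True
    if user is None:
        return "?" in users
    in_role = bool(_names(rule, "roles") & {r.lower() for r in roles})
    return user.lower() in users or in_role

def is_allowed(config_xml, path, user=None, roles=()):
    """Return True if the first matching rule for this path is an <allow>."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    for loc in root.findall("location"):
        scope = loc.get("path", "").strip("/").lower()
        if path != scope and not path.startswith(scope + "/"):
            continue
        for rule in loc.iter():  # document order, so rule order is preserved
            if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
                return rule.tag == "allow"
    return True  # no rule matched: the inherited default is <allow users="*"/>

if __name__ == "__main__":
    print(is_allowed(WEB_CONFIG, "Foldername/report.pdf"))  # anonymous request
```

The model covers only rule evaluation for requests that ASP.NET processes; whether a static file such as a PDF reaches that pipeline depends on the site's handler and module configuration.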