This step-by-step article describes how to configure an ASP.NET
application to block requests for additional file types. By default,
ASP.NET is configured to intercept and to stop requests for several different
file types that are used in ASP.NET applications. These file types are ones
that must not be retrieved by users. These file types include .config files
that store configuration information for the application and .cs files that
store the source code of the application. ASP.NET ensures the privacy of these
files by associating both file types with System.Web.HttpForbiddenHandler.
System.Web.HttpForbiddenHandler returns an error to the user who requests the
file. This method of protecting files can be used for any file type. This
method is useful for protecting files that exist in the folder of the Web
application and must never be retrieved by users.
Edit Script Mappings in Internet Services Manager
Microsoft Internet Information Services (IIS) 5.0 determines how
to handle requests based on the script mapping for the file name extension of
the request. These script mappings are adjusted by using Internet Services
Manager. For ASP.NET to block file types, you must first configure IIS 5.0 to
forward those requests to ASP.NET. To do this, follow these steps:
- On the taskbar, click Start, point to
Settings, and then click Control
- Double-click to open the Administrative
Tools folder and then double-click to run Internet Services
- Right-click the virtual server or the virtual folder that
contains your ASP.NET application and then click
- Select the Home Directory or the
Directory tab. If an application has not been created for the
virtual folder, click Create under Application
- Under Application Settings, click
- To identify the location of the Aspnet_isapi.dll file that
handles the ASP.NET requests, select the .aspx application
mapping and then click Edit.
- The Add/Edit Application Extension Mapping
dialog box appears. Select the text in the Executable field
and then press CTRL+C to copy the text to your Clipboard.
- Click Cancel to return to the
Application Configuration dialog box.
- Now, add application mappings for each extension that you
want ASP.NET to block. To do this, click Add. Then, in the
Executable field, press CTRL+V to paste the path of your
- In the Verbs section, select the
All Verbs option. Verify that the Script
Engine check box is selected and that the Check If File
Exists check box is not selected.
- Click OK.
- Repeat this procedure for every file name extension that
you want to have processed by ASP.NET.
Configure a File Type That You Want Blocked
To block additional file types for an ASP.NET application, follow
- Open the Web.config file in a text editor such as Notepad.
The Web.config file is located in the root directory of your Web
- In the Web.config file add the <httpHandlers> configuration element under the <system.web> element.
Note Do not copy the <httpHandlers> element from the Machine.config file. Copying is
unnecessary because the <httpHandlers> element in the Web.config file permits you to add additional file types without
completely overriding the Machine.config settings.
- In the <httpHandlers> element, use <add> sub tags to specify additional file types that you want blocked.
Set the verb attribute equal to "*". When you do this, you specify that all
types of HTTP requests are blocked. Define the path attribute as a wildcard pattern that matches the types of files
you want to block. For example, you may specify "*.mdb". Finally, set the type attribute to
"System.Web.HttpForbiddenHandler". The code sample that follows shows how to configure the
<httpHandlers> section in the Web.config file:
<httpHandlers>
   <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
   <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
   <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>
- Save the Web.config file. The ASP.NET application
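The following Python script, added here as an example and not part of the original article, checks a Web.config against a file listing and reports which sensitive files are mapped to System.Web.HttpForbiddenHandler for all verbs, for only some verbs, or not at all. The sample configuration, the file list, the .bak extension and the function names are constructed for illustration, and the script assumes the path wildcard is compared with the file name only.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample Web.config: *.csv is blocked for GET only.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
      <add verb="GET" path="*.csv" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.private" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed file listing of an application folder.
SAMPLE_FILES = ["Default.aspx", "data/Orders.MDB", "export/report.csv",
                "notes.private", "backup/site.bak"]

def forbidden_rules(config_xml):
    """Return (path pattern, verb set) for each <add> mapped to HttpForbiddenHandler."""
    rules = []
    for handlers in ET.fromstring(config_xml).iter("httpHandlers"):
        for add in handlers.findall("add"):
            # The type attribute may carry an assembly name after a comma.
            handler = add.get("type", "").split(",")[0].strip()
            if handler == FORBIDDEN:
                verbs = {v.strip().upper() for v in add.get("verb", "").split(",")}
                rules.append((add.get("path", "").lower(), verbs))
    return rules

# .bak is an extra extension assumed for illustration; the others are from the article.
def audit(config_xml, files, sensitive=(".mdb", ".csv", ".private", ".bak")):
    """Classify sensitive files as blocked, partial (some verbs only) or unblocked."""
    rules = forbidden_rules(config_xml)
    report = {}
    for name in files:
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if not base.endswith(tuple(sensitive)):
            continue
        matches = [verbs for pattern, verbs in rules if fnmatch.fnmatchcase(base, pattern)]
        full = any("*" in verbs for verbs in matches)
        report[name] = "blocked" if full else "partial" if matches else "unblocked"
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG, SAMPLE_FILES).items():
        print(f"{status:10} {name}")
```

A "blocked" result covers only the Web.config side; the IIS script mapping from the first procedure must still forward that extension to ASP.NET.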
For additional information, click the following article
numbers to view the articles in the Microsoft Knowledge Base:
HOW TO: Secure an ASP.NET Application by Using Windows Security
HOW TO: Secure an ASP.NET Application Using Client-Side Certificates
HOW TO: Secure Applications That Are Built on the .NET Framework