How to password protect files and directories under Windows 2008/IIS 7.0
We have created a Password Protection application which works with .NET which you can use to secure files and folders under your Windows 2008/IIS 7.0 hosting account. This application will not run under Windows 2003 and IIS 6.
Disclaimer: This application has been tested with myhosting.com accounts using the Windows 2008/IIS 7.0/.NET 2.0 platform, and cannot be confirmed to work with any other hosting provider or any other hosting platform. Please note that this software should be used at your own risk. myhosting.com takes no responsibility for the use or misuse of the software. Further, myhosting.com takes no responsibility for any potential failure of the software resulting in the exposure of secured files or directories as a result of the software's use or misuse.
Download & Contents
To start, you will need to download the application. Once you have downloaded the .ZIP file, you will need to extract the contents to your computer. You should then see the following files and directories:
File or Directory Name | Description
users.xml | This file should be uploaded to the root directory of your hosting account.
/wwwroot | This directory already exists on your hosting account. All the other files and directories should be uploaded inside the wwwroot directory.
login.aspx | This file handles all the login requests for your secure area.
web.config | This file is used to enforce the security policy, and specifies which directories are secured and what users are allowed to access them.
/admin | This directory contains the password protection administration area.
admin.aspx (in /admin) | This is the administrator management file for the application.
/secure | This is the directory you can use for storing your secure files.
Default.aspx (in /secure) | The default document for your secure area.
Next you will need to upload all the files and create all the directories on your site. Please make sure when uploading that you preserve the directory and file structure. This will ensure that the application functions as designed.
Please Note: If you already have a web.config file on your site, you will need to merge the contents of this file with the one which exists on your site already.
User Administration
Once everything is on your site, you should then open your browser and connect to http://your-site.com/admin/admin.aspx, replacing "your-site.com" with your actual domain name. You can then log in using:
Username: Admin
Password: changethis
Once you have logged in, you should see 2 existing users named Admin and User. The first thing you should do is to change the Admin password to one that is strong and unique. To do this, type the new password in the field provided and click on Hash Pass. Copy the text that it displays, and Edit the Admin user to change the password.
There is also a test user named User which you can use to experiment with.
Username: User
Password: keepitsecret
It is recommended that you either delete this user or change the password before you start using the application to secure files and directories. In addition, you can create as many other users as you need.
Securing Files and Folders
By default, the directories named secure and admin are the only directories that are protected. The admin directory is set to allow only the Admin user to login. Since this is where all users are configured, this was added as an extra level of security. The secure directory allows all authenticated users to log in, while not allowing anonymous or unauthenticated users access. You can place any files or directories under the secure directory and they will automatically be password protected.
If you want to change the name of the secured directory, add new secured directories or edit who is allowed to access which directories, you will need to edit the web.config file. Once you open the file, you'll see an entry like this:
    <location path="secure">
        <system.web>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>
If you want to secure another directory, you can create a similar entry and change the value of the location path.
Allow and Deny Users
- IMPORTANT: At the very least, for a directory to be secured you must deny access to anonymous or unauthenticated users (using a ?) as follows:
<deny users="?"/>
- If you want to allow only certain users to access the directory and deny everyone else, list the specific exceptions in the allow users section and then deny all users (using a *). The allow entry must come before the deny entry, because the rules are checked from top to bottom and the first one that matches is applied. In this example, all users are prevented from logging in except username1 and username2:
    <allow users="username1,username2"/>
    <deny users="*"/>
- If you want to deny all users, you can use * as a wildcard in the deny users section.
- You should not use the * or ? wildcards in the allow users section, as it will allow access to all users and all anonymous/unauthenticated users.
IMPORTANT: The allow users section is optional, but it is highly recommended that a deny users section is always used. If you do not include a deny users section, all visitors to your site will be able to access the directory. Therefore you should never remove the deny users section.
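The allow and deny rules above can be checked offline before the web.config is uploaded. The following Python script is an added example, not part of the myhosting.com application: it reads each location entry and applies its rules top to bottom, first match deciding, to list who gets into each directory. The sample web.config is constructed; reports, drafts and open are hypothetical directories, and the script assumes no parent configuration adds further rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the download): "secure" matches the
# article; "reports", "drafts" and "open" are hypothetical directories.
SAMPLE = """<configuration>
  <location path="secure"><system.web><authorization>
    <deny users="?"/>
  </authorization></system.web></location>
  <location path="reports"><system.web><authorization>
    <allow users="username1,username2"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <location path="drafts"><system.web><authorization>
    <allow users="*"/>
    <deny users="?"/>
  </authorization></system.web></location>
  <location path="open"><system.web><authorization>
    <allow users="username1"/>
  </authorization></system.web></location>
</configuration>"""

def is_allowed(rules, user):
    """user=None means anonymous. The first matching rule decides."""
    for action, names in rules:
        for name in names:
            if name == "*" or (name == "?" and user is None) or name == user:
                return action == "allow"
    # Assumption: no inherited rule denies, so an unmatched request gets in.
    return True

def audit(config_xml):
    """Return {location path: [probe users who are let in]}."""
    probes = [None, "username1", "someoneelse"]
    result = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = loc.find("system.web/authorization")
        rules = [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
                 for r in (auth if auth is not None else [])]
        result[loc.get("path")] = [u for u in probes if is_allowed(rules, u)]
    return result

if __name__ == "__main__":
    for path, who in audit(SAMPLE).items():
        print(path, "->", ["anonymous" if u is None else u for u in who])
```

A None entry in a result means anonymous visitors get in, which happens for drafts (the allow * entry matches before the deny is reached) and for open (there is no deny entry at all).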