How to Securely Hide a Directory of Text Files in IIS: Preventing Unauthorized Access and Directory Listing


When trying to hide a directory of text files in IIS, many developers first attempt using the traditional ASP.NET authorization method in web.config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.web>
        <authorization>
            <deny users="*" /> <!-- Denies all users -->
        </authorization>
    </system.web>
</configuration>

This approach fails because:

  • It only works for ASP.NET managed content
  • Static files (like .txt) bypass ASP.NET authorization
  • Directory browsing settings are controlled at server level

To properly secure your text files directory, you need a multi-layered approach:

1. Disable Directory Listing

<configuration>
    <system.webServer>
        <directoryBrowse enabled="false" />
    </system.webServer>
</configuration>

2. Add Request Filtering

<system.webServer>
    <security>
        <requestFiltering>
            <hiddenSegments>
                <add segment="your_directory_name" />
            </hiddenSegments>
        </requestFiltering>
    </security>
</system.webServer>

3. Implement URL Authorization (IIS 7+)

<system.webServer>
    <security>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Deny" users="?" /> <!-- Deny anonymous -->
            <add accessType="Allow" users="DOMAIN\username" />
        </authorization>
    </security>
</system.webServer>

Using a Deny Rule in web.config

The URL Rewrite rule below answers 403 for any request whose path ends in .txt. Note that the pattern is matched against the whole site, so every .txt URL is blocked, not only the ones in your directory; narrow the pattern if other text files must stay reachable.

<system.webServer>
    <rewrite>
        <rules>
            <rule name="BlockTextFiles" stopProcessing="true">
                <match url=".*\.txt$" />
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

Moving Files Outside Web Root

The most secure approach is to keep the files somewhere IIS never serves directly (outside the web root, or in App_Data, which ASP.NET registers as a hidden segment by default) and to serve them through a handler that checks both the caller and the requested name:

using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
    // The handler, not IIS, now decides who may read these files, so check the caller first.
    if (!User.Identity.IsAuthenticated)
    {
        Response.StatusCode = 403;
        return;
    }

    // Accept only a bare .txt file name (no separators, no "..", no unusual characters),
    // so the query string cannot steer the lookup outside secure_files.
    string name = Request.QueryString["file"] ?? "";
    bool validName = Regex.IsMatch(name, @"^[A-Za-z0-9_-]+\.txt$");
    string filePath = validName ? Server.MapPath("~/App_Data/secure_files/" + name) : null;
    if (filePath == null || !File.Exists(filePath))
    {
        Response.StatusCode = 404;   // same answer for disallowed and missing names
        return;
    }

    Response.ContentType = "text/plain";
    Response.WriteFile(filePath);
    Response.End();
}

After implementation, test with:

  • Direct URL access attempts
  • Directory browsing attempts
  • Different authentication states

Remember to restart IIS or the application pool after making configuration changes.


The web.config authorization settings you've tried only control who can access the content, not whether the content is exposed. When you deny all users but don't disable directory browsing, IIS will still show the directory structure to unauthenticated users.

Here's a comprehensive web.config setup that achieves three security objectives simultaneously:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="your_directory_name" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

This configuration combines multiple IIS security features:

  • Authorization: Blocks all users (as you already had)
  • Directory Browsing: Disables the directory listing entirely
  • Request Filtering: Makes the directory "officially" hidden in IIS

For more granular control, consider using URL Rewrite to block access:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="BlockTextFiles" stopProcessing="true">
          <match url=".*\.txt$" />
          <action type="CustomResponse" statusCode="403" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Always test your security measures:

  1. Try accessing the directory directly in browser
  2. Attempt to access a known file in the directory
  3. Check server logs for 403 responses
  4. Verify no directory listing appears even with exact URL
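Both test lists on this page (the one after the multi-layered setup and the one just above) can be scripted so the checks are repeatable after every configuration change. The PowerShell below is an added example, not part of the original article. It assumes the site answers at $BaseUrl, that the protected directory is the "your_directory_name" hidden segment from the web.config above, that $KnownFile names a .txt file you know exists there, and that $LogPath points at the site's W3C log (C:\inetpub\logs\LogFiles\W3SVC1 is the default folder; the file name is a placeholder). All four values are placeholders to adjust.

```powershell
# Added verification script; it is not part of the original article.
# Placeholders to adjust: $BaseUrl, $Directory (the hidden segment from web.config),
# $KnownFile (a .txt file that exists in the directory) and $LogPath (the site's W3C log).
param(
    [string]$BaseUrl   = 'https://localhost',
    [string]$Directory = 'your_directory_name',
    [string]$KnownFile = 'known_file.txt',
    [string]$LogPath   = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240101.log'
)

# One GET, returning the status code and body; 4xx/5xx are treated as results,
# not as terminating errors. Works on Windows PowerShell 5.1 and PowerShell 7.
function Get-HttpResult {
    param([string]$Url, [switch]$Authenticated)
    $p = @{ Uri = $Url; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($Authenticated) { $p.UseDefaultCredentials = $true }   # send the current Windows identity
    try {
        $r = Invoke-WebRequest @p
        return [pscustomobject]@{ Code = [int]$r.StatusCode; Body = [string]$r.Content }
    } catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # DNS/TLS/connection failure, not an HTTP status
        return [pscustomobject]@{ Code = [int]$resp.StatusCode; Body = '' }
    }
}

# Status codes logged for requests under the directory, read from the W3C log.
# The '#Fields:' header gives the column order, so no column index is hard-coded.
function Get-DirectoryLogSummary {
    param([string]$LogPath, [string]$Directory)
    $fields = @()
    $codes = foreach ($line in Get-Content -Path $LogPath) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
        $cols = $line -split ' '
        $uri  = $cols[[array]::IndexOf($fields, 'cs-uri-stem')]
        if ($uri -like "/$Directory/*" -or $uri -eq "/$Directory") {
            $cols[[array]::IndexOf($fields, 'sc-status')]
        }
    }
    $codes | Group-Object | Sort-Object Name | Select-Object @{ n = 'Status'; e = { $_.Name } }, Count
}

$checks = @(
    @{ Name = 'Directory URL, anonymous';        Url = "$BaseUrl/$Directory/";           Auth = $false }
    @{ Name = 'Known file, anonymous';           Url = "$BaseUrl/$Directory/$KnownFile"; Auth = $false }
    @{ Name = 'Directory URL, Windows identity'; Url = "$BaseUrl/$Directory/";           Auth = $true  }
    @{ Name = 'Known file, Windows identity';    Url = "$BaseUrl/$Directory/$KnownFile"; Auth = $true  }
)

$failed = $false
$results = foreach ($c in $checks) {
    $res = Get-HttpResult -Url $c.Url -Authenticated:$c.Auth
    # IIS directory listings always contain this link, whatever the page title says.
    $listing = $res.Body -match '\[To Parent Directory\]'
    # A hidden segment answers 404, a deny rule 401/403. Anonymous requests must never get
    # anything else; an authenticated 200 on the file is acceptable only when an Allow rule
    # names that identity, so authenticated checks fail only on a directory listing.
    $blocked = $res.Code -in 401, 403, 404
    $pass = (-not $listing) -and ($c.Auth -or $blocked)
    if (-not $pass) { $failed = $true }
    [pscustomobject]@{ Check = $c.Name; Status = $res.Code; Listing = $listing; Pass = $pass }
}
$results | Format-Table -AutoSize

if (Test-Path -Path $LogPath) {
    "Status codes logged for /$Directory/ in $LogPath"
    Get-DirectoryLogSummary -LogPath $LogPath -Directory $Directory | Format-Table -AutoSize
}

if ($failed) { exit 1 }
```

Run it once before and once after the change (and once more after recycling the application pool) and compare the tables: the anonymous rows must show 401, 403 or 404 with Listing false, and the log summary should show only those codes for the directory. Because hiddenSegments answers 404 regardless of identity, the authenticated rows also end up 404 when that setting is in place; they only return 200 if you rely on URL authorization with an Allow rule instead.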

If you need to allow certain IPs while blocking others: