How to Restrict Directory Access in IIS7 Using web.config: Block File Access with Authorization Rules


3 views

When working with IIS7+, developers often need to protect sensitive configuration files or directories from public web access. The web.config approach provides a convenient way to implement access restrictions without modifying server-wide settings.

Your initial approach was correct in principle, but needed additional configuration for IIS7's integrated pipeline. Here's the complete solution:

The missing section explains why your initial config failed. IIS7+ runs in two modes:

  • Classic mode: Uses only authorization
  • Integrated mode: Requires both and

1. Restricting Specific File Types

2. IP-Based Restrictions

When troubleshooting:

  1. Check application pool pipeline mode (Integrated vs Classic)
  2. Verify inheritance (use if needed)
  3. Examine IIS request filtering conflicts
  4. Review failed request tracing logs
  • Always test with different browsers (some cache 401 responses)
  • Combine with NTFS permissions for defense in depth
  • Consider using tags for precise path control
  • Document restrictions in web.config comments

When working with IIS7+, many developers need to prevent web access to sensitive directories containing configuration files, logs, or other private data. While the web.config approach seems straightforward, there are several layers of configuration that can affect its behavior.

For modern IIS installations (7+), you'll need a two-pronged approach:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
    <system.webServer>
        <handlers>
            <remove name="StaticFile" />
        </handlers>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="protected-folder" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

The original configuration only handles ASP.NET pipeline requests. Many static files (like .txt, .config) are served directly by IIS's static file handler before reaching the ASP.NET authorization module. The solution above:

  1. Blocks all users via ASP.NET authorization
  2. Removes the static file handler override
  3. Adds request filtering as additional protection

To verify your setup:

1. Try accessing a test.txt file in the protected directory
2. Check IIS logs (%SystemDrive%\inetpub\logs\LogFiles)
3. Use Failed Request Tracing for detailed analysis:
   - In IIS Manager: Sites > Your Site > Failed Request Tracing Rules
   - Create rule for 401 or 404 status codes

For highly sensitive directories:

<location path="TopSecret" allowOverride="false">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>
  • Inherited configurations from parent folders
  • Handler mappings in applicationHost.config
  • Feature delegation settings in IIS Manager
  • NTFS permissions conflicting with web permissions