I'm taking the no response as there is no way to perform the audit [sigh]
users a false sense of security. Who knows which sensitive files out there
"Zester" <zeze@nottospam.com> wrote in message
news:%23wBYHs9HIHA.3400@TK2MSFTNGP03.phx.gbl...
> Is there a way to audit which files are allowed to be downloaded by
> default configuration? I looked into IIS5 Application Configuration dialog
> and didn't see .bak to be in the mapping for the website but it was
> allowed to be downloaded as you pointed out. IIS6 doesn't have the entry
> either but it's not allowed to be downloaded. Sounds like the default
> configuration is hidden.
>
> Also, would you know of documentation that walks me through how to block
> .bak from being downloaded in IIS5? Thanks!
>
> "David Wang" <w3.4you@gmail.com> wrote in message
> news:1194058410.973691.294860@e9g2000prf.googlegroups.com...
>> Ok, I see.
>>
>> The behavior of IIS completely depends on its configuration, and it
>> can be configured to do what you say, or not what you want. There is
>> no feature which says "hide or expose resources by extension".
>> However, it is possible to hide or expose resources by extension with
>> a combination of configuration.
>>
>> Thus, one needs to know the IIS version, the MIME Type, and
>> Application Mapping configuration which applies to the URL in
>> question.
>>
>> Prior to IIS6, default configuration would allow .bak to be
>> downloaded, while IIS6 and later would not allow .bak to be
>> downloaded. And of course, there are many ways to configure IIS to do
>> the opposite of its defaults.
>>
>>
>> //David
>>
>> http://w3-4u.blogspot.com
>> http://blogs.msdn.com/David.Wang
>> //
>>
>> On Nov 2, 9:31 am, "Zester" <z...@nottospam.com> wrote:
>>> No, that wasn't what I was looking for. I'm concerned about the security
>>> risk of exposing content of files that we didn't intend to. The .bak file
>>> might be a web.config.bak that contains some sensitive info; I don't want
>>> users to have access to it.
>>>
>>> "David Wang" <w3.4...@gmail.com> wrote in message
>>> news:1193981533.581025.25860@q3g2000prf.googlegroups.com...
>>>
>>> > On Nov 1, 3:20 pm, "Zester" <z...@nottospam.com> wrote:
>>> >> Hi,
>>>
>>> >> I'm wondering which file extensions are treated as "exposed" and which are
>>> >> "hidden" by the IIS? I was told that the .bak file is exposed so external
>>> >> users can actually browse and see content of files with .bak extension but I
>>> >> couldn't reproduce it. Thanks for your advice and pointers.
>>>
>>> > IIS does not treat file extensions as "hidden" or "exposed".
>>>
>>> > So, the behavior of .bak file that you describe does not exist, and I
>>> > don't really know what you are trying to reproduce.
>>>
>>> > What IIS *does* do is route all requests by file extension to be
>>> > "handled" (i.e. processed) by something. That something is called a
>>> > "handler", and the handler decides what to do with the resource.
>>>
>>> > It sounds like you want to make a directory browseable and .bak files
>>> > downloadable, which means you want to enable Directory Browsing for a
>>> > directory and set a MIME Type for the .bak extension to enable its
>>> > contents to be browsed and seen by a browsing user.
>>>
>>> > Please search for documentation on "Directory Browsing" and "MIME
>>> > Type" on how to accomplish them. If they are not what you want, please
>>> > describe further what behavior you want.
>>>
>>> > //David
>>> > http://w3-4u.blogspot.com
>>> > http://blogs.msdn.com/David.Wang
>>> > //
>
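
An added example, not written by anyone in this thread and not IIS code: a webroot audit that models the point made in the quoted reply, that whether a file can be downloaded depends on the IIS version together with the Application Mapping and MIME Type configuration. The decision rule is a simplified assumption, and `SCRIPT_MAP`, `MIME_MAP`, `EXPECTED` and the sample file names are constructed; replace the maps with the values read from the server being audited.

```python
import os
import tempfile

# Simplified model, stated as an assumption (these are not real IIS defaults):
#  - an extension in the application (script) map goes to its handler, never raw
#  - "pre-iis6": every other file is sent as-is
#  - "iis6+":    every other file is sent only if its extension has a MIME type
SCRIPT_MAP = {".asp", ".aspx", ".config"}                      # constructed
MIME_MAP = {".htm", ".html", ".css", ".js", ".txt", ".gif"}    # constructed
EXPECTED = {".htm", ".html", ".css", ".js", ".gif"}            # content meant to be public


def served_raw(name, mode):
    """True if the model would return the file's bytes to a client."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_MAP:
        return False
    if mode == "pre-iis6":
        return True
    if mode == "iis6+":
        return ext in MIME_MAP
    raise ValueError("unknown mode: " + mode)


def audit(webroot, mode):
    """List files that would be downloadable but are not expected public content."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if served_raw(name, mode) and ext not in EXPECTED:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway directory tree with constructed file names."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ("index.html", "web.config", "web.config.bak",
                "app/default.aspx", "app/default.aspx.old", "notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for mode in ("pre-iis6", "iis6+"):
        print(mode, audit(sample, mode))
```

In the sample tree, `web.config.bak` is reported under the pre-IIS6 rule because only its last extension, `.bak`, is matched against the maps, which is the exposure the thread is concerned about.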