I have a website where users upload files through a CMS.
e.g. http://www.mysite.com/uploadedfiles/file1.txt
I want to stop users on the internet being able to enter this URL into a browser and access these files directly. How can I do this?
I still need to allow IIS to read, modify and delete these files through the CMS though.
I would recommend either saving the files to a non-web-accessible directory, or creating a random name before saving to disk.
How about configuring the site to accept connections only from the ip address of the CMS?
Go to "Request Filtering" and disallow the specific URL (in the "URL" tab).
In order to make this secure, you'll have to implement it in your application in a different way.
Save the uploaded files in a folder that isn't accessible through a web request, for example in an external folder, D:\WebData\MyApp\Uploads. Make sure that the Network Service account has "modify" access on this directory (for your CMS app). Then, implement an HTTP handler in ASP.NET that checks the Session of the CMS user and allows them to only download/modify/access their own files.
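A sketch of the handler described in the answer above, added here as an example and not part of the original answer. It assumes the CMS stores a server-assigned user id string in Session["UserId"] at login and keeps each user's uploads in a subfolder named after that id; the class name and the "file" query parameter are hypothetical.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Serves files from a folder outside the web root, only to the
// logged-in CMS user who owns them.
public class UploadDownloadHandler : IHttpHandler, IRequiresSessionState
{
    // Folder from the answer; it is not under the site's content root,
    // so IIS never maps a URL to it directly.
    private const string UploadRoot = @"D:\WebData\MyApp\Uploads";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Assumption: set by the CMS at login, never taken from the request.
        string userId = context.Session["UserId"] as string;
        if (string.IsNullOrEmpty(userId)) { Reject(context, 401); return; }

        // Accept a bare file name only: '\', '/', ':' and control characters
        // are all in GetInvalidFileNameChars() on Windows.
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) { Reject(context, 400); return; }

        // Assumption: uploads are stored as Uploads\<userId>\<file>.
        string userDir = Path.GetFullPath(Path.Combine(UploadRoot, userId))
                         + Path.DirectorySeparatorChar;
        string fullPath = Path.GetFullPath(Path.Combine(userDir, name));

        // After canonicalisation the path must still sit inside the user's own
        // folder; this also rejects names such as "..".
        if (!fullPath.StartsWith(userDir, StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath)) { Reject(context, 404); return; }

        // Force a download and stop the browser from sniffing the content as HTML.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + name + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(fullPath);
    }

    private static void Reject(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
    }
}
```

The handler is registered in web.config under system.webServer/handlers; an unauthenticated request, or one naming a file outside the caller's own folder, gets a status code and no file content.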
Go to Authorization Rules, then add a Deny Rule for all users on the desired folder.