How do I deny access to .dll files in a web site (on both IIS 6 and 7)

Question

If I use an URL like http://mysite/myfolder/myfile.dll, I get a dialog "Do you want to open or save this file". Of course, I don't want people to be able to download and disassembly our dll's. How can I deny people accessing such files directly ?

Answer 1

Denying all dll's is drastic in an asp.net site, as Silverlight etc use client dll's that need to be available for download by the client browser.

You could use IIS Management Console or Management API's to disable authentication on the dll's file or directory.

Simply uncheck all authentication options and access will be denied.

Answer 2

Usually this is disallowed by default. If you go into the IIS manager and edit the website, you need to uncheck 'script source access.' DLL should also be on the list of forbidden file extensions.

Answer 3

The short answer is that there should be no files which you don't want to serve underneath the web root.

I don't personally know IIS 6 or 7, but under Apache, a directory is designated as the web root, e.g. \site\htdocs, and nothing above it is accessible to the outside. If you keep your DLL files out of that hierarchy, then they are inaccessible.

Answer 4

Set appropriate windows file security and access rights.

E.g. when you are using asp.net you should deny access to the .dll for all users except the ASPNET account.

!The IUSR_xxx account should have no rights to your .dll!

Answer 5

If for some reason script mappings in IIS cannot be changed, HttpForbiddenHandler can be used