Securing No-Touch Deployment

[Guest]

I need to deploy a no-touch app. There seems to be conflicting information about how IIS needs to be configured to handle this. One issue is the config file associated with the app. I've read that I need to remove the .config entry from my App Mappings in IIS, yet, it seems I can get and see the config file regardless of whether or not I remove this entry. I'm using the default settings of IIS 5.0. So my first question is, "Do I need to remove the .config entry from my App Mappings for the Virtual that I set up to deploy my app?

The second question relates to how to secure the Auto Deploy directory in IIS. I've read that I need to have Anonymous Access checked in order for the .config file to be deployed. Is this true? It seems I can't use Windows Authentication by itself. If that's the case, how can I secure access to the site? Thank you.

 

[Guest]

I just asked a similar question yesterday, i got my no touch working with app.config files but i had to enable anonymous access for that file. I also had to remove the .config file mapping by converting the virtual dir to an application dir

I used a network sniffer and the IIS logs to find out what was happenning. IE asks for the file 3 times in my setup. The first time it provides credentials with its request but fails to do so on the 2 other requests which is why it requires anonymous access enabled. This is what i found by fiddling around

So i don't have any solution for now but i understand better what's going on

 

[Guest]

See this (http://www.ondotnet.com/lpt/a/3154) regarding the "tweak" you mention, which amounts to putting a Web.config fil in your NTD directory to allow .config files but not allow web.config files.

My problem is I can't seem to prevent the config file from being downloaded. I've got the .config entry in my App Mappings and it still is viewable in a browser. I'm missing something or have something not so obvious configured incorrectly.

Regarding security, is client certificates the only way to secure access to a NTD site? Would Digest work? Neither are very nice options though.

 

[Guest]

----- Norm Dotti wrote: ----

See this (http://www.ondotnet.com/lpt/a/3154) regarding the "tweak" you mention, which amounts to putting a Web.config fil in your NTD directory to allow .config files but not allow web.config files.

I came across this page before but didn't use the info. My NTD dir is dedicated to NTD, no web apps in that dir currently. Thanks for the link

My problem is I can't seem to prevent the config file from being downloaded. I've got the .config entry in my App Mappings and it still is viewable in a browser. I'm missing something or have something not so obvious configured incorrectly.

You're talking about the web.config file here, right? Maybe check which verbs are allowed on the web.config file..

Regarding security, is client certificates the only way to secure access to a NTD site? Would Digest work? Neither are very nice options though.

My plan was originally to protect all the files using windows authentication. Now everything is still under windows authentication except for my app.config files. I changed the Authentication to Anonymous for those files only, i had to do that for one file at a time, which isn't great..

 

[Ying-Shen Yu[MSFT]]

Hi,

"Do I need to remove the .config entry from my App Mappings for the Virtual
that I set up to deploy my app?"

In default .NET Framework configuartion, all .config files are handled by
ASP.NET using the System.Web.HttpForbiddenHandler, which return 403
immediately. in your scneario that could not prevent .exe.config from
downloading, I suggest you checking the web.config and machine.config if
you had added some special handlers for the .exe.config or .dll.config
file? for example, I added
<add verb="GET,HEAD" path="*.exe.config"
type="System.Web.StaticFileHandler"/>
in my machine.config so that the .exe.config file is allowed to download
while other *.config file are still fobidden.

I'm not sure if the anonymous access right is required on the .exe.config
file, I'll try to find someone to confirm it and update this thread later.
If you have anything unclear about my reply, pelase feel free to reply this
thread.
Thanks!

Best regards,

Ying-Shen Yu [MSFT]
Microsoft Community Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, please remove the word "online"
before sending mail.

 

[Guest]

I'd really like if someone can confirm if anonymous access is really needed for the .exe.config file

This would solve the only problem we currently have with no touch deployment

Thanks

----- "Ying-Shen Yu[MSFT]" wrote: ----

Hi

"Do I need to remove the .config entry from my App Mappings for the Virtual
that I set up to deploy my app?

In default .NET Framework configuartion, all .config files are handled by
ASP.NET using the System.Web.HttpForbiddenHandler, which return 403
immediately. in your scneario that could not prevent .exe.config from
downloading, I suggest you checking the web.config and machine.config if
you had added some special handlers for the .exe.config or .dll.config
file? for example, I added
<add verb="GET,HEAD" path="*.exe.config"
type="System.Web.StaticFileHandler"/
in my machine.config so that the .exe.config file is allowed to download
while other *.config file are still fobidden

I'm not sure if the anonymous access right is required on the .exe.config
file, I'll try to find someone to confirm it and update this thread later
If you have anything unclear about my reply, pelase feel free to reply this
thread
Thanks

Best regards,

Ying-Shen Yu [MSFT
Microsoft Community Suppor
Get Secure! - www.microsoft.com/securit

This posting is provided "AS IS" with no warranties and confers no rights
This mail should not be replied directly, please remove the word "online"
before sending mail.

 

[Guest]

Another related question to NTD is if there is a mechanism similar to the one for ASP.NET applications for Authorization. In an ASP.NET or web service app you can specify allow and deny's for users in the authorization node. Trying to put a web.config file in the NTD directory after making the directory an application seemed to be ignored as far as the authorization section. What, if any, are my options regarding Authorization of a NTD web directory? Client certificates?

 

[Ying-Shen Yu[MSFT]]

Hi,

The product group gave me the reply that this is a known issue in .NET
v1.1, .config file needs to be available for anonymous access.

The current workaround is allow anonymous access for app.config on this
virtual directory. then only use it for binding information and to put
application configuration settings into a seperate xml file that the
application downloads sperately and uses without using the configuration
system.

Hope it helps.

Best regards,

Ying-Shen Yu [MSFT]
Microsoft Community Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, please remove the word "online"
before sending mail.

 

[Ying-Shen Yu[MSFT]]

Hi Norm,

I'm not an expert on ASP.NET, so I'm not sure if this is possible, but
since IIS will forward the request to ASP.NET and execute the corresponding
http handler, I think you may try writing custom HTTP handlers to process
the specific request, but it's just a raw idea. I think you'd better ask
this in microsoft.public.dotnet.framework.aspnet group for detail
information.

Thanks!
Best regards,

Ying-Shen Yu [MSFT]
Microsoft Community Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, please remove the word "online"
before sending mail.