Security – How to secure a single file download over HTTP on IIS

authenticationiisSecuritywindows-server-2008-r2

I want to create a download link to a file on my HTTP server (IIS 7.5), for a one time secure download purpose. I don't want the file to be publicly available, the receiver must authenticate.

When user visits the link:

https://www.mydomain.com/download/receiver/file.zip

I want the auth prompt to popup, if the user authenticates, then download should start.

I don't want to create a Windows user account for every file/receiver, that is, as I understand, required for Basic authentication to work. Creating IIS User is acceptable. But I can't seem to find a way to enable IIS Manager Authentication for a certain file or folder, web application, or even a completely new dedicated website.

(FTP is not an option for several reasons.)

Best Answer

This describes a way to do what you ask, although it requires manually editing web.config and changing security permissions on it:

http://blogs.msdn.com/b/carlosag/archive/2008/09/26/using-iis-manager-users-in-your-application.aspx

You might also consider http://www.helicontech.com/ape/ which enables the Apache .htpasswd style authentication, but it isn't free.

What is your objection to creating Windows accounts for this? Perhaps there's a way around your concerns with that, as it would be an easy way to accomplish what you want without adding extras into IIS.

Related Solutions

Using both domain users and local users for Squid authentication

Now, I need a way to allow access to users which don't have a domain account. Can this be done?

Yes.

How?

You can use an "external" ACL helper, which allows you to roll your own mechanism. See the Squid wiki "Multiple Source" entry for more details. This bit of pseudo-code lifted straight from there:

auth_param basic program /usr/local/bin/my-auth.pl
external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} /usr/local/bin/my-acl.pl
acl MyAcl external myAclType
http_access allow MyAcl

... where my-auth.pl is a bit of perl script that performs the actual authentication, and returns OK or ERR as the result.

Security – Our security auditor is an idiot. How to give him the information he wants

First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.

The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.

This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.

Best Answer

Related Solutions

Using both domain users and local users for Squid authentication

Security – Our security auditor is an idiot. How to give him the information he wants

Related Topic