A colleague of mine recently asked me how to secure static content on an IIS server and I thought I would quickly list the steps here for others that are looking for a quick guide on how to do it.
First, the URL Authorization role service should be enabled on the IIS server. To do this, open the Server Manager and go to Roles -> Web Server (IIS) -> Add Role Services and then click the checkbox for URL Authorization.
Next, the Manage pipeline mode should be set to Integrated for the Application Pool that the application is running under. You can verify this by opening the IIS Manager and going to the Connections pane. Expand ‘Sites’ and navigate to your web site (or application). In the Actions pane, click Advanced Settings. Then click on the General Section followed by clicking the Application Pool entry.
Lastly, the web.config will need to instruct IIS to use ASP.NET’s UrlAuthorization Module and / or FormsAuthentication module. Here’s an example for both:
<system.webServer> <modules> . . . removed other modules … <remove name="FormsAuthenticationModule" /> <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" /> <remove name="UrlAuthorization" /> <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" /> </modules>
Forms authentication requires that you specify <authorization> tags. Here’s an example that allows ‘anonymous’ to download images:
<configuration> <system.web> <authorization>
<deny users=”?” />
. . . removed other config . .
</system.web> <location path="ErrorPages"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="Images"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location>
This should be all that is required for securing your static content with ASP.NET forms authentication. For further reading, I would suggest this page.