Hi,

 I'm trying to override IIS and allow config file downloads.  I am using IIS 6 on W2K3.   I have tried using this example that is supposed to allow for all config files except the web.config to be downloaded but it doesn't work.  Is there something else I need to do?

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
        <httpHandlers>
            <remove verb="*" path="*.config" />
<add verb="*" path="web.config" type="System.Web.HttpForbiddenHandler" />
           
        </httpHandlers>
</system.web>
</configuration>

Thanks,

Mike

Map .config handler to aspnet_isapi.dll in IIS.

 I assure you, if site is hosted in internet and some critical information is there, it will be compromised in a week.

.config is simply a security protected masked extension for .xml

I would recommend just changing the extension to .xml

By using .config as an extension on the IIS server is telling the server hey this is for you only (IIS) the server handles this with great selfishnish and does not allow "remote access in any way" to the extension .config

This is the same for Protected folders (App_Data, App_Code, Bin and other extensions such as .dll)

If you really want to allow permissions to the extension .config you will have to do this on the IIS server under security of full trust. If your site is hosted I doubt you will have full trust.

The previous user is correct. I would give it days before someones bot finds a fully open config file and mess's with!!

So with out full trust there is still a solution. Connect via ftp using credentials allows you access to download the config file as is (of course this is full trust!).

Obviously you want to do this via browser and allow others to do so, how about Duplicating the file and changing the extension to .xml then initiating download?

Actually I just had another thought! The above is suited to IIS6

If you are using IIS7 you would need to define your handler in the new section

 <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <!-- Begin REMOVABLE New Error Checking -->
    <httpErrors errorMode="Detailed"/>
    <asp scriptErrorSentToBrowser="true"/>
    <!-- End -->
    <modules>
      <remove name="ScriptModule"/>
      <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    </modules>
    <handlers>
      <remove name="WebServiceHandlerFactory-Integrated"/>
      <remove name="ScriptHandlerFactory"/>
      <remove name="ScriptHandlerFactoryAppServices"/>
      <remove name="ScriptResource"/>
      <remove name="WebServiceHandlerFactory-ISAPI-2.0"/>
      <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    </handlers>
  </system.webServer>

Look forward to your response!