Problems wit accessing "Bin" folder under Win 2003 / IIS 6

You can, but it's not recommended...

In IIS6 there is a global ISAPI filter called aspnet_filter which scans
incoming requests to see if bin is contained in them, and rejects them. You
could remove this filter if you want. However, this filter also provides
support for cookieless ASP.Net sessions, so if you need ASP.Net sessions
(including cookieless sessions), then you can't remove the filter.

Instead, you can use this registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET]
"StopBinFiltering"=dword:00000001

However, you do need to be aware of the security risks you are causing by
making ~/bin available (people could download your ASP.net assemblies for
example)

Cheers
Ken



"Hrvoje Vrbanc" <hrvojev.RemoveThis@recro.hr> wrote in message
news:OccPyUzvDHA.2540@TK2MSFTNGP09.phx.gbl...
: Hello all,
:
: I've discovered that it's impossible to access the content of a folder
named
: Bin in the wwwroot under IIS 6, no matter what permissions are set. Is
there
: a way to circumvent this and to display the content of the Bin folder on
the
: web?
:
: Thank you in advance.
:
: Hrvoje
:
:
 >> Stay informed about: Problems wit accessing "Bin" folder under Win 2003 / IIS 6 

Is that right? I do use files in bin (because the site design was done long
before Asp.Net came along) and in IIS 5 I just set permissions on the files
I need to be able to access, leaving the directory itself not accessible as
Asp.Net wants it. But if aspnet_filter automatically filters out every
single request hitting /bin/ then I better start thinking about moving to a
better platform (since I'd have to re-write the app anyways

Jerry

"Ken Schaefer" <kenREMOVE.RemoveThis@THISadOpenStatic.com> wrote in message
news:u8mqwS6vDHA.3220@tk2msftngp13.phx.gbl...
 > You can, but it's not recommended...
 >
 > In IIS6 there is a global ISAPI filter called aspnet_filter which scans
 > incoming requests to see if bin is contained in them, and rejects them.
You
 > could remove this filter if you want. However, this filter also provides
 > support for cookieless ASP.Net sessions, so if you need ASP.Net sessions
 > (including cookieless sessions), then you can't remove the filter.
 >
 > Instead, you can use this registry key:
 > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET]
 > "StopBinFiltering"=dword:00000001
 >
 > However, you do need to be aware of the security risks you are causing by
 > making ~/bin available (people could download your ASP.net assemblies for
 > example)
 >
 > Cheers
 > Ken
 >
 >
 >
 > "Hrvoje Vrbanc" <hrvojev.RemoveThis@recro.hr> wrote in message
 > news:OccPyUzvDHA.2540@TK2MSFTNGP09.phx.gbl...
 > : Hello all,
 > :
 > : I've discovered that it's impossible to access the content of a folder
 > named
 > : Bin in the wwwroot under IIS 6, no matter what permissions are set. Is
 > there
 > : a way to circumvent this and to display the content of the Bin folder on
 > the
 > : web?
 > :
 > : Thank you in advance.
 > :
 > : Hrvoje
 > :
 > :
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Problems wit accessing "Bin" folder under Win 2003 / IIS 6 

This is true for IIS 6.0.

--
Regards,
Bernard Cheah
<a style='text-decoration: underline;' href="http://support.microsoft.com/" target="_blank">http://support.microsoft.com/</a>
Please respond to newsgroups only ...



"Jerry III" <jerryiii DeleteThis @hotmail.com> ????
news:ewevtj8vDHA.2340@TK2MSFTNGP12.phx.gbl...
 > Is that right? I do use files in bin (because the site design was done
long
 > before Asp.Net came along) and in IIS 5 I just set permissions on the
files
 > I need to be able to access, leaving the directory itself not accessible
as
 > Asp.Net wants it. But if aspnet_filter automatically filters out every
 > single request hitting /bin/ then I better start thinking about moving to
a
 > better platform (since I'd have to re-write the app anyways
 >
 > Jerry
 >
 > "Ken Schaefer" <kenREMOVE DeleteThis @THISadOpenStatic.com> wrote in message
 > news:u8mqwS6vDHA.3220@tk2msftngp13.phx.gbl...
  > > You can, but it's not recommended...
  > >
  > > In IIS6 there is a global ISAPI filter called aspnet_filter which scans
  > > incoming requests to see if bin is contained in them, and rejects them.
 > You
  > > could remove this filter if you want. However, this filter also provides
  > > support for cookieless ASP.Net sessions, so if you need ASP.Net sessions
  > > (including cookieless sessions), then you can't remove the filter.
  > >
  > > Instead, you can use this registry key:
  > > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET]
  > > "StopBinFiltering"=dword:00000001
  > >
  > > However, you do need to be aware of the security risks you are causing
by
  > > making ~/bin available (people could download your ASP.net assemblies
for
  > > example)
  > >
  > > Cheers
  > > Ken
  > >
  > >
  > >
  > > "Hrvoje Vrbanc" <hrvojev DeleteThis @recro.hr> wrote in message
  > > news:OccPyUzvDHA.2540@TK2MSFTNGP09.phx.gbl...
  > > : Hello all,
  > > :
  > > : I've discovered that it's impossible to access the content of a folder
  > > named
  > > : Bin in the wwwroot under IIS 6, no matter what permissions are set. Is
  > > there
  > > : a way to circumvent this and to display the content of the Bin folder
on
  > > the
  > > : web?
  > > :
  > > : Thank you in advance.
  > > :
  > > : Hrvoje
  > > :
  > > :
  > >
  > >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Problems wit accessing "Bin" folder under Win 2003 / IIS 6 

Basically, ASP.Net puts critical stuff (like your .Net Assembly, equivalent
to revealing script code) in /bin , so for security reasons, those
directories cannot be accessible via the web.

Prior to IIS6, what ASP.Net would do is change the metabase AccessFlags
setting to "0" for the /bin dir of the app such that IIS would not allow
read (or any access) at all.

With IIS6, w3wp.exe (including ASP.Net) lost default ability to write to the
metabase, so the above strategy fails... and instead, ASP.Net is filtering
the incoming request URL for access to /bin and disallowing those. Now,
it's supposed to only do this for ASP.Net apps (that was my understanding,
anyway), not every /bin in the URL...

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jerry III" <jerryiii.TakeThisOut@hotmail.com> wrote in message
news:ewevtj8vDHA.2340@TK2MSFTNGP12.phx.gbl...
Is that right? I do use files in bin (because the site design was done long
before Asp.Net came along) and in IIS 5 I just set permissions on the files
I need to be able to access, leaving the directory itself not accessible as
Asp.Net wants it. But if aspnet_filter automatically filters out every
single request hitting /bin/ then I better start thinking about moving to a
better platform (since I'd have to re-write the app anyways

Jerry

"Ken Schaefer" <kenREMOVE.TakeThisOut@THISadOpenStatic.com> wrote in message
news:u8mqwS6vDHA.3220@tk2msftngp13.phx.gbl...
 > You can, but it's not recommended...
 >
 > In IIS6 there is a global ISAPI filter called aspnet_filter which scans
 > incoming requests to see if bin is contained in them, and rejects them.
You
 > could remove this filter if you want. However, this filter also provides
 > support for cookieless ASP.Net sessions, so if you need ASP.Net sessions
 > (including cookieless sessions), then you can't remove the filter.
 >
 > Instead, you can use this registry key:
 > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET]
 > "StopBinFiltering"=dword:00000001
 >
 > However, you do need to be aware of the security risks you are causing by
 > making ~/bin available (people could download your ASP.net assemblies for
 > example)
 >
 > Cheers
 > Ken
 >
 >
 >
 > "Hrvoje Vrbanc" <hrvojev.TakeThisOut@recro.hr> wrote in message
 > news:OccPyUzvDHA.2540@TK2MSFTNGP09.phx.gbl...
 > : Hello all,
 > :
 > : I've discovered that it's impossible to access the content of a folder
 > named
 > : Bin in the wwwroot under IIS 6, no matter what permissions are set. Is
 > there
 > : a way to circumvent this and to display the content of the Bin folder on
 > the
 > : web?
 > :
 > : Thank you in advance.
 > :
 > : Hrvoje
 > :
 > :
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Problems wit accessing "Bin" folder under Win 2003 / IIS 6 

Well, it's still going to be an issue as I used the /bin directory to store
our ISAPI extensions... In IIS 5 I just added a metabase key for each file I
wanted to allow access to, since Asp.Net only blocks the directory itself
(but not any existing file/directory keys in it). If this is going to be
done with a filter that won't allow access to any files within /bin then I'm
***** since I won't have the option to allow access to some files in that
directory. And it is an Asp.Net app, that is using the /bin directory for
ISAPI extensions (the design is from IIS 4 days).

It would be nice to find out why was the decision made to hardcode the /bin
directory for Asp.Net (and not make it a configuration option).

Jerry

"David Wang [Msft]" <someone DeleteThis @online.microsoft.com> wrote in message
news:u5Gm04SwDHA.1876@TK2MSFTNGP09.phx.gbl...
 >
 > Basically, ASP.Net puts critical stuff (like your .Net Assembly,
equivalent
 > to revealing script code) in /bin , so for security reasons, those
 > directories cannot be accessible via the web.
 >
 > Prior to IIS6, what ASP.Net would do is change the metabase AccessFlags
 > setting to "0" for the /bin dir of the app such that IIS would not allow
 > read (or any access) at all.
 >
 > With IIS6, w3wp.exe (including ASP.Net) lost default ability to write to
the
 > metabase, so the above strategy fails... and instead, ASP.Net is filtering
 > the incoming request URL for access to /bin and disallowing those. Now,
 > it's supposed to only do this for ASP.Net apps (that was my understanding,
 > anyway), not every /bin in the URL...
 >
 > --
 > //David
 > IIS
 > This posting is provided "AS IS" with no warranties, and confers no
rights.
 > //
 > "Jerry III" <jerryiii DeleteThis @hotmail.com> wrote in message
 > news:ewevtj8vDHA.2340@TK2MSFTNGP12.phx.gbl...
 > Is that right? I do use files in bin (because the site design was done
long
 > before Asp.Net came along) and in IIS 5 I just set permissions on the
files
 > I need to be able to access, leaving the directory itself not accessible
as
 > Asp.Net wants it. But if aspnet_filter automatically filters out every
 > single request hitting /bin/ then I better start thinking about moving to
a
 > better platform (since I'd have to re-write the app anyways
 >
 > Jerry
 >
 > "Ken Schaefer" <kenREMOVE DeleteThis @THISadOpenStatic.com> wrote in message
 > news:u8mqwS6vDHA.3220@tk2msftngp13.phx.gbl...
  > > You can, but it's not recommended...
  > >
  > > In IIS6 there is a global ISAPI filter called aspnet_filter which scans
  > > incoming requests to see if bin is contained in them, and rejects them.
 > You
  > > could remove this filter if you want. However, this filter also provides
  > > support for cookieless ASP.Net sessions, so if you need ASP.Net sessions
  > > (including cookieless sessions), then you can't remove the filter.
  > >
  > > Instead, you can use this registry key:
  > > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET]
  > > "StopBinFiltering"=dword:00000001
  > >
  > > However, you do need to be aware of the security risks you are causing
by
  > > making ~/bin available (people could download your ASP.net assemblies
for
  > > example)
  > >
  > > Cheers
  > > Ken
  > >
  > >
  > >
  > > "Hrvoje Vrbanc" <hrvojev DeleteThis @recro.hr> wrote in message
  > > news:OccPyUzvDHA.2540@TK2MSFTNGP09.phx.gbl...
  > > : Hello all,
  > > :
  > > : I've discovered that it's impossible to access the content of a folder
  > > named
  > > : Bin in the wwwroot under IIS 6, no matter what permissions are set. Is
  > > there
  > > : a way to circumvent this and to display the content of the Bin folder
on
  > > the
  > > : web?
  > > :
  > > : Thank you in advance.
  > > :
  > > : Hrvoje
  > > :
  > > :
  > >
  > >
 >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Problems wit accessing "Bin" folder under Win 2003 / IIS 6 

Hi Jerry,

The underlying reason for the decision is that security improvements to IIS
invalidated the mechanism that ASP.NET was using in previous IIS versions.
Specifically, a worker process in IIS 6 does not have write access to the
metabase. Because of this, it cannot set the metadata the way that it did
before.

Having their filter intercept requests for the /bin directory was the only
solution available without major rearchitecture, or a compromise in IIS
security.

Thank you,
-Wade A. Hilmo,
-Microsoft

"Jerry III" <jerryiii.DeleteThis@hotmail.com> wrote in message
news:uImRcDWwDHA.1764@TK2MSFTNGP10.phx.gbl...
 > Well, it's still going to be an issue as I used the /bin directory to
store
 > our ISAPI extensions... In IIS 5 I just added a metabase key for each file
I
 > wanted to allow access to, since Asp.Net only blocks the directory itself
 > (but not any existing file/directory keys in it). If this is going to be
 > done with a filter that won't allow access to any files within /bin then
I'm
 > ***** since I won't have the option to allow access to some files in that
 > directory. And it is an Asp.Net app, that is using the /bin directory for
 > ISAPI extensions (the design is from IIS 4 days).
 >
 > It would be nice to find out why was the decision made to hardcode the
/bin
 > directory for Asp.Net (and not make it a configuration option).
 >
 > Jerry
 >
 > "David Wang [Msft]" <someone.DeleteThis@online.microsoft.com> wrote in message
 > news:u5Gm04SwDHA.1876@TK2MSFTNGP09.phx.gbl...
  > >
  > > Basically, ASP.Net puts critical stuff (like your .Net Assembly,
 > equivalent
  > > to revealing script code) in /bin , so for security reasons, those
  > > directories cannot be accessible via the web.
  > >
  > > Prior to IIS6, what ASP.Net would do is change the metabase AccessFlags
  > > setting to "0" for the /bin dir of the app such that IIS would not allow
  > > read (or any access) at all.
  > >
  > > With IIS6, w3wp.exe (including ASP.Net) lost default ability to write to
 > the
  > > metabase, so the above strategy fails... and instead, ASP.Net is
filtering
  > > the incoming request URL for access to /bin and disallowing those. Now,
  > > it's supposed to only do this for ASP.Net apps (that was my
understanding,
  > > anyway), not every /bin in the URL...
  > >
  > > --
  > > //David
  > > IIS
  > > This posting is provided "AS IS" with no warranties, and confers no
 > rights.
  > > //
  > > "Jerry III" <jerryiii.DeleteThis@hotmail.com> wrote in message
  > > news:ewevtj8vDHA.2340@TK2MSFTNGP12.phx.gbl...
  > > Is that right? I do use files in bin (because the site design was done
 > long
  > > before Asp.Net came along) and in IIS 5 I just set permissions on the
 > files
  > > I need to be able to access, leaving the directory itself not accessible
 > as
  > > Asp.Net wants it. But if aspnet_filter automatically filters out every
  > > single request hitting /bin/ then I better start thinking about moving
to
 > a
  > > better platform (since I'd have to re-write the app anyways
  > >
  > > Jerry
  > >
  > > "Ken Schaefer" <kenREMOVE.DeleteThis@THISadOpenStatic.com> wrote in message
  > > news:u8mqwS6vDHA.3220@tk2msftngp13.phx.gbl...
   > > > You can, but it's not recommended...
   > > >
   > > > In IIS6 there is a global ISAPI filter called aspnet_filter which
scans
   > > > incoming requests to see if bin is contained in them, and rejects
them.
  > > You
   > > > could remove this filter if you want. However, this filter also
provides
   > > > support for cookieless ASP.Net sessions, so if you need ASP.Net
sessions
   > > > (including cookieless sessions), then you can't remove the filter.
   > > >
   > > > Instead, you can use this registry key:
   > > > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET]
   > > > "StopBinFiltering"=dword:00000001
   > > >
   > > > However, you do need to be aware of the security risks you are causing
 > by
   > > > making ~/bin available (people could download your ASP.net assemblies
 > for
   > > > example)
   > > >
   > > > Cheers
   > > > Ken
   > > >
   > > >
   > > >
   > > > "Hrvoje Vrbanc" <hrvojev.DeleteThis@recro.hr> wrote in message
   > > > news:OccPyUzvDHA.2540@TK2MSFTNGP09.phx.gbl...
   > > > : Hello all,
   > > > :
   > > > : I've discovered that it's impossible to access the content of a
folder
   > > > named
   > > > : Bin in the wwwroot under IIS 6, no matter what permissions are set.
Is
   > > > there
   > > > : a way to circumvent this and to display the content of the Bin
folder
 > on
   > > > the
   > > > : web?
   > > > :
   > > > : Thank you in advance.
   > > > :
   > > > : Hrvoje
   > > > :
   > > > :
   > > >
   > > >
  > >
  > >
  > >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Problems wit accessing "Bin" folder under Win 2003 / IIS 6 

I understand... But it would be nice to be able to specify which directory
would be the "bin" directory, on an application bases (in web.config). Btw
same goes for temporary files, I had to make an exception to my rule that no
web application should write to the system drive. Asp.Net insists on
creating its temporary files and compiling them under the Windows directory.

Jerry

"Wade A. Hilmo [MS]" <wadeh.DeleteThis@microsoft.com> wrote in message
news:uNsv#5awDHA.3428@TK2MSFTNGP11.phx.gbl...
 > Hi Jerry,
 >
 > The underlying reason for the decision is that security improvements to
IIS
 > invalidated the mechanism that ASP.NET was using in previous IIS versions.
 > Specifically, a worker process in IIS 6 does not have write access to the
 > metabase. Because of this, it cannot set the metadata the way that it did
 > before.
 >
 > Having their filter intercept requests for the /bin directory was the only
 > solution available without major rearchitecture, or a compromise in IIS
 > security.
 >
 > Thank you,
 > -Wade A. Hilmo,
 > -Microsoft
 >
 > "Jerry III" <jerryiii.DeleteThis@hotmail.com> wrote in message
 > news:uImRcDWwDHA.1764@TK2MSFTNGP10.phx.gbl...
  > > Well, it's still going to be an issue as I used the /bin directory to
 > store
  > > our ISAPI extensions... In IIS 5 I just added a metabase key for each
file
 > I
  > > wanted to allow access to, since Asp.Net only blocks the directory
itself
  > > (but not any existing file/directory keys in it). If this is going to be
  > > done with a filter that won't allow access to any files within /bin then
 > I'm
  > > ***** since I won't have the option to allow access to some files in
that
  > > directory. And it is an Asp.Net app, that is using the /bin directory
for
  > > ISAPI extensions (the design is from IIS 4 days).
  > >
  > > It would be nice to find out why was the decision made to hardcode the
 > /bin
  > > directory for Asp.Net (and not make it a configuration option).
  > >
  > > Jerry
  > >
  > > "David Wang [Msft]" <someone.DeleteThis@online.microsoft.com> wrote in message
  > > news:u5Gm04SwDHA.1876@TK2MSFTNGP09.phx.gbl...
   > > >
   > > > Basically, ASP.Net puts critical stuff (like your .Net Assembly,
  > > equivalent
   > > > to revealing script code) in /bin , so for security reasons, those
   > > > directories cannot be accessible via the web.
   > > >
   > > > Prior to IIS6, what ASP.Net would do is change the metabase
AccessFlags
   > > > setting to "0" for the /bin dir of the app such that IIS would not
allow
   > > > read (or any access) at all.
   > > >
   > > > With IIS6, w3wp.exe (including ASP.Net) lost default ability to write
to
  > > the
   > > > metabase, so the above strategy fails... and instead, ASP.Net is
 > filtering
   > > > the incoming request URL for access to /bin and disallowing those.
Now,
   > > > it's supposed to only do this for ASP.Net apps (that was my
 > understanding,
   > > > anyway), not every /bin in the URL...
   > > >
   > > > --
   > > > //David
   > > > IIS
   > > > This posting is provided "AS IS" with no warranties, and confers no
  > > rights.
   > > > //
   > > > "Jerry III" <jerryiii.DeleteThis@hotmail.com> wrote in message
   > > > news:ewevtj8vDHA.2340@TK2MSFTNGP12.phx.gbl...
   > > > Is that right? I do use files in bin (because the site design was done
  > > long
   > > > before Asp.Net came along) and in IIS 5 I just set permissions on the
  > > files
   > > > I need to be able to access, leaving the directory itself not
accessible
  > > as
   > > > Asp.Net wants it. But if aspnet_filter automatically filters out every
   > > > single request hitting /bin/ then I better start thinking about moving
 > to
  > > a
   > > > better platform (since I'd have to re-write the app anyways
   > > >
   > > > Jerry
   > > >
   > > > "Ken Schaefer" <kenREMOVE.DeleteThis@THISadOpenStatic.com> wrote in message
   > > > news:u8mqwS6vDHA.3220@tk2msftngp13.phx.gbl...
   > > > > You can, but it's not recommended...
   > > > >
   > > > > In IIS6 there is a global ISAPI filter called aspnet_filter which
 > scans
   > > > > incoming requests to see if bin is contained in them, and rejects
 > them.
   > > > You
   > > > > could remove this filter if you want. However, this filter also
 > provides
   > > > > support for cookieless ASP.Net sessions, so if you need ASP.Net
 > sessions
   > > > > (including cookieless sessions), then you can't remove the filter.
   > > > >
   > > > > Instead, you can use this registry key:
   > > > > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET]
   > > > > "StopBinFiltering"=dword:00000001
   > > > >
   > > > > However, you do need to be aware of the security risks you are
causing
  > > by
   > > > > making ~/bin available (people could download your ASP.net
assemblies
  > > for
   > > > > example)
   > > > >
   > > > > Cheers
   > > > > Ken
   > > > >
   > > > >
   > > > >
   > > > > "Hrvoje Vrbanc" <hrvojev.DeleteThis@recro.hr> wrote in message
   > > > > news:OccPyUzvDHA.2540@TK2MSFTNGP09.phx.gbl...
   > > > > : Hello all,
   > > > > :
   > > > > : I've discovered that it's impossible to access the content of a
 > folder
   > > > > named
   > > > > : Bin in the wwwroot under IIS 6, no matter what permissions are
set.
 > Is
   > > > > there
   > > > > : a way to circumvent this and to display the content of the Bin
 > folder
  > > on
   > > > > the
   > > > > : web?
   > > > > :
   > > > > : Thank you in advance.
   > > > > :
   > > > > : Hrvoje
   > > > > :
   > > > > :
   > > > >
   > > > >
   > > >
   > > >
   > > >
  > >
  > >
 >
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Problems wit accessing "Bin" folder under Win 2003 / IIS 6