How to password protect files and directories under Windows 2008/IIS 7.0
We have created a Password Protection application which works with
.NET which you can use to secure files and folders under your Windows
2008/IIS 7.0 hosting account. This application will not run under
Windows 2003 and IIS 6.
Disclaimer: This application has been tested with
myhosting.com accounts using the Windows 2008/IIS 7.0/.NET 2.0 platform,
and cannot be confirmed to work with any other hosting provider or any
other hosting platform. Please note that this software should be used at
your own risk. myhosting.com takes no responsibility for the use or
misuse of the software. Further, myhosting.com takes no responsibility
for any potential failure of the software resulting in the exposure of
secured files or directories as a result of the software's use or
Download & Contents
To start, you will need to download the application.
Once you have downloaded the .ZIP file, you will need to extract the
contents to your computer. You should then see the following files and
File or Directory Name
|| This file should be uploaded to the root directory of your hosting account
|| This directory already exists on your hosting
account; all the other files and directories should be uploaded inside the
|| This file handles all the login requests for your secure area.
|| This file is used to enforce the security policy,
and specifies which directories are secured and what users are allowed
to access them.
|| This directory contains the password protection administration area.
|| This is the administrator management file for the application.
|| This is the directory you can use for storing your secure files.
|| The default document for your secure area.
Next you will need to upload all the files and create all the
directories on your site. Please make sure when uploading that you
preserve the directory and file structure. This will ensure that the
application functions as designed.
Please Note: If you already have a web.config file on your site, you will need to merge the contents of this file with the one which exists on your site already.
Once everything is on your site, you should then open your browser and connect to http://your-site.com/admin/admin.aspx, replacing "your-site.com" with your actual domain name. You can then log in using:
Once you have logged in, you should see 2 existing users named Admin and User.
The first thing you should do is to change the Admin password to one
that is strong and unique. To do this, type the new password in the
field provided and click on Hash Pass. Copy the text that it displays, and Edit the Admin user to change the password.
There is also a test user named User which you can use to experiment with.
It is recommended that you either delete this user or change the
password before you start using the application to secure files and
directories. In addition, you can create as many other users as you
Securing Files and Folders
By default, the directories named secure and admin are the only directories that are protected. The admin directory is set to allow only the Admin
user to log in. Since this is where all users are configured, this was
added as an extra level of security. The secure directory allows all
authenticated users to log in, while not allowing anonymous or
unauthenticated users access. You can place any files or directories
under the secure directory and they will automatically be password
If you want to change the name of the secured directory, add new
secured directories or edit who is allowed to access which directories,
you will need to edit the web.config file. Once you open the file, you'll see an entry like this:
If you want to secure another directory, you can create a similar entry and change the value of the location path.
Allow and Deny Users
- IMPORTANT: At the very least,
for a directory to be secured you must deny access to anonymous or
unauthenticated users (using a ?) as follows:
- If you want to allow only certain users to access the directory
and deny everyone else, you can configure it as follows to deny all
users (using a *) and then allow only specific exceptions in the allow
users section. In this example, all users are prevented from logging in
except username1 and username2:
- If you want to deny all users, you can use * as a wildcard in the deny users section.
- You should not use the * or ? wildcards in the allow users
section, as it will allow access to all users and all
The allow users
section is optional, but it is highly recommended that a deny users
section is always used. If you do not include a deny users section, all
visitors to your site will be able to access the directory. Therefore
you should never remove the deny users section.
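The allow and deny rules above can be checked offline before a web.config is uploaded. The script below is an added example, not part of the downloaded application: it assumes the standard ASP.NET location/authorization layout, in which the first matching allow or deny rule wins and anything unmatched is allowed, and it runs on a constructed sample. It ignores roles, verbs and rules inherited from the site root.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the web.config shipped with the application.
SAMPLE = """<configuration>
  <location path="secure"><system.web><authorization>
    <deny users="?" />
  </authorization></system.web></location>
  <location path="admin"><system.web><authorization>
    <allow users="Admin" /><deny users="*" />
  </authorization></system.web></location>
  <location path="reports"><system.web><authorization>
    <allow users="*" /><deny users="?" />
  </authorization></system.web></location>
  <location path="drafts"><system.web><authorization>
    <deny users="*" /><allow users="username1,username2" />
  </authorization></system.web></location>
</configuration>"""

def names(users):
    return {u.strip().lower() for u in users.split(",")}

def decision(rules, visitor):
    """visitor is a user name, or None for an anonymous visitor."""
    for action, users in rules:  # the first matching rule wins
        n = names(users)
        if "*" in n or ("?" in n if visitor is None else visitor.lower() in n):
            return action
    return "allow"  # nothing matched: the inherited default allows everyone

def audit(config_xml):
    """Map each <location> path to its findings (empty list: none)."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        rules = [(r.tag, r.get("users", "")) for a in loc.iter("authorization")
                 for r in a if r.tag in ("allow", "deny")]
        found = []
        if decision(rules, None) == "allow":
            found.append("anonymous visitors are let in")
        if any(t == "allow" and names(u) & {"*", "?"} for t, u in rules):
            found.append("wildcard in an allow rule")
        stars = [i for i, (_, u) in enumerate(rules) if "*" in names(u)]
        if stars and stars[0] < len(rules) - 1:
            found.append("rules after the * rule are never applied")
        report[loc.get("path")] = found
    return report

if __name__ == "__main__":
    for path, found in audit(SAMPLE).items():
        print(path, "->", found or "ok")
```

In the constructed "drafts" entry the deny * rule is listed first, so username1 and username2 are locked out as well; listing the allow rule before deny * gives the intended result.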