禁用目录浏览时，IIS中的文件安全性如何？ [英] How safe are files in IIS when Directory Browsing is disabled?

问题描述

我正在通过IIS7运行WCF网络应用。



在我的应用程序中我有一个公共文件夹，在该文件夹中我有包含相当敏感信息的文件。



目前，我在IIS中禁用了目录浏览。

文件名是随机生成的乱码字符串。



我最初的想法是，由于目录浏览被禁用，并且没有人知道文件的名称，没有人应该能够访问它们。



我的假设有多安全？



如果不安全，我会重写一些代码来将文件流式传输到我的客户端用我正在做的URL直接引用。



问候！

I''m running a WCF web app via IIS7.

Inside my application I have a public folder and inside that folder I have files containing rather sensitive information.

Currently, I have Directory Browsing disabled in IIS.
The files names are randomly generated strings of gibberish.

My initial thought was, that since Directory Browsing is disabled, and no-one knows the files'' names that no-one should be able to access them.

How safe are my assumptions?

If unsafe, I''ll rewrite some code to stream the files to my client instead of referencing directly with a URL like I''m currently doing.

Regards!

推荐答案

Stream他们。

如果他们是那么敏感，那么当你存储它们时加密它们。

想一想：即使目录浏览被禁用，有多少人拥有它们物理访问服务器？你知道吗？



如果你流式传输它们，你可以使请求到期，这样它们只在一段时间内有效，防止虚假拷贝被带走也可以通过URL复制来自客户端。

Stream them.
And if they are that sensitive, encrypt them when you store them as well.
Think about it: even if Directory Browsing is disabled, how many people have physical access to the server? Do you know them all?

If you stream them, you can expire requests so they are only valid for a certain period of time as well, preventing spurious copies being taken by URL copying from the client as well.

这篇关于禁用目录浏览时，IIS中的文件安全性如何？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！