How To: Serve Files From IIS In Bin Named Directories

Posted Tuesday April 9, 2013 at 4:45:03 pm in Development

There are certain security features that comes installed by default on IIS (Internet Information Services) on Windows. The one that is not often talked about is the Request Filtering role service. And that is usually for good reason.

I'll try and make this post pretty short and sweet, but long story short...you may run into a situation where you have a particular directory named something that won't be served to a user due to some built in security features of IIS. In a nutshell, the IIS team explains it in a more elegant manner:

For example, on Web servers that are hosting ASP.NET content, IIS 7 blocks several of the ASP.NET-related paths for you; Web.config, bin, App_Code, etc. Blocking these URL segments reduce the chance of an attacker being able to exploit these URLs for information.

That's quoted from the Hidden Segments documentation page located here.

Typically, you're not going to want to serve content in your bin directories (or App_Code...or any of the default examples above). But occasionally, you may. 

Recently we ran into an issue with our WordPress installation that was being served through IIS and using a web.config to handle URL aliasing. Since this was a WordPress installation wiith no other dependencies, it was pretty basic.

The issue we ran into was with a certain WordPress theme called TouchPattern.  This theme gives multi-touch functionality to users. The theme is available here in case you're curious. We noticed when deploying it to one of our web servers (in particular Windows 2008, IIS7.5), that a lot of the content wasn't being served. As a matter of fact, IIS was returning 404 errors (404.8 in particular). Which lines up precisely with the Hidden Segments page linked to above.

Why was this happening? Well, it turns out that this particular theme had a directory located inside of its images directory called bin (full path: /TouchPattern/images/bin). And as I (and the IIS team) spoke about above, IIS will not return any content in that directory by default.

Now, there are ways around this that are less than ideal. One, of course, is using the registry. But as I'm not a fan of touching registries on production servers (who is?), there had to be a more elegant solution.

That more elegant solution was simply utilizing the hiddenSegments element...and removing the bin segment from it. This is quite easy. Inside of the system.webServer element, you add the following:

       <security>
          <requestFiltering>
               <hiddenSegments>
                   <remove segment="bin" />
               </hiddenSegments>
           </requestFiltering>
       </security>

Now, if you're running an actual ASP.NET site and not a WordPress site and don't want to serve the root bin directory, you can create a web.config inside of the theme itself with just this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
       <security>
          <requestFiltering>
               <hiddenSegments>
                   <remove segment="bin" />
               </hiddenSegments>
           </requestFiltering>
       </security>
  </system.webServer>
</configuration>

This is the beauty of web.config overrides.

Hope this helps someone.

Happy coding!

The opinions expressed herein are my own personal opinions and do not represent my employer’s view