This post should maybe go in the enhancement requests forum, but it may be of wider interest to developers, so I've posted it here.
When you set up authentication & authorisation within CMS Desk, this works fine, provided the user is well-behaved and only uses the URLs you give them.
However, if a user tries to navigate to one of your templates directly, e.g.
www.yourdomain.com/CMSTemplates/yoursite/SecurePage.aspx
then the default is that they will be shown the page, with any content there happens to be (although if you use WebParts with CheckPermissions set, this content should be subject to Kentico's security settings).
I have raised this with Kentico support, and had a reply suggesting configuring IIS. This I can't do with my shared hosting company. And in any case, I think the suggestion would have allowed authenticated users to access everything in the directory, which is still not ideal.
The actual requirement is that any requests from the browser for files in the CMSTemplates directory are not allowed, and that this works without configuring IIS.
I have actually come up with a solution myself. It seems to work well, but I suspect it may have a vulnerability to a determined hacker, so I'm not going to publish the details here.
Kentico should really close this security hole or, if not, at least make it clear in the Developers Guide that it exists.
Steve
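For readers with the same requirement (refuse any browser request for a file under CMSTemplates, without touching IIS), here is an added example of one way to do it in plain ASP.NET. It is not Steve's withheld solution and not Kentico's own code. It assumes a standard ASP.NET Web Forms site in which the CMS renders content pages by rewriting the request to a template page internally, so a normal page view never arrives at the server with /CMSTemplates/ in the URL the browser sent; the folder name, module name and the choice of a 404 response are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (not the poster's solution, not Kentico code): an HttpModule that
// refuses any request whose ORIGINAL URL points into the template folder.
// Put this file in App_Code and register the module in web.config:
//   <httpModules>
//     <add name="BlockTemplateDirect" type="BlockTemplateDirectModule" />
//   </httpModules>
// (or under <system.webServer><modules> for the IIS7 integrated pipeline).
public class BlockTemplateDirectModule : IHttpModule
{
    // Application-relative folder to protect (name taken from the post; assumption).
    private const string ProtectedFolder = "/CMSTemplates/";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // RawUrl is what the browser actually asked for. Unlike Request.Path and
        // friends it is NOT changed by Context.RewritePath, so the check works no
        // matter whether the CMS's own URL-rewriting module ran before or after us,
        // and it never fires for a content page that the CMS maps to a template.
        if (IsProtectedPath(request.RawUrl, request.ApplicationPath))
        {
            // 404 rather than 403, so the existence of template files is not confirmed.
            app.Context.Response.StatusCode = 404;
            app.Context.Response.SuppressContent = true;
            app.CompleteRequest();
        }
    }

    // True when the request path, after stripping the query string, URL-decoding,
    // resolving "." and ".." segments and removing the virtual-directory prefix,
    // lies inside the protected folder. Case-insensitive, because IIS and NTFS are.
    public static bool IsProtectedPath(string rawUrl, string applicationPath)
    {
        if (string.IsNullOrEmpty(rawUrl)) return false;

        string path = rawUrl;
        int cut = path.IndexOfAny(new[] { '?', '#' });
        if (cut >= 0) path = path.Substring(0, cut);

        // Decode once so an encoded slash or letter cannot dodge the prefix test,
        // and treat backslashes as slashes, as IIS does.
        path = HttpUtility.UrlDecode(path).Replace('\\', '/');

        // Canonicalise segments: drop empty and ".", pop on "..".
        var segments = new List<string>();
        foreach (string seg in path.Split('/'))
        {
            if (seg.Length == 0 || seg == ".") continue;
            if (seg == "..") { if (segments.Count > 0) segments.RemoveAt(segments.Count - 1); continue; }
            segments.Add(seg);
        }
        // Always end with "/" so "/CMSTemplates" (the folder itself) also matches
        // while "/CMSTemplatesX/..." does not.
        path = "/" + string.Join("/", segments.ToArray()) + "/";

        // Strip the application root ("/" for a root site, "/vdir" otherwise).
        string appRoot = (applicationPath ?? "/").TrimEnd('/');
        if (appRoot.Length > 0 && path.StartsWith(appRoot + "/", StringComparison.OrdinalIgnoreCase))
            path = path.Substring(appRoot.Length);

        return path.StartsWith(ProtectedFolder, StringComparison.OrdinalIgnoreCase);
    }
}
```

Two caveats. On IIS6 or the IIS7 classic pipeline only requests mapped to ASP.NET (.aspx and the other ASP.NET extensions) pass through HttpModules, so static files in the folder are not covered by this; that is fine for the .aspx templates the post is about, and ASP.NET already refuses .ascx and .config with its built-in forbidden handler. Second, because the test runs on the raw URL and not on the rewritten path, it does not depend on the order in which modules are registered in web.config, which is what would otherwise make a path-prefix check either ineffective or liable to block every page.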