Restricting Access to Directories through the web.config file

Mike Bilz asked on July 7, 2017 20:39

Hello Kentico Team,

I have been trying to implement all of the security features that Kentico suggests as a part of going live, but I have found some of the documentation to be a little unhelpful.

The page above mentions that I should disable access to dangerous directories, but doesn't list all of the directories I should disable, and doesn't mention where within the web.config file I should include this code. Is there a complete list of directories I should disable, or is the "CMSSiteUtils" folder the only one I need to worry about?

Also, does it matter where in the web.config file I include this code?

Thanks in advance for your help.


Recent Answers

Brenden Kehren answered on July 7, 2017 21:34

I have 2 blog posts on security and such regarding the file system approach. Take a look:,-content-and-objects-from

Also, if you want to get to a more granular approach, you might want to use web.config in each of the directories you want to restrict or grant access to. For instance, take a look in the /CMSPages directory; there is a web.config file in there which grants and denies access to specific files within that directory. I recommend creating a web.config for the directories you want to restrict or grant access to. Keep in mind if you get too restrictive, the CMS won't properly function.

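The two placements discussed in this thread, shown as an added example that is not part of the original posts or of Kentico's documentation. It uses the standard ASP.NET `<location>` and `<authorization>` elements and the "CMSSiteUtils" directory named in the question; any other directory is handled the same way.

```xml
<!-- File 1: the site's root web.config (only the relevant parts shown).
     A <location> element must be a direct child of <configuration>.
     Its position among the other children does not matter, except that
     <configSections>, when present, has to stay the first child. -->
<configuration>
  <!-- the site's existing sections (connectionStrings, system.web,
       system.webServer, ...) remain unchanged -->

  <location path="CMSSiteUtils">
    <system.web>
      <authorization>
        <!-- "*" matches every user, authenticated or anonymous -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- File 2 (alternative to the <location> block above): a web.config placed
     inside the CMSSiteUtils directory itself, as the answer describes for
     /CMSPages. The rule applies to that directory and everything below it,
     so no path attribute is needed. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Use one placement per directory, then request a file under that directory in a browser and confirm it is no longer served. The `system.web` rule is enforced for requests that pass through the ASP.NET pipeline, so check a static file as well as a page.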