HOWTO: Deny direct access to resources using Referer based authentication

People frequently ask about the "Referer Authentication" custom protocol that Apache offers with a custom module. Yes, it is doable on IIS as well -- if you have the custom module.

Question:

Hi there.

Since you are very good in IIS, I need your help.

How to deny direct access to IIS? Let's say a user wants to access it; they cannot simply type the URL. Actually, we have another application. So any info inside this IIS can only be read with a specified referer.

Thanks

Answer:

The correct way to control access to web-accessible resources is to enable authentication. IIS supports many standards-based authentication protocols, and some support customization.

What you have to realize is that, to the authentication protocol, any customizations done by IIS (or your custom code on IIS) are analogous to a man-in-the-middle attack. Secure authentication protocols defeat such attacks.

Now, the referer-based scheme (i.e. "Referer Authentication") that you mention is basically a custom, insecure authentication protocol that needs to be implemented by some custom code. This protocol works as follows:

  1. On access to all protected resources, examine the Referer request header
  2. If the Referer header is not present or not "valid" by some user-defined metric, reject
  3. Otherwise, accept

If you think about it, this is not very different from how Basic authentication works (substitute "Authorization: Basic" for the "Referer" header). The key difference is that web browsers implicitly generate the authenticating "Referer" header based on the parent URL, while Basic authentication requires explicit user action to generate the "Authorization" header.
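The three steps above as plain C, added here as an illustration and not the author's sample or any IIS code. It assumes the check is called from an ISAPI filter's header notification with the raw Referer value; the filter plumbing is left out, and the allowed host name is a placeholder. Note that it parses the host out of the URL instead of doing a substring search, which is the usual mistake in "valid by some user-defined metric" checks.

```c
/* Added example: the Referer check (steps 1-3) as a stand-alone function.
 * In a real ISAPI filter this would be called from the header notification
 * handler; that plumbing is omitted here. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of exactly `alen` bytes of `a` against `b`.
 * Host names are case-insensitive; paths are not, so only the host is compared. */
static int host_equal(const char *a, size_t alen, const char *b) {
    if (strlen(b) != alen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 if the Referer value names one of the allowed hosts, 0 otherwise.
 * A missing or empty header is rejected (step 2). The host is taken from
 * "scheme://host[:port][/...]", so "http://app.example.test.attacker.test/"
 * does not match "app.example.test", and a userinfo trick such as
 * "http://app.example.test@other/" yields a host that matches nothing. */
int referer_allowed(const char *referer, const char *const *allowed, size_t n) {
    if (referer == NULL || *referer == '\0') return 0;   /* header absent */
    const char *p = strstr(referer, "://");
    if (p == NULL) return 0;                              /* not a URL */
    p += 3;
    size_t hlen = strcspn(p, ":/?#");                     /* host ends here */
    if (hlen == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (host_equal(p, hlen, allowed[i])) return 1;    /* step 3: accept */
    return 0;                                             /* step 2: reject */
}

int main(void) {
    /* Constructed sample Referer values; "app.example.test" is a placeholder. */
    const char *allowed[] = { "app.example.test" };
    const char *samples[] = {
        "http://app.example.test/downloads.html",        /* accept */
        "HTTP://APP.EXAMPLE.TEST:8080/x",                 /* accept: case, port */
        "http://app.example.test.attacker.test/",         /* reject: suffix */
        "http://other.example.test/app.example.test",     /* reject: in path */
        NULL,                                             /* reject: absent */
    };
    for (size_t i = 0; i < 5; i++)
        printf("%-45s -> %s\n", samples[i] ? samples[i] : "(no Referer)",
               referer_allowed(samples[i], allowed, 1) ? "accept" : "reject");
    return 0;
}
```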

At this point, you have to decide what you truly want to do. Does implicit/explicit authentication matter for this insecure and replay-attackable authentication protocol, or do you just want to defeat web robots and scrapers that consume your website's bandwidth?

I presume you really want to do the latter because the former just does not make sense for an insecure authentication protocol...

For the latter, you might as well create a restricted NT username/password for Basic authentication (lock the NT user account down to a guest account, deny remote logon, etc.), ACL all protected resources to this NT username, enable Basic authentication on them in IIS, and then publish the username/password on the parent web page that links to the files you want to protect. Robots and scrapers probably will not parse the parent web page to find the username/password, will fail to produce the Authorization: header, and will get rejected by authentication. Users will probably read the parent web page, authenticate, and obtain the download. And in no case can someone directly access your file WITHOUT first authenticating.

Unfortunately, no one has considered donating free custom code (yet) to implement this functionality for IIS. So, you will have to create an ISAPI Filter that implements referer authentication. I have an illustrative sample at this URL (you will need to fill in some blanks, since configuration is done within the Filter DLL itself, but configuration should not be hard if you look at this other sample code on how to use Windows INI files).

//David