Security: SPIP and IIS

Prevent acces to SPIP’s confidential data when using Microsoft IIS

This article is only of interest if the machine hosting your site does not use Apache, the most commonly used software for hosting websites, but uses Microsoft’s IIS instead.
The article itself is quite dated now, and new versions of Microsoft’s software may well not behave the same way.

SPIP’s default security

There are two "sensitive" folders in SPIP, which are the CACHE and ecrire/data folders. The first contains all of the files which use your cache to accelerate the display of web pages, so is therefore moderately sensitive, but the second records the activity logs for SPIP (the spip.log files) and additionally allow you to create dump.xml backup files for the database.

Now the dump.xml files contain very sensitive data: in particular, you can see all of the articles, even those not made visible on the public site, without forgetting all of the identifiers and passwords [1] of the editors and administrators of the site.

The security of all of these files is traditionally ensured using access configuration files named .htaccess. SPIP automatically generates these files to prevent access to the sensitive data stored on the server: you can check that both the CACHE and ecrire/data folders each contain one of these .htaccess files.
Unfortunately, these files work under Apache (the web server used to make the vast majority of the Internet’s web sites work) but not under IIS (Internet Information Services, the web server from Microsoft).

Protecting your data under IIS: one additional step

If your site has been installed on IIS, absolutely anyone can then view the folders that are supposed to be secured by .htaccess files: so you need to protect them in another way.

To protect a folder on your site: open the administration panel for your web server, right click on the directory in question, click on "properties", and uncheck the check box labelled "Read" found on the "Directory" tab.

The properties screen for the /tmp directory
Uncheck the "Read" checkbox in order to protect the folder the same way that Apache would do using an .htaccess file

Perform this same operation for both of the CACHE and ecrire/data folders. If you have done it right, you should not then be able to access the files in these folders through the web server. You can test your configuration by trying to display http://www.yoursite.com/ecrire/data/spip.log from your normal browser. You should receive a message of some kind that indicates "Access refused".

Footnotes

[1Even if the passwords are encrypted by SPIP, bear in mind that such encryption is not necessarily unbreakable.

Portfolio

Author Mark Published : Updated : 19/07/23

Translations : català, English, Español, français, italiano