I am currently developing a staff and student portal for my college.  I look into LDAP to authenticate and authorize users (I am using VS 2005 C# to do this).  However, as most you know at this forum, .htm, .pdf, and etc are not protected by the ASP.NET security.  I have done some reading and found that you can change this problem in IIS. 

If this solution hasn?t been posted, select your project in IIS and choose properties.  Next on the Directory tab find the Configure Button and click it.  After you do that you?ll be on the Mapping tab, click the Add button.  This will take you to another window, where you will browse for the aspnet_isapi.dll file.  After you have found that file all you have to do is add the extension you wish to protect (like .pdf).

After showing this process, is there an easier way?  Maybe using web.config?  I can read XML, but I don?t know much about it to make anything work for me. 

Another neat thing that my portals I?m creating might contain is a password change and reset page.  So my next question is how can I make sure my page is more secure?  Like I mentioned before, I am using Forms Authentication.  I also have Digested and Integrated Authentication checked, but I have it setup for anonymous access so I can make my login page work.  After I deploy my portals they will be on SSL.  However, this will make it impossible for me to see what the attacker done if we were compromised.  Any suggestions will be welcomed.  I?m relatively new to C# and security.

1. You are right. Static files are not handled by asp.net because, before the request reaches the asp.net engine, it has been handled by iis and returned to client. So as my thought, your solution is the only option.

2. I am not understand why do you think after using SSL ", this will make it impossible for me to see what the attacker done if we were compromised". Enabling SSL brings secure communcation and it protected your data from being hacked. So when you decide to use SSL, I think the security of your portal is warranted.

I just wanted to say thanks for the response.  And give you a reason why I think SSL will make it hard to see what a cracker has done to my portal.  I was told at a conference that SSL encrypts everything, so the log file will be encrypted or partially encrypted (I?m not for sure).  I know I am protected against SQL cross-side scripting the * or 1 = 1 - - (well at least this one).  But other than that, I?m not sure what I am protected against.  I do have my log file setup to view login success and failures.  Do you think I should log more than that?  I know that no matter how much I secure my page is, if a cracker wants to invest the time he or she will eventually get in.

You probably don't want to map PDF files through the ASPNET ISAPI.  Since they can get really big, you'll unnecessarily bog down the filter processing something it doesn't need to.  I have another way posted on my blog at http://aspadvice.com/blogs/rjdudley/archive/2005/10/03/12984.aspx that might work for your needs.  Modifying the web.config won't help.  You can also store the PDFs in a folder outside the webroot, and give your site's impersonated user access to the folder.  That way your site can get at the files, but they can'tbe accessed by direct URL.

Another hint is to not use HTM files--make everything an ASPX, even if it doesn'thave any server site code.

SSL only encrypts the data between the client and server.  Your server must decrypt the SSL for it to understand what was sent, so you'll be able to log clear text password failures, etc.  This encryption is done before the request hits your site, so you don't have to do anything special.