I'm responsible for a Job Management system for a local government department, hosted out of IIS 7.5. The system has Job 'records' (which are rendered by custom ASP code); each Job record has a unique ID number, and may have any number of attachments linked to it.
These attachments are stored in a content store directory on the webserver itself; each Job record has a sub-directory in the content store referenced by the Job ID number.
e.g. D:\Content\Jobs\<IDNumber>\attachment.jpg
The issue I have is that an authenticated user is able to craft a URL, directly referencing the directory for a specific Job record, and access an attachment for that Job.
i.e. https:\\mywebsite\content\jobs\123456\
Doing this will give them the ability to download the first file in that directory without having to access the Job record itself (where the ASP code provides a certain level of access security).
The ASP code accesses the Content Store root using an Impersonation Account.
Directory Browsing has been disabled in IIS.
Anyone have any ideas as to how I can prevent this?
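One common fix, shown here as an added example rather than code from the original post or its system: stop serving the content store directly (remove or deny the /content/jobs virtual directory) and instead hand every attachment out through a single ASP download script that repeats the Job record's authorization check before streaming the file. The script assumes a store root of D:\Content\Jobs and a hypothetical `UserCanViewJob(jobId)` function that wraps whatever check the Job record page already performs.

```asp
<%
' Added example (not from the original post). Serves one attachment for one Job,
' but only after an application-level authorization check, so the content store
' no longer needs to be reachable by URL at all.
' Assumptions: store root D:\Content\Jobs; UserCanViewJob(jobId) is a hypothetical
' function you supply, wrapping the same check the Job record page performs.
Option Explicit

Const CONTENT_ROOT = "D:\Content\Jobs\"

Function SafeName(s, pattern)
    ' Whitelist-validate a single path component; returns "" if it fails.
    Dim re : Set re = New RegExp
    re.Pattern = pattern
    If re.Test(s) Then SafeName = s Else SafeName = ""
End Function

Dim jobId, fileName, jobDir, fullPath, fso, stream
jobId    = SafeName(Request.QueryString("job"),  "^\d{1,10}$")
fileName = SafeName(Request.QueryString("file"), "^[A-Za-z0-9_\-. ]{1,100}$")

If jobId = "" Or fileName = "" Or Right(fileName, 1) = "." Then
    Response.Status = "400 Bad Request" : Response.End
End If

If Not UserCanViewJob(jobId) Then   ' hypothetical hook: same rule as the Job page
    Response.Status = "403 Forbidden" : Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
jobDir   = CONTENT_ROOT & jobId & "\"
fullPath = fso.GetAbsolutePathName(fso.BuildPath(jobDir, fileName))

' Belt and braces: the resolved path must still sit inside this Job's directory.
If Left(fullPath, Len(jobDir)) <> jobDir Or Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found" : Response.End
End If

' Stream the file under the impersonation account the ASP code already uses.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1 : stream.Open : stream.LoadFromFile fullPath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.AddHeader "X-Content-Type-Options", "nosniff"
Response.BinaryWrite stream.Read
stream.Close
%>
```

With the store moved outside the site root (or its virtual directory deleted), a crafted /content/jobs/123456/ URL simply returns 404, and the only route to an attachment is this script. Links on the Job record page then point at the script, e.g. download.asp?job=123456&file=attachment.jpg, so the existing page-level access control is enforced for every download.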