Securing a folder from public access

This is a basic question for anyone who knows what they're doing with
web server admin so hopefully someone will be able to assist me
here!...

I have a www based asp.net application which allows users to upload
images (screen captures for fault reporting). These files get saved
in the folder www.<domain>.co.uk/uploadedfiles/<filename>.

I want to prevent public users from being able to see these uploaded
files but I want to provide an aspx page where authorised users
(support personnel) can log in to view them so asp.net must be able to
see these files.

Directory browsing is disabled so that makes it difficult for users to
know the file names but it does not prevent determined users from
getting at the files.

How can I set up the security for this folder so that asp.net can see
the files (to show them in a web form to authorised users) but public
users cannot see them by simply typing the URL?

I have tried (on a local development server) disabling anonymous
access to the folder but all that does is give me a login dialog box
to see the image. I want it to be seamless: no dialog box! Plus I am
concerned that the login credentials might be passed in clear text.
Also, I'm not sure if that would work on the live server anyway.

Note: The site is hosted on a shared server - I do not have control
over the server so I cannot do much testing to find the answer but the
hosting company is very good so, if someone can provide the answer,
I'm sure they'll set it up for me!

Thanks

Ian
Nov 18 '05 #1
You have complete control of your server and can decide what context each
request runs under. As you are going to authenticate support personnel, you
can then take control of the threads their sessions are running under and
temporarily run them under an account that has access to the images. You
cannot allow IUSR/ASP.NET access without potentially having a hacker
search for the files.

If support personnel are in the domain, you can also create a logon page
that uses Windows Authentication and set up a Support Group that has rights
to the image folder(s). This is an even easier method than hijacking the
thread when support personnel are logged in (as they will control the thread
essentially), but may also require some help from the networking people (if
that is you, no problem).

Another option is dropping the files into a persistent storage mechanism,
like SQL Server, and programmatically handling the display. This is a rather
heavy solution for your scenario.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************

Nov 18 '05 #2
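Gregory's third route, "programmatically handling the display", does not actually depend on SQL Server. The same effect comes from keeping the uploads in a folder that has no URL at all (outside the site's web root) and streaming them through an ASP.NET handler that performs the authorization check itself. IIS only serves files that sit under a virtual directory, so a folder outside the web tree cannot be requested by anyone, and giving the ASP.NET worker account NTFS read on it exposes nothing. The check has to live in code for another reason too: on IIS 5 and 6 a request for a .jpg or .png is answered by IIS's static file handler and never reaches ASP.NET, so web.config <authorization> rules by themselves would not protect images left under the web root. The handler below is an added example written for this page, not code from the thread or from either poster; the folder D:\sitedata\uploadedfiles, the query-string parameter f, the role name Support and the file name ViewUpload.ashx are assumptions.

```csharp
// ViewUpload.ashx (assumed name), code-behind for a generic handler.
// Added example: streams one uploaded screenshot to a logged-in support user.
// The files live OUTSIDE the web root (assumed: D:\sitedata\uploadedfiles), so
// there is no URL that IIS could serve directly; this handler is the only way in.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public class ViewUploadHandler : IHttpHandler
{
    // Assumed storage folder. Must not be under the site's wwwroot, and the
    // ASP.NET worker account needs NTFS read (and write, for the upload page) on it.
    private const string UploadRoot = @"D:\sitedata\uploadedfiles";

    // Assumed role name. With forms authentication the roles have to be attached
    // to context.User (Application_AuthenticateRequest, or the 2.0 role manager).
    private const string SupportRole = "Support";

    // Strict allow-list for the requested name: letters, digits, '-' and '_',
    // then exactly one image extension. Anything with a slash, a second dot, a
    // trailing newline or a null byte (e.g. "..\web.config") fails here before
    // the file system is touched.
    private static readonly Regex SafeName =
        new Regex(@"^[A-Za-z0-9_-]{1,64}\.(png|jpg|jpeg|gif)\z",
                  RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // 1. Authorization before anything else. An anonymous caller gets the same
        //    403 whether or not the file exists, so names cannot be probed.
        if (context.User == null || !context.User.Identity.IsAuthenticated
            || !context.User.IsInRole(SupportRole))
        {
            response.StatusCode = 403;
            return;
        }

        // 2. Validate the file name against the allow-list.
        string name = request.QueryString["f"];   // assumed parameter name
        if (name == null || !SafeName.IsMatch(name))
        {
            response.StatusCode = 400;
            return;
        }

        // 3. Resolve the path and confirm it is still inside UploadRoot.
        //    Defence in depth: if the regex is ever loosened, traversal still fails here.
        string fullPath = Path.GetFullPath(Path.Combine(UploadRoot, name));
        string rootPrefix = UploadRoot.TrimEnd('\\') + "\\";
        if (!fullPath.StartsWith(rootPrefix, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(fullPath))
        {
            response.StatusCode = 404;
            return;
        }

        // 4. Send the image with an explicit type (derived from the allow-listed
        //    extension, never from the uploader) and no caching, so it does not
        //    survive in a proxy or browser cache after the support user logs out.
        response.Clear();
        response.ContentType = ContentTypeFor(Path.GetExtension(name));
        response.AppendHeader("X-Content-Type-Options", "nosniff");
        response.AppendHeader("Content-Disposition", "inline; filename=\"" + name + "\"");
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.WriteFile(fullPath);
    }

    private static string ContentTypeFor(string extension)
    {
        switch (extension.ToLowerInvariant())
        {
            case ".png": return "image/png";
            case ".gif": return "image/gif";
            default:     return "image/jpeg";   // .jpg / .jpeg, the only other values SafeName admits
        }
    }
}
```

The .ashx extension is already mapped to ASP.NET, so nothing in IIS has to change: the .ashx file itself holds only the `<%@ WebHandler Language="C#" Class="ViewUploadHandler" %>` directive, and the support page refers to an image as ViewUpload.ashx?f=fault-1234.png. The upload page should write new files into UploadRoot under a server-generated name that matches SafeName, never under the name the browser supplied. On a shared host, the one request to make is for a folder outside wwwroot with read/write for the application's worker account.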
Thanks for the response, Gregory.

Unfortunately, I do not have complete control over the server! The
website is hosted on a public, shared server by a separate company.
They are pretty good at helping out with my requests but wouldn't
really go any further than fairly basic configuration changes. At
some stage in the future we may rent a dedicated server or even host
the site ourselves but, in the meantime, your first and second
suggestions aren't feasible.

Your third suggestion may be the way to go for now. We already have a
SQL Server database and we also have a support area, secured with
forms authentication over SSL. Another option (for now) is that I
could simply disable anonymous access to the folder and have the
support personnel use an FTP client to download the files - the
product that the site supports is still new with a small user-base and
therefore I don't expect to get too many files uploaded at this time
so this would work for the time being.

If you or anyone else has any comments or ideas then I'd be grateful.

Thanks again
Ian

Nov 18 '05 #3
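For the SQL Server route Ian is leaning toward, two pieces carry the security weight. On the upload side: cap the size, and decide the image type from the bytes rather than from the extension or the browser's Content-Type, both of which the uploader controls. On the retrieval side: parameterised queries, and the support page setting the content type from what was stored rather than from anything in the request. The class below is an added example, not code from the thread or from either poster; the table UploadedFile and its columns, the 2 MB cap and the IMAGE column type (SQL Server 2000; VARBINARY(MAX) on 2005 and later) are assumptions.

```csharp
// UploadStore.cs (assumed name). Added example: keeps uploaded screenshots in
// SQL Server instead of the web tree, so there is no URL that IIS could ever serve.
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web;

public static class UploadStore
{
    // Assumed table (SQL Server 2000 syntax; use VARBINARY(MAX) instead of IMAGE on 2005+):
    //   CREATE TABLE UploadedFile (
    //       Id          INT IDENTITY PRIMARY KEY,
    //       FaultId     INT NOT NULL,
    //       FileName    NVARCHAR(128) NOT NULL,
    //       ContentType VARCHAR(64) NOT NULL,
    //       Data        IMAGE NOT NULL,
    //       UploadedAt  DATETIME NOT NULL DEFAULT GETUTCDATE())
    private const int MaxBytes = 2 * 1024 * 1024;   // assumed cap; a screen capture is well below this

    // Decides the type from the file's own header bytes. Returns null for anything
    // that is not a PNG, JPEG or GIF, however the uploader named it.
    public static string SniffImageType(byte[] data)
    {
        if (data.Length >= 8 && data[0] == 0x89 && data[1] == 0x50 && data[2] == 0x4E && data[3] == 0x47
            && data[4] == 0x0D && data[5] == 0x0A && data[6] == 0x1A && data[7] == 0x0A)
            return "image/png";
        if (data.Length >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF)
            return "image/jpeg";
        if (data.Length >= 6 && data[0] == (byte)'G' && data[1] == (byte)'I' && data[2] == (byte)'F'
            && data[3] == (byte)'8' && (data[4] == (byte)'7' || data[4] == (byte)'9') && data[5] == (byte)'a')
            return "image/gif";
        return null;
    }

    // Called by the public upload page. Returns the new row id; throws on a bad upload.
    public static int Save(string connectionString, int faultId, HttpPostedFile posted)
    {
        if (posted == null || posted.ContentLength <= 0 || posted.ContentLength > MaxBytes)
            throw new InvalidDataException("upload missing or larger than " + MaxBytes + " bytes");

        byte[] data = ReadFully(posted.InputStream, posted.ContentLength);
        string contentType = SniffImageType(data);
        if (contentType == null)
            throw new InvalidDataException("upload is not a PNG, JPEG or GIF");

        // Keep only the leaf of the client-supplied name, and only for display;
        // it is stored as data and never used as a path on the server.
        string fileName = Path.GetFileName(posted.FileName ?? "");
        if (fileName.Length > 128) fileName = fileName.Substring(fileName.Length - 128);

        const string sql =
            "INSERT INTO UploadedFile (FaultId, FileName, ContentType, Data) " +
            "VALUES (@FaultId, @FileName, @ContentType, @Data); " +
            "SELECT CAST(SCOPE_IDENTITY() AS INT)";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Parameters throughout: the file name is attacker-controlled text.
            cmd.Parameters.Add("@FaultId", SqlDbType.Int).Value = faultId;
            cmd.Parameters.Add("@FileName", SqlDbType.NVarChar, 128).Value = fileName;
            cmd.Parameters.Add("@ContentType", SqlDbType.VarChar, 64).Value = contentType;
            cmd.Parameters.Add("@Data", SqlDbType.Image).Value = data;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Called by the support-only page after it has checked User.IsInRole("Support").
    // Returns false when there is no such row; the caller answers 404 in that case.
    public static bool Load(string connectionString, int id, out string contentType, out byte[] data)
    {
        contentType = null;
        data = null;
        const string sql = "SELECT ContentType, Data FROM UploadedFile WHERE Id = @Id";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read()) return false;
                contentType = reader.GetString(0);
                data = (byte[])reader.GetValue(1);
                return true;
            }
        }
    }

    // Stream.Read may return fewer bytes than asked for; loop until the declared length arrives.
    private static byte[] ReadFully(Stream stream, int length)
    {
        byte[] buffer = new byte[length];
        int total = 0;
        while (total < length)
        {
            int n = stream.Read(buffer, total, length - total);
            if (n <= 0) throw new InvalidDataException("upload truncated");
            total += n;
        }
        return buffer;
    }
}
```

The support page (already behind forms authentication over SSL in Ian's setup) parses the id from the query string, calls Load(), sets Response.ContentType from the stored value and writes the bytes with Response.BinaryWrite. Because the content type is fixed at upload time from the sniffed header, a renamed .html or script file never gets served as anything but the image format it actually is, and there is no file on disk for an anonymous visitor to guess a URL for.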
