How do I keep secure files for download off the web server?

[kempis555]

I have been assigned to finish a website that lets people download sensitive files.

I've already implemented the precaution of using the Stream object to hide the PATH so that the URL and filename are hidden from the user. However, the files are being stored on a server behind the firewall, and are being accessed through a fileshare.

It seems to me that if the webserver were hacked, that fileshare will be compromised too. What's the easiest way to prevent this? I was thinking about saving the files as binaries in the database and serving up that way... but bleah ... that would require a total re-write of the existing file upload/download system.

Does anyone know of an easier method to secure the existing system?

thanks in advance,
-k

 

[kempis555]

I just thought of something, if the web server is compromised, then the hacker could get the SQL server username and password from the .ASP INCLUDE file which has the database access information. And then he could do what he wants with the files.


Is this an "equally screwed" situation, so I should take the easier route?

-k

 

[bhewi]

I don't know how much code you have written already but this is the exact same project I'm working on right now. I am using SSL on the web server and the ASPUpload component for the rest. It uses an access database. Using a DSN I have put the database on another server in a different zone on the firewall. Hopefully this will give you some ideas if nothing else.

Bryon

 

[kempis555]

Would that arrangement prevent the files from being accessed if the web server is hacked?

-k