Security Considerations



ASP Security Settings

In ASP, FileUpEE executes in a specific user context:

  • IUSR_MACHINENAME (the default anonymous user account), or

  • An authenticated user account

To allow uploads, the IUSR_MACHINENAME or authenticated user must have Read, Write, and Modify NTFS permissions for FileUpEE's temporary and destination folders. An upload's destination folder is set in code by DestinationDirectory, DestinationPath, or SaveAs. The temporary directory for an upload can be set in code by the property TempStorageLocation. If you do not assign a value to TempStorageLocation, uploads will be cached in the system's default directory for cached files, which is determined by the system environment variable TEMP.

To change the system's default directory for cached files, reset the TEMP environment variable, as follows:

  1. Open the Control Panel.
  2. Select System.
  3. Select the Advanced tab.
  4. Click Environment Variables...
  5. Select TEMP from the System Variables list.
  6. Click Edit.
  7. Enter a new Variable Value, and click OK.

In a 3-tier upload (client -> Web server -> file server), FileUpEE will use two temporary folders, one on the Web server and one on the file server. Both temporary folders require Read, Write, and Modify permissions for the anonymous or authenticated user.

Note: If UseMemory is set to True, FileUpEE will not write temporary files and it is not necessary to set permissions for a temporary directory.



ASP.NET Security Settings

In ASP.NET, if impersonation is disabled, as it is by default, FileUpEE executes in the context of the ASPNET account or an authenticated user account. To allow uploads, the ASPNET account or authenticated user must have Read, Write, and Modify permissions for FileUpEE's temporary and destination folders. An upload's destination folder is set in code by DestinationDirectory, DestinationPath, or SaveAs. The temporary directory for an upload can be set in code by the property TempStorageLocation. If you do not assign a value to TempStorageLocation, uploads will be cached in the system's default directory for cached files, which is determined by the system environment variable TEMP.

To change the system's default directory for cached files, reset the TEMP environment variable, as follows:

  1. Open the Control Panel.
  2. Select System.
  3. Select the Advanced tab.
  4. Click Environment Variables...
  5. Select TEMP from the System Variables list.
  6. Click Edit.
  7. Enter a new Variable Value, and click OK.

In a 3-tier upload (client -> Web server -> file server), FileUpEE will use two temporary folders, one on the Web server and one on the file server. Both temporary folders require Read, Write, and Modify permissions for the ASPNET or authenticated user account.

If you enable impersonation, FileUp will execute in the IUSR_MACHINENAME or authenticated user context and you can set permissions as you would for ASP. Under ASP.NET, impersonation is controlled in the .NET configuration file for your Web application, web.config or machine.config (for information about these files, see Installing FileUpEE for ASP.NET). To enable impersonation, set impersonate to true in the identity node of the httpRuntime node of web.config or machine.config:

	<identity impersonate="true" userName="" password=""/>

Note: If UseMemory is set to True, FileUpEE will not write temporary files and it is not necessary to set permissions for a temporary directory.



The ISAPI Filter

The ISAPI filter caches request data before it is processed by ASP or ASP.NET.

FileUpEE's ISAPI filter writes to the hard drive as the local SYSTEM account, and can write to any directory on the server. The ISAPI filter temp directory must be on a local drive, not on a network shared drive, because the SYSTEM account does not have access to network drives.

The location of the temporary directory can be configured in the Windows registry. By default, the cache location is the system's default directory for cached files, which is determined by the system environment variable TEMP. To set a different ISAPI filter temp directory:

  1. Open the Start menu, and select Run.
  2. Enter regedit and click OK.
  3. Open HKEY_LOCAL_MACHINE\SOFTWARE\SoftArtisans\FileUpEe\Parameters.
  4. Right-click IsapiTempDir and select Modify.
  5. In Value Data, enter the path and folder name.

To change the system's default directory for cached files, reset the TEMP environment variable, as follows:

  1. Open the Control Panel.
  2. Select System.
  3. Select the Advanced tab.
  4. Click Environment Variables...
  5. Select TEMP from the System Variables list.
  6. Click Edit.
  7. Enter a new Variable Value, and click OK.
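
To confirm where the ISAPI filter will cache request data, and that the location is on a local disk rather than a network drive, the PowerShell check below reads IsapiTempDir and falls back to the system TEMP variable when no value is set. It is an added example, not SoftArtisans code; the function name Get-IsapiTempDirStatus is hypothetical.

```powershell
# Added example (not vendor code). Get-IsapiTempDirStatus is a hypothetical name.
function Get-IsapiTempDirStatus {
    $key    = 'HKLM:\SOFTWARE\SoftArtisans\FileUpEe\Parameters'
    $source = 'IsapiTempDir registry value'
    $dir    = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).IsapiTempDir

    if (-not $dir) {
        # No override configured: the filter uses the system-wide TEMP variable.
        $source = 'system TEMP variable'
        $dir    = [Environment]::GetEnvironmentVariable('TEMP', 'Machine')
    }
    if (-not $dir) { throw 'Neither IsapiTempDir nor the system TEMP variable is set.' }
    $dir = [Environment]::ExpandEnvironmentVariables($dir)

    # A UNC path (\\server\share) is a network location by definition.
    $isUnc = $dir.StartsWith('\\')

    # For a drive-letter path, ask Windows what kind of drive it is.
    # A mapped network drive reports 'Network'; a local disk reports 'Fixed'.
    $driveType = $null
    if ($dir -match '^[A-Za-z]:\\') {
        $driveType = (New-Object System.IO.DriveInfo ($dir.Substring(0, 3))).DriveType
    }

    [pscustomobject]@{
        Source    = $source
        Path      = $dir
        DriveType = $driveType
        Exists    = (Test-Path -LiteralPath $dir -PathType Container)
        # The filter runs as SYSTEM, which cannot reach network drives.
        LocalDisk = (-not $isUnc) -and ($driveType -eq 'Fixed')
    }
}

Get-IsapiTempDirStatus
```

A result with LocalDisk or Exists set to False means the ISAPI filter's cache location should be corrected before uploads are enabled.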



General Guidelines
  • Don't allow write access to critical directories such as "C:\", "C:\WINNT", and "C:\WINNT\System32".

  • Do audit scripts to ensure that ASP developers are writing to correct locations.

  • Do audit scripts to ensure that an instance of FileUpEE is not created as an Application variable.

  • Do use the TempStorageLocation property to set an appropriate temporary directory. FileUpEE needs a file cache to function. If the TempStorageLocation property is not set, FileUpEE will use the default temporary directory of the system.

  • Don't prevent the IUSR_MACHINENAME account (for ASP) or the ASPNET account (for ASP.NET) from reading the system registry, especially the HKEY_CLASSES_ROOT hive.

  • Don't prevent the IUSR_MACHINENAME account (for ASP) or the ASPNET account (for ASP.NET) from reading FileUpEE.DLL or MimeClient.dll.

  • Don't leave the default Everyone-Everything permission on a publicly available Web server.
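
The permission rules in the ASP and ASP.NET sections and in the guidelines above can be checked from the folder ACLs: the temporary and destination folders should grant the web account Modify, and the critical directories should grant it (or Everyone) no write access. This PowerShell function is an added example, not SoftArtisans code; its name, the principal list, and the folder paths in the sample call are assumptions.

```powershell
# Added example (not vendor code). Test-UploadFolderAcl is a hypothetical name.
function Test-UploadFolderAcl {
    param(
        [Parameter(Mandatory)] [string[]] $Principals,     # web account plus groups such as 'Everyone'
        [Parameter(Mandatory)] [string[]] $UploadFolders,  # temporary and destination folders
        [string[]] $CriticalFolders = @('C:\', 'C:\WINNT', 'C:\WINNT\System32')
    )
    $modify      = [System.Security.AccessControl.FileSystemRights]::Modify
    $write       = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Allow entries that apply to the folder itself and name one of $Principals.
    # Deny entries and nested group membership are not evaluated here.
    function Get-AllowAce([string] $Path) {
        (Get-Acl -LiteralPath $Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Principals -contains $_.IdentityReference.Value -and
            ($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly
        }
    }

    # Upload folders: at least one entry must carry every Modify bit
    # (Modify includes Read and Write).
    foreach ($dir in $UploadFolders) {
        $ok = Get-AllowAce $dir |
              Where-Object { ($_.FileSystemRights -band $modify) -eq $modify }
        [pscustomobject]@{ Path = $dir; Check = 'Modify granted'; Pass = [bool]$ok }
    }

    # Critical directories: no entry may carry create, append or delete rights.
    foreach ($dir in ($CriticalFolders | Where-Object { Test-Path -LiteralPath $_ })) {
        $bad = Get-AllowAce $dir |
               Where-Object { [int]($_.FileSystemRights -band $write) -ne 0 }
        [pscustomobject]@{ Path = $dir; Check = 'No write access'; Pass = -not $bad }
    }
}

# Sample call; the account and paths are assumptions, substitute your own:
# Test-UploadFolderAcl -Principals "$env:COMPUTERNAME\ASPNET", 'Everyone' `
#     -UploadFolders 'D:\FileUpEE\Temp', 'D:\FileUpEE\Uploads'
```

Any row with Pass set to False marks a folder whose permissions do not match the guidance on this page.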



Copyright © 2003, SoftArtisans, Inc.