Beyond the security considerations discussed in the previous section, this section will be of particular interest to those hosting web sites, such as Internet Service Providers (ISPs).
SA-FileUp is licensed on a per-server basis. There are no per-user, per-processor or per-concurrent upload license costs. If you are hosting multiple sites or clients on a single server, then every site or client on that server can instantiate SA-FileUp and start performing uploads.
If a single customer purchases SA-FileUp and wants you to install it on your server, it will automatically be available to all customers on that same server. If you would like to limit usage to only a single customer, see below.
When a customer is interested in SA-FileUp, many ISPs elect to purchase SA-FileUp on their behalf. There are several reasons for this:
- The ISP is directly supported by Software Artisans, Inc. rather than passing through the intermediary of their customer.
- The upload and secure download features of SA-FileUp are additional features that can be offered by the ISP to prospective customers.
- The price is reasonable.
An ISP customer cannot install SA-FileUp without the assistance of the ISP. Even if your customer transfers the SAFILEUP.DLL to your server, it still requires administrator access to register the DLL in the system registry. This is step 2 of the installation procedure.
As mentioned previously, by default SA-FileUp will be available to all customers hosted on your web site. With IIS4, it is possible to finely tune security settings on a per-virtual server or per-site basis. If you want to restrict usage of SA-FileUp to particular virtual servers or sites, you must use IIS4. The procedure is as follows:
- Create a specific NT account with "log on locally" rights.
- Using the IIS4 Microsoft Management Console, set the anonymous user for the chosen site to be the newly created account.
- Ensure that the NTFS permissions on SAFILEUP.DLL allow access by the newly created account only, and not IUSR_machine. This will prevent other users from instantiating SA-FileUp.
For maximum security, it would be prudent to occasionally audit your customers' ASP code. In particular, there are two items to be verified:
- That the destinations of the uploads are appropriate directories.
- That SA-FileUp is not instantiated as an ASP Application variable. Instantiating SA-FileUp as an Application variable is a security risk.
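The two audit checks above can be run over a customer's ASP source before a manual review. This is an added example, not SoftArtisans code: it assumes the ProgID `SoftArtisans.FileUp` and that destinations are set through the `Path` property or the `SaveAs` method, and the rule names, sample page and directory paths are constructed for illustration.

```python
import re
from ntpath import normpath  # Windows path rules on any host OS

PROGID = re.escape("SoftArtisans.FileUp")  # assumed ProgID, not stated on the page
CREATE = re.compile(r'Set\s+(.+?)\s*=\s*Server\.CreateObject\(\s*"' + PROGID + r'"\s*\)', re.I)
ALIAS = re.compile(r'Set\s+Application\s*\(.+?\)\s*=\s*(\w+)\s*$', re.I)
OBJECT_TAG = re.compile(r'<object\b(?=[^>]*scope\s*=\s*"?application)(?=[^>]*' + PROGID + ')', re.I)
DEST = re.compile(r'\b(\w+)\.(?:Path\s*=|SaveAs)\s*(.*)$', re.I)  # assumed member names

def _norm(path):
    """Collapse '..' segments, lowercase, and end with one backslash."""
    return normpath(path).lower().rstrip("\\") + "\\"

def audit_asp(source, allowed_dirs):
    """Return (line_no, rule, text) for each line an auditor should look at."""
    allowed = tuple(_norm(d) for d in allowed_dirs)
    instances, findings = set(), []
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if line.startswith("'"):           # VBScript comment line
            continue
        m = CREATE.search(line)
        if m:                              # direct instantiation
            if m.group(1).lower().startswith("application"):
                findings.append((no, "APP_SCOPE", line))
            else:
                instances.add(m.group(1).lower())
            continue
        m = ALIAS.search(line)             # page-level object stored in Application
        if (m and m.group(1).lower() in instances) or OBJECT_TAG.search(line):
            findings.append((no, "APP_SCOPE", line))
            continue
        m = DEST.search(line)
        if m and m.group(1).lower() in instances:
            lit = re.fullmatch(r'"([^"]*)"', m.group(2).strip())
            if lit is None:                # computed at run time: review by hand
                findings.append((no, "DEST_DYNAMIC", line))
            elif not _norm(lit.group(1)).startswith(allowed):
                findings.append((no, "DEST_OUTSIDE", line))
    return findings

# Constructed sample page; the paths and variable names are made up.
SAMPLE = r'''<%
Set upl = Server.CreateObject("SoftArtisans.FileUp")
upl.Path = "d:\sites\custA\uploads"
upl.SaveAs "d:\sites\custA\uploads\..\..\custB\default.asp"
upl.Path = baseDir & "\" & custName
Set Application("uploader") = upl
%>'''
```

Call `audit_asp(SAMPLE, [r"d:\sites\custA\uploads"])` with the directories that customer is allowed to write to; destinations that are not string literals are reported as `DEST_DYNAMIC` because they can only be judged by reading the code.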