Setting Appropriate Security

SA-FileUp executes in a specific user context: IUSR_machine, or an authenticated NT domain login.

Note: There is a known problem in Internet Explorer version 3.02. When performing uploads with NT Challenge/Response Authentication, the browser will report an error of "Could not open site. TBS". There are two solutions to this problem:

1. If you will not be upgrading to IE V4, turn off NT Challenge/Response using the Internet Service Manager, or
2. Upgrade to IE V4 which solves this problem entirely.

For more information about this bug, see Microsoft Knowledge Base article Q169546.

It is the responsiblity of the System Administrator to ensure that NTFS permissions are set correctly so that users performing uploads do not interfere with proper operation of the web server.

The second largest source of our support questions is security (the first is Installation problems). Fortunately, most problems occur because security is too restrictive and SA-FileUp cannot function, rather than interference occuring.

Here are some general guidelines:

• Do prevent write access to critical directories such as "C:\", "C:\WINNT"
• Do audit scripts to ensure that ASP developers are writing to correct locations.
• Do audit scripts to ensure that SA-FileUp is not instanciated as an Application variable.
• Do use the .Path property to set an appropriate file system path to contain the upload cache. SA-FileUp needs a file cache to function. If the .Path property is not set, SA-FileUp will use the default temporary directory of the system, which is typically C:\TEMP. Ideally, use the Path property in all of your web applications and allow IUSR_machine to write to your specific upload directory. As an alternative, ensure that the system temporary directory can be written to by IUSR_machine.
• Don't prevent the IUSR_machine account from reading the system registry, especially the HKEY_CLASSES_ROOT hive.
• Don't prevent the IUSR_machine account from reading the SAFILEUP.DLL file.
• Don't leave the default Everyone-everything permission on a publicly available web server.

Since SA-FileUp is entirely controlled by server-side script, it is unlikely that a user with a browser could interfere with the operation of a web server.

Rather, the responsibility of secure and stable operation falls on the developer of the scripts and the administrator of the system.