Restrict files to server, or other solutions

on 05.03.2007 21:59:13 by RickiRicardo

Here's the issue, we have several hundred users who we share files with
through our IIS 6 server, using ColdFusion. We use a long numerical string
for the folders, but the end files are always the same. For example,
reports.pdf. The problem is, someone could try to guess another's file,
www.xyz.com/longnumberstring/reports.pdf. We'd prefer not to allow that.
One easy answer is to set permissions for the 500 different users or so and
restrict them.

An easier way would be to require them only to access the reports.pdf file
(and others) from the web interface. In other words, it would only respond
if called from a link on the server. So just typing in the URL substituting
out the longnumberstring still wouldn't do it. This idea came from one of
our programmers who assured me this was possible in unix with .htaccess. I
don't know if it is or not, and even so, that doesn't mean I can set that up
in IIS.

Are there any ideas on how to best set this up? We have probably close to
500 users, and each year this information changes so we may well be trapped
in creating this solution every year. The idea of right-clicking on 500
folders and setting permission 500 times, after creating those 500 accounts,
just isn't real appealing to me.

Thanks for any ideas on simplifying the process.

Re: Restrict files to server, or other solutions

on 05.03.2007 23:20:08 by Ken Schaefer

Hi,

a) There is nothing magical about .htaccess that allows you to do this. All
you have available is HTTP, and what that protocol provides. Perhaps your
programmer is thinking of using .htaccess to ensure that the client is
sending the correct "Referer" header, but this is so trivial to spoof that
it really provides only a trivial level of protection.

b) The correct way to do this, as you surmise, is to employ a robust
authentication and authorization system. Windows ACLs are one way to do this
(cacls.exe, xcacls.exe etc). You shouldn't really need to do this via
Explorer. There are command-line tools that allow you to automate the whole
process. Even better would be to integrate it into your report generation
process (i.e. whatever process generates these folders and files will set
the permissions as well via one of the CLI options available to you).

Cheers
Ken

"Ricki_Ricardo" wrote in message
news:249F330E-918E-4D21-A313-7ADCF17110B0@microsoft.com...
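As an added illustration of Ken's point (b), and not code from either poster, here is a PowerShell script that does the "set permissions 500 times" job in one pass, so it can be re-run each year or called from whatever generates the report folders. It assumes a layout of one folder per user under D:\reports, a constructed mapping file mapping.csv with the columns Folder,User, and that a Windows account already exists for each user (all of these are assumptions, not details from the thread). For the NTFS ACL to be enforced per user, anonymous access on the virtual directory must be disabled so IIS authenticates the visitor (e.g. Integrated Windows authentication) and checks the file under that account rather than the anonymous IUSR account; this is what turns "guess another user's longnumberstring" into an access-denied response instead of the PDF.

```powershell
# Added example (not the poster's or Ken's code). Replaces each report folder's
# inherited ACL with an explicit one: administrators and SYSTEM keep full
# control, the folder's owner gets read-only, and nobody else is listed.
# Assumed layout: D:\reports\<longnumberstring>\reports.pdf, plus mapping.csv
# with columns Folder,User (both assumptions, not from the thread).
param(
    [string]$ReportRoot = 'D:\reports',
    [string]$MappingCsv = 'D:\reports\mapping.csv'
)

# Entries apply to the folder, its files and subfolders.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-Rule {
    param([string]$Identity, [string]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $propagate, 'Allow')
}

function Set-ReportFolderAcl {
    param([string]$Path, [string]$User)

    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent and discard the inherited entries, so
    # a permissive ACL on D:\reports cannot leak down into this folder.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop explicit entries left over from a previous year's run.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($rule)
    }

    # Operators keep full control for maintenance and backups.
    $acl.AddAccessRule((New-Rule -Identity 'BUILTIN\Administrators' -Rights 'FullControl'))
    $acl.AddAccessRule((New-Rule -Identity 'NT AUTHORITY\SYSTEM'    -Rights 'FullControl'))

    # The single account this folder belongs to: read and list only.
    $acl.AddAccessRule((New-Rule -Identity $User -Rights 'ReadAndExecute'))

    Set-Acl -Path $Path -AclObject $acl
}

# One row per user; unknown folders are reported rather than silently skipped.
Import-Csv -Path $MappingCsv | ForEach-Object {
    $folder = Join-Path -Path $ReportRoot -ChildPath $_.Folder
    if (Test-Path -Path $folder -PathType Container) {
        Set-ReportFolderAcl -Path $folder -User $_.User
        Write-Host "Locked down $folder for $($_.User)"
    } else {
        Write-Warning "Folder not found: $folder"
    }
}
```

Run it with `-WhatIf`-style caution on a copy first (Set-Acl will not warn before replacing an ACL), and verify one folder afterwards with `(Get-Acl D:\reports\<folder>).Access` to confirm that only the three expected principals remain. Because the script clears and rebuilds the ACL rather than appending to it, re-running it with next year's mapping file removes last year's users automatically instead of accumulating stale entries.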