File manager website Free Installation assistance Manual Home page

Security notes

This page contains a number of things you can do to help you secure the HTTP Commander installation. Take them into account in the course of installing and configuring the product.

• NTFS permissions

  The NTFS permission section contains detailed information about what permissions are required for proper operation of the application. It is recommended that you look through that section after installation is completed.

  The most important facts about NTFS permissions are summarized in the following statements.

  • The HTTP Commander installation directory requires only Read permissions, with a few exceptions. The exceptions are: HttpCommanderSettings.config, web.config files and Data folder. These files require Read and Modify permissions. Do not grant Modify or more powerful permissions to other files. They are never modified in the process of normal operation of application.
  • The maximum permission you need assign to files in HTTP Commander installation folder is Read and Modify. No file or folder requires Full Control permission.
  • Instead of granting Modify permission to the Data folder you may grant that permission to individual .xml files contained in that folder. The application does not need to create additional files in the Data folder, it only need to modify existing data files.
  • Normally you should grant Read and Modify permissions to user data folders, but again Full Control permission is an overkill.

• Location of the Data folder

  By default the Data folder is located in the HTTP Commander installation directory. You may move it to a different folder outside the web site using DataFolderPath parameter. The security implication of moving the Data folder is that you have fewer modifiable files in the application installation folder. An additional benefit, no one can download your configuration files via http.

• Prevent retrieving configuration files

  HTTP Commander stores configuration data on the server in a number of files. For security reasons, it is recommended to prevent users from retrieving them, since they expose sensitive information about the application. The configuration files are: web.config, HttpCommanderSettings.config, .xml file in Data folder. For configuration details see How to protect configuration files (prevent them to be retrieved by users)?.

• Clear text passwords Accounts.xml file

  In the Forms authentication mode HTTP Commander stores the passwords of all registered users in the Accounts.xml file. Enable HashUserPasswords settings to prevent storing clear text password in the configuration file. Clear text password will be replaced with irreversible password hashes.

• Location of user data folders

  Do not place the user data folder in the HTTP Commander installation directory or in any other folder that IIS exports. Publishing IIS exported folders for upload opens a severe security hole in your server protection. You allow users to upload and execute arbitrary code on the server.

  HTTP Commander distribution publishes DemoFolder inside installation folder. This configuration is insecure, it was provided to demonstrate application abilities. You should remove this folder as soon as possible and definitely before you move to an enterprise environment.

  If security considerations are not that important to you, for example, things you might consider insignificant in a test environment, take into account that certain user manipulations of files in an IIS exported folder results in application domain restart, that is restart of the HTTP Commander application. IIS 7 and later monitors the ASP.NET application folder and restarts the application domain when a folder is removed, or files with predefined names are created or modified. See here for details.

• HTTPS protocol

  It is strongly recommended to install a certificate on the web server and configure https protocol. It might be best to require users to always use https protocol instead of http. Applying the https protocol is especially important when basic authentication is used. In the basic authentication scheme, user credentials are sent in plain text over the network. An ill-minded person with sniffer software could easily steal the credentials.

• TCP ports

  HTTP Commander operates over http and https protocols. These protocols are normally bound to port 80 and 443 respectively. Make sure these ports are opened in the server firewall for inbound connections. No other ports are need for inbound access. Note the application may establish a number of outbound connections with domain controllers, file servers in your network, etc.

• Accounts

  HTTP Commander executes code in the security context of a number of accounts on the server. Note that the application does not require any special account to operate. See NTFS permissions section for details of how detect what each account type is.

  • Application pool account. That is typical security context in Forms, Novell EDirectory authentication mode. It is occasionally used in other authentication modes.
  • Anonymous user. This identity is used to run code when no specific user is authenticated, for example logon and logout pages are processed in this security context.
  • End user identity. That is identity of the end user. It is used in Windows and "Forms with Windows users" authentication modes.
  • Special anonymous identity. You need to configure a special identity that is used to serve public links, access from web services, etc. That is when the application is required to provide access to protected files for anonymous users.

• Diagnostics only for administrators

  The Diagnostics.aspx page shows various information about HTTP Commander, the server machine, security context, etc. By default, this information is available to any authenticated user of the application. This information may be very helpful in troubleshooting problems related to HTTP Commander, but it exposes sensitive information about the server and HTTP Commander installation. We recommend that you restrict access to the diagnostics page after completing the configuration process. Set ShowDiagnosticsASPXOnlyForAdmins parameter to true to restrict the range of users who are allowed to view this page to administrators only.

• Folder list restrictions

  HTTP Commander supports a number of settings that control what files and folders to display in WUI. They are

  • HTTP Commander permission: ListFiles, ListFolders, ListRestriction.
  • Settings: Main/HideFilesWithAttributes, Main/HideFilesStartingWithDot.

  All these settings apply only to folder listing function. They do not actually prohibit access to hidden files and folders. For example, if ListRestriction permission hides files with .exe, .com and .but extensions, these files will not be shown in main UI, but you are still allowed to copy, rename, download, delete these files (subject to other HTTP Commander permissions). The HTTP Commander WUI interface does not allow the user to manipulate the hidden files, but the user agent (web browser) can perform any allowed operation on files and folders whether they are shown or not. To perform an operation, user agent would just have to compose the appropriate request and send it to the server the same way it does in response to user actions in web browser.