
Ensuring secure downloads for IIS

@Sarah324

Posted in: #AspNet #Https #Iis

One of my customers wants to make sure that when someone downloads a file from their website, the file being downloaded is secure from third parties capturing the downloaded information. Their site is IIS and is using an SSL certificate.

My question is, are there any other issues I need to be aware of, or is this enough to protect their customers who download these files?



@Ann8826881

Using an SSL certificate will encrypt the communication between client browsers and your website. Depending on how serious your client is about security, two questions that you might want to further consider for downloads are:

1). Can a hacker replace download files with deleterious ones?

If the files are added to your site via FTP or share a common directory with it, then you'll want to spend some time making sure that's secure. The following list of articles might be helpful:
How Do I Configure FTP Security in IIS?

If files are uploaded to your server through server-side scripts or applications, then you'll want to make sure that those are secure as well. This is dependent on the script/application that you use - search for common exploits for those.

You'll also want to make sure access to your server through Remote Desktop Services is disabled unless needed: Disabling Remote Desktop Services features

Lastly, you might want to review other areas of security for IIS: Configuring Security

2). Is the file downloaded the same as the original one?

Some sites list an MD5 or SHA1 hash value of files so that users can verify that the file hasn't been modified. See this for more on that:
Microsoft - How to compute the MD5 or SHA-1 cryptographic hash values for a file

Clients can then use the File Checksum Integrity Verifier (FCIV) utility (or other similar tool) to verify the hash value, as available for download and discussed here:
Microsoft - Availability and description of the File Checksum Integrity Verifier utility

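An added example, not part of the original answer, covering both questions above: the site operator records a digest for every file in the download directory, and the same comparison later shows whether a file on the server was replaced or whether a copy matches the published value. It uses SHA-256 rather than the MD5/SHA-1 the answer mentions, since both of those have practical collision attacks; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(directory):
    """Map each regular file in the download directory to its digest."""
    return {name: file_digest(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}

def audit(directory, manifest):
    """Compare the directory with a trusted manifest and return findings."""
    current = build_manifest(directory)
    findings = {}
    for name, expected in manifest.items():
        if name not in current:
            findings[name] = "missing"
        elif not hmac.compare_digest(current[name], expected.lower()):
            findings[name] = "modified"
    for name in current.keys() - manifest.keys():
        findings[name] = "unexpected"   # file nobody published
    return findings

def demo():
    """Constructed sample: publish two files, then change the directory."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("setup.exe", b"installer v1"), ("readme.txt", b"notes")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)    # keep this copy outside the web root
        clean = audit(d, manifest)
        with open(os.path.join(d, "setup.exe"), "wb") as f:
            f.write(b"different bytes")  # simulated replacement of a download
        os.remove(os.path.join(d, "readme.txt"))
        with open(os.path.join(d, "extra.dll"), "wb") as f:
            f.write(b"dropped file")
        return clean, audit(d, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest is only useful if it is stored and published somewhere an attacker who can write to the download directory cannot also change it.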

