How & where to securely save DLL files on web server?

Posted on 2009-04-25
Last Modified: 2012-05-06
Hello Experts,
I recently set up a new virtual dedicated server using Windows Server 2008 Standard edition. I have a basic question. I would like to upload a DLL file to a secure location on the server. I would like this file saved above the root folder to prevent the ability to download or access the file.

1. Can you please tell me where to create a bin folder for DLL files? Would something like this be recommended?

Bin folder created here: c:\inetpub\wwwroot\bin\
Website Directory created here: c:\inetpub\wwwroot\website1\

2. Once I create the folder and upload the file, are there any special instructions that I need to know to access that DLL in my web page? For example, do I need to register it in any config files? Or anywhere in IIS Manager on the web server? Or does the IIS framework detect DLL files automatically?

I hope my questions are clear. Simply put, I would like a primer on how / where to save DLL files and get them working in my web pages.

Question by:medokr

    Expert Comment

    Wherever you do put it, you need to prevent people browsing that directory if they inadvertently type in the correct URL for the directory. A simple method of doing that is to put a dummy index file in that directory (e.g., index.html).

    Expert Comment

    I thought IIS would automatically restrict access to the bin folder over HTTP - are you finding this to not be the case?

    Expert Comment

    OK, do you mean upload the DLL using HTTP or some other mechanism?  For one I'd never allow a DLL to be uploaded.  All it takes is one little mistake in the configuration or a snooper to realize it's possible and then they could change binaries on your server.

    By default DLL upload/downloads are completely blocked and for good reason.

    If you need to publish web applications to this server from a client server then use WebDAV and tightly restrict who can use WebDAV to only allow yourself or other developers the ability to publish to the web application folder.

    To be honest though, in the team I managed I wouldn't allow any of this.  The ONLY way we allow deploying production websites is by RDP access (by a select few) to the server, then we follow a tight set of guidelines to prepare a duplicate site with the new files, test it then activate it.

    Author Comment

    Thanks for responding!

    moorhouselondon: When using this method I can understand how that will work using a dummy index file. I imagine it could be a redirect file? But does that suggest that the folder is being used for something? I'd rather no one know it exists and not tamper with the folder. At this time, I don't believe this is the approach I would like to take. Thank you for the suggestion.

    daveamour: My experience with IIS is very limited... a few days really. So that's why I am trying to make sure I understand some basics. Does your response suggest it is OK for DLL files to be saved in the directory used to store website files? Or would it be more secure having it above the root of the website? If I don't save it above the root folder for the website, how do I check to make sure it's not accessible? That is read permissions on the folder itself? And that is managed in IIS, correct?

    tedbilly: What I am trying to accomplish is setting up a new website which uses ASP.NET (VB). I currently use a shared server where I am not permitted to manage IIS. We are transitioning from the shared server to a virtual dedicated server where I am administrator. I am responsible for setting up things now.

    I would like to understand how to secure files that shouldn't be available for our website users. For right now that is only DLL files that I want to keep secure. So I really was not sure how to accomplish this in IIS. And based on my experience with the shared server I have used, the hosting company had the bin folder above the root folder for my website. Is this not relevant to security and it was simply how they chose to set up folders on my account? Or is it a safe way to prevent website users from gaining access to files that should be secure?

    In response to your comments:
    You made interesting points. I am the only one that uses this server. It is for our company and no one else has access. We are not hosting other websites. And my DLL files are very simple. They only do the processing for building web page content. Nothing fancy. Is this approach not recommended or am I misunderstanding you?

    I will look into WebDAV soon. And RDP is the same as the remote desktop connection used to connect to the web server?


    Accepted Solution

    By default Windows and IIS are built to maximize security. That includes blocking upload/download of DLLs through any web protocols. Any method other than RDP (Remote Desktop) to install/publish a website is less secure.

    Hosting companies take greater chances because they want to lower their cost, not make sure your site is safe and secure. Don't copy their practices and assume it's a 'Best Practice'. You made the right move taking ownership of your own server, use it to your advantage.

    By default, .NET creates a BIN folder of DLLs. Yes I would use it but I would NOT allow changes to it using FTP, HTTP, HTTPS or even WebDAV if you can avoid it. It sounds like you can use RDP, so use it. That is the safest way to deploy a new website.

    Authoring your own custom DLLs is fine, however I'd strongly recommend you follow best practices for deploying new production copies of a website.

    I've been managing web developers for about 12 years (building sites longer than that). Based on experience here is how we do it.

    Each developer runs Windows Server on their own computer as a development operating system. They run a localhost version of the web site that matches production as closely as possible. This is to guarantee they are accurately mimicking production while they work.

    We have one shared 'Development/QA' server where we practice preparing completed work to make sure it's ready for customer use. This is an even closer match to production without Visual Studio installed. We are trying to create realistic conditions to ensure nothing was missed. This is where our testing is executed.

    We have a UAT (User Acceptance Testing) server or site, where we deploy a copy of the site that has passed testing to be reviewed by stakeholders to ensure it meets their expectation. If it does, then it's ready to deploy to production.

    When we deploy we do NOT overwrite the existing site. We set up a duplicate website using an alternate port like 8000. We confirm the deployment is working then switch it to port 80 and leave the old site for a couple of days in case we have to do an emergency rollback. It's like an 'Undo' for a website.

    Now all that seems like a lot of work but it's based on experience.
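
The staged deployment described in the accepted solution, combined with a check that a DLL in the bin folder cannot be fetched over HTTP, as an added PowerShell example that is not part of the original thread. It assumes the WebAdministration module, PowerShell 3.0 or later, and an old site bound to `*:80:`; the site names, paths, DLL name and rollback port 8001 are hypothetical.

```powershell
# Added example: stage a duplicate IIS site on port 8000, verify it, then switch it to port 80.
Import-Module WebAdministration

$oldSite = 'website1'                      # hypothetical: live site, assumed bound to *:80:
$newSite = 'website1-staged'               # hypothetical: duplicate site name
$newPath = 'C:\inetpub\website1-staged'    # hypothetical: new files, copied in over RDP
$dllName = 'MyLibrary.dll'                 # hypothetical: a DLL present in $newPath\bin

# 1. Create the duplicate site on the alternate port; the live site is untouched.
New-Website -Name $newSite -PhysicalPath $newPath -Port 8000 | Out-Null

# 2. Confirm request filtering still treats "bin" as a hidden segment for this site.
$segments = (Get-WebConfiguration -PSPath "IIS:\Sites\$newSite" `
    -Filter 'system.webServer/security/requestFiltering/hiddenSegments').Collection
if (-not ($segments | Where-Object { $_.segment -eq 'bin' })) {
    throw "'bin' is missing from hiddenSegments; do not go live."
}

# 3. Probe the staged site: the home page must load, the DLL must not be served.
function Get-HttpStatus([string]$Url) {
    try { return [int](Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode }
    catch {
        # 4xx/5xx responses surface as exceptions; recover the status code.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$pageStatus = Get-HttpStatus 'http://localhost:8000/'
$dllStatus  = Get-HttpStatus "http://localhost:8000/bin/$dllName"
if ($pageStatus -ne 200) { throw "Staged site returned HTTP $pageStatus" }
if ($dllStatus -lt 400)  { throw "DLL is downloadable (HTTP $dllStatus)" }   # IIS normally answers 404

# 4. Go live: park the old site on a spare port for rollback, then move the new site to 80.
Set-WebBinding -Name $oldSite -BindingInformation '*:80:'   -PropertyName Port -Value 8001
Set-WebBinding -Name $newSite -BindingInformation '*:8000:' -PropertyName Port -Value 80

# Rollback is the reverse: move $newSite off port 80, then move $oldSite back to 80.
```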

    Author Closing Comment

    Thank you for your help.

    Expert Comment

    Does your response suggest it is OK for DLL files to be saved in the directory used to store website files?
    Yes, that's safe and how it is normally done as far as I'm aware.
