MicroStrategy ONE

Applying File-Level Security

It is important to remember that no matter what kind of security you set up, there is always the possibility that a malicious user can bypass it all by gaining access to the physical machine that hosts the Web application. For this reason, you should make sure that the machine is in a secure location and that you restrict access to the files stored on it using the standard file-level security offered by the operating system.

In typical production environments, only a small number of administrative users are allowed to log on to server machines. All other users either have very limited access to the files and applications on the machine or, better yet, no access at all.

For example, with Microsoft IIS, by default only the "Internet guest user" needs access to the virtual directory. This is the account under which all file access occurs for Web applications. In this case, the Internet guest user needs the following privileges to the virtual directory: read, write, read and execute, list folder contents, and modify.

However, only the administrator of the Web server should have these privileges to the Admin folder in which the Web Administrator pages are located. When secured in this way, if users attempt to access the Administrator page, the application prompts them for the machine's administrator login ID and password.

In addition to the file-level security for the virtual directory and its contents, the Internet guest user also needs full control privileges to the Log folder in the MicroStrategy Common Files, located by default in C:\Program Files (x86)\Common Files\MicroStrategy. This ensures that any application errors that occur while a user is logged in can be written to the log files.
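The following PowerShell check of the three permission expectations above is an added example, not part of the MicroStrategy documentation. The virtual directory and Admin folder paths are placeholders, the account name `IUSR` and the administrator allowlist are assumptions, and the Log path assumes a folder named `Log` under the default Common Files location.

```powershell
# Added example, not MicroStrategy code. Paths marked PLACEHOLDER must be set.
$VirtualDir   = 'C:\PLACEHOLDER\VirtualDirectory'        # placeholder: Web virtual directory
$AdminDir     = 'C:\PLACEHOLDER\VirtualDirectory\Admin'  # placeholder: Admin folder
$LogDir       = 'C:\Program Files (x86)\Common Files\MicroStrategy\Log'  # assumed folder name
$GuestAccount = 'IUSR'   # assumption: name of the Internet guest account
$AdminOnly    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')  # assumption
$fsr = [System.Security.AccessControl.FileSystemRights]

# OR together the rights of every Allow ACE that names the account directly.
# Rights gained through group membership (Users, Everyone) are not resolved.
function Get-DirectAllowMask {
    param([string]$Path, [string]$Account)
    $mask = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and $name -eq $Account) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    $mask
}

# True when the account's direct Allow ACEs cover every bit in $Required.
function Test-Grant {
    param([string]$Path, [string]$Account, [int]$Required)
    ((Get-DirectAllowMask -Path $Path -Account $Account) -band $Required) -eq $Required
}

# Allow ACEs for principals outside the allowlist, listed for review.
function Get-UnexpectedPrincipal {
    param([string]$Path, [string[]]$Allowed)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Allowed -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

[pscustomobject]@{
    # Modify includes read, write, read and execute, and list folder contents.
    GuestModifyOnVirtualDir = Test-Grant $VirtualDir $GuestAccount ([int]$fsr::Modify)
    GuestFullControlOnLog   = Test-Grant $LogDir $GuestAccount ([int]$fsr::FullControl)
    UnexpectedOnAdmin       = @(Get-UnexpectedPrincipal $AdminDir $AdminOnly)
}
```

Inherited entries are included in the Admin folder listing, so a finding with `IsInherited` set to true originates on a parent folder.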

The file-level security described above is all taken care of for you when you install the ASP.NET version of MicroStrategy Web using Microsoft IIS. These details are just provided for your information.

If you are using the J2EE version of MicroStrategy Web, you may be using a different Web server, but most Web servers have similar security requirements. Consult the documentation for your particular Web server for information about file-level security requirements.