Where to store sensitive files
Message
From: 21/06/2010 16:27:21
To: 21/06/2010 14:57:47
Mike Cole
Yellow Lab Technologies
Stanley, Iowa, United States
General information
Forum: ASP.NET
Category: Security
Environment versions
Environment: ASP.NET
Miscellaneous
Thread ID: 01469992
Message ID: 01470028
Views: 53
>I have a large ASP.NET application running on Windows 2003 web server. Parts of the system serve up static files (pdfs, csv, excel, etc) that contain sensitive data. The files are created by certain processes in the system, are uploaded by users and administrators, and are obtained by some integrations with other systems.
>
>Where is the best (most secure, practical) place to store these files? I have been storing them outside of IIS and using .NET code to serve up the file when needed. This has been working fairly well but users have posed concerns about security of these sensitive files, since they are stored on a web server.
>
>It has been suggested to store them in the database, but I would rather not do that.
>
>Any ideas out there? Thanks!

For those files, you might want to make sure they cannot be pulled from a URL. Even if they are outside the IIS root, if you use a virtual path, the user might still want to pull them directly. What I do is have the download process copy the file into a temporary directory, when the user needs it, under a unique name. Then, I have a process which removes those files after about 60 minutes, for example, which should be enough time for the user to download it, unless the file is really big.

So, basically, you are always working with a copy of the master file and only for a temporary period. Thus, all those sensitive files are not accessible massively but only on request, with a generated unique name that only the user who does the hit can download.
Michel Fournier
Level Extreme Inc.
Designer, architect, owner of the Level Extreme Platform
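
A sketch of the copy-and-expire approach described in the reply above, added here as an example and not code from either poster. The class, method and directory parameter names are hypothetical, and it assumes the caller has already checked that the logged-in user is allowed to have the requested file.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added illustration; all names here are hypothetical.
public static class TempDownloadStore
{
    // Lifetime of a staged copy, taken from the 60 minutes mentioned in the post.
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(60);

    // Copies one master file into the staging directory under a random name
    // and returns that name so the caller can build the download link.
    public static string Stage(string masterDir, string stagingDir, string requestedName)
    {
        // Keep only the file-name part so "..\" segments cannot leave masterDir.
        string safeName = Path.GetFileName(requestedName);
        if (string.IsNullOrEmpty(safeName))
            throw new ArgumentException("No file name supplied.", "requestedName");

        string source = Path.Combine(masterDir, safeName);
        if (!File.Exists(source))
            throw new FileNotFoundException("Master file not found.", safeName);

        // 128 bits from the OS CSPRNG make the temporary name unguessable.
        byte[] token = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(token);
        string tempName = BitConverter.ToString(token).Replace("-", "")
                          + Path.GetExtension(safeName);

        Directory.CreateDirectory(stagingDir);
        string dest = Path.Combine(stagingDir, tempName);
        File.Copy(source, dest, false);                  // never overwrite a staged file
        File.SetLastWriteTimeUtc(dest, DateTime.UtcNow); // stamp the copy with staging time
        return tempName;
    }

    // Run from a timer or scheduled task: deletes staged copies older than MaxAge
    // and returns how many were removed.
    public static int Sweep(string stagingDir, DateTime utcNow)
    {
        int removed = 0;
        foreach (string path in Directory.GetFiles(stagingDir))
        {
            if (utcNow - File.GetLastWriteTimeUtc(path) > MaxAge)
            {
                File.Delete(path);
                removed++;
            }
        }
        return removed;
    }
}
```

The master directory stays outside any IIS-mapped path; only the staging directory is reachable, and only by someone who holds the random name during its lifetime.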