Application Upload File Folder
General information
Forum: ASP.NET
Category: Other
Miscellaneous
Thread ID: 01570198
Message ID: 01570400
Views: 43
Ok, thanks Paul. This is somewhat in conflict with feedback I have gotten from others indicating the security risks could be minimized. However, we will take all this info and fold it into our final dispensation.

Bill

>>We have an ASP.NET application that requires uploading and storing of files. A developer here wants to place the upload attachment folder within the application physical folder structure associated with the virtual directories.
>>
>>I do not want to place it there due to the possibility of security issues. Are there accepted practices for the placement of application file upload folders? Is this documented anywhere?
>>
>>Thanks,
>>Bill
>
>Unless the files need to be directly accessible by other users (through IIS), then there isn't any reason to place them in a virtual folder (zero upside in that case, tons of downside). Yes, it's a security risk - you've just made those files available to any user, unless you're using Windows authentication (and each virtual folder where you're storing the files has different permissions for the user(s) that should have access to them).
>
>The other issue you should be aware of is file size problems (both upload file sizes and the storage amount on the server). When possible, I really like storing those files on a different drive. If you ever find yourself in the position where drive space is low, you don't want an end user to be able to upload a file which takes down your webserver (because you ran out of space on the drive it runs on). The other thing I will normally do is rename the file with a GUID and store off the original filename into a table. That keeps me from running into naming collisions.
William A. Caton III
Software Engineer
MAXIMUS
Atlanta, Ga.
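
The storage approach described in the quoted reply (uploads kept outside any virtual directory on a separate drive, a size limit, files renamed to a GUID with the original filename kept in a table), as an added C# example that is not part of the original thread. The `UploadStore` class, the `D:\AppUploads` path, the 10 MB cap and the in-memory dictionary standing in for the database table are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

public static class UploadStore
{
    // Assumption: a folder on a separate drive, outside every IIS virtual directory.
    public const string StorageRoot = @"D:\AppUploads";
    public const long MaxBytes = 10 * 1024 * 1024; // assumed per-file cap

    // Stand-in for the database table that maps stored name -> original filename.
    public static readonly Dictionary<string, string> NameTable =
        new Dictionary<string, string>();

    public static string Save(Stream upload, string clientFileName)
    {
        // Keep only the leaf name; the client-supplied path is never used on disk.
        string original = Path.GetFileName(clientFileName ?? string.Empty);
        if (original.Length == 0)
            throw new ArgumentException("Missing file name.", "clientFileName");

        // The on-disk name is a GUID with no extension, so names cannot collide
        // and nothing about the stored file name is chosen by the uploader.
        string storedName = Guid.NewGuid().ToString("N");
        string path = Path.Combine(StorageRoot, storedName);

        Directory.CreateDirectory(StorageRoot);
        long written = 0;
        bool tooLarge = false;
        var buffer = new byte[81920];
        using (var target = new FileStream(path, FileMode.CreateNew, FileAccess.Write))
        {
            int read;
            while ((read = upload.Read(buffer, 0, buffer.Length)) > 0)
            {
                written += read;
                if (written > MaxBytes) { tooLarge = true; break; }
                target.Write(buffer, 0, read);
            }
        }
        if (tooLarge)
        {
            File.Delete(path); // do not leave partial files consuming disk space
            throw new InvalidOperationException("Upload exceeds the size limit.");
        }
        NameTable[storedName] = original; // record the mapping only after success
        return storedName;
    }
}
```

Because the folder is not mapped into IIS, a stored file can only be returned by application code that looks up the GUID and applies its own access check.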