Protecting the Setup Folder During Upgrade

Author
APGvNext Sam
vNext Dev
  • Total Posts : 13240
  • Joined: 2001/05/23 00:00:00
  • Status: offline
2013/05/20 02:40:11 (permalink) Setup
0

Protecting the Setup Folder During Upgrade

If you are concerned about the security of the setup program during upgrade, rest assured that the only action the setup program can do is execute one SQL script, the upgrade script, against your db.
 
In other words, the setup program that comes with the upgrade package does not contain the full installation / uninstallation / full-text index scripts.
 
And the upgrade script can only be executed once, so once you execute it, the setup program becomes useless. If you follow the upgrade instruction, you will then delete the setup folder meaning no one will be able to access it any more.
 
If you still are concerned, you can use forms authentication + Authorization to protect the ~/setup folder:
 
Step 1: Manually create a web.config file (empty)
 
Step 2: Add the following to the web.config file you just created:
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="Samuel" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

Step 3: Change "Samuel" to your forum's system admin user name (not screen name). Make sure you are logged in as the system admin.
 
Step 4: Save and upload the web.config to the ~/setup folder
 
Step 5: The setup folder will now be only accessible to you.
#1
Jump to:
© 2021 APG vNext Commercial Version 5.5