Server Security

Hey all!

I'm building this website in ASP, and as i've been taught, I use relative paths to images and such. I also want to use the "<--#include virtual="filepath" -->" thing in my pages, so it's easier to correct structural changes that I maybe have to make in the near future (there are over 100 pages on this site - since I cannot use a database - and so it's easier to correct 1 file than 100 files).

But the people that will host the site have all relative paths disabled. Now is my question: Is it necessary to disable relative paths if you have NTFS security? You set your security on NTFS level, so if hackers would use the relative path thing to go through all the files on the server, they should not get access to any of the files, right? Or is the NTFS security not enough?

Thanks for reading and maybe answering...

My host allows relative paths, but they happen to know what they are doing. If you are casual with your server, closing off relative paths makes it easier to keep your server secure.

This hosting company is not known for putting a lot of work into anything, so that may explain it.... Thanks!

If you google you will find much information on this issue. If you use proper permissions and run each IIS website in it's own user context, parent paths are not a big risk, but if you run IIS in a single user context it's possible to include files from different websites if you can guess the physical path. You don't want to let the developer from website A include the global.asa file from website B, for example.