To elaborate a bit on this point, I'd like to know how secure are documents hosted on an IIS website with the following configuration:
- IIS Directory Listing Disabled
- Anonymous Access is Enabled
- Site is accessed via HTTPS only
- Files have very long, randomly generated names (similar to a GUID plus other characters)
I believe that this is a relatively secure setup (I understand it's not as secure as truly authenticated access). I would like to know if I'm seeing this big wall yet it would be easily circumvented by someone with more knowledge than myself.
I guess what I'm looking for are ways one could get around the setup I have outlined above.
Insecure. You are relying on Security through Obscurity, which is never a good idea. If someone guesses your file names (or your "random" names aren't random enough and someone can derive what the names are after seeing one name) they can grab the files.
That being said, the level of security may be appropriate for what you're trying to do. Without knowing how sensitive your data is, it's impossible to say for sure.
While most people won't publicly admit it, many websites are set up using an approach similar to yours. You basically are using the filenames as passwords. Anyone that knows the password can access the file, but unless a vulnerability is found in IIS or some other side channel attack is used, your files cannot be accessed remotely without knowing the correct "password".
You mentioned using HTTPS, which means that the URLs will be encrypted and not visible via a packet sniffer. However, any clients that receive the URL are free to share that URL with the world. If Google ever gets a hold of a link to your files, they will instantly become publicly available (even cached if they are HTML/TXT/PDF/DOC format). You can try preventing this by changing your robots.txt file to prohibit crawling, but even that cannot guarantee that the files will not be made publicly available.
Since the file name is your only access control mechanism, you should make sure that it meets minimum complexity requirements. I'd recommend at least 10-20 random characters, which would limit the effectiveness of a brute force attack. Also, you may want to consider periodically changing the file names, just like you would periodically change your password. Also you may want to adjust the local NTFS file permissions on the folder to prevent anyone but system administrators and the IIS/ASP.NET accounts from accessing that folder.
In this case your files would meet an acceptable level of security, but would still be susceptible to attacks that would be prevented by normal username/password authentication. Simple things like a client's browser history, toolbar, and extensions would all have access to the URLs that they visit, so if your files contain state secrets or federally protected information (medical records, credit card numbers, etc.), you probably want to add a bit more security.
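The two answers above turn on whether the names are "random enough" and long enough. The following is an added example, not code from any of the posters: it generates a name from the OS CSPRNG, estimates the search space for the 10-20 character lengths mentioned, and flags GUID-style names that are not version 4. The 62-character alphabet, the guess rate and the sample GUIDs are constructed assumptions.

```python
import math
import secrets
import uuid

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def years_to_search_half(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit one specific name (half the space on average)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

def new_file_token(n_bytes: int = 16) -> str:
    """Name component from the OS CSPRNG; 16 bytes = 128 bits, 22 URL-safe chars."""
    return secrets.token_urlsafe(n_bytes)

def audit_guid_name(name: str) -> dict:
    """Classify a GUID-style name. Only version 4 GUIDs are random (122 bits)."""
    u = uuid.UUID(name)
    if u.version == 4:
        return {"version": 4, "random_bits": 122, "predictable": False}
    # Version 1 embeds a timestamp and node id, so names issued around the same
    # time resemble each other. Any non-v4 GUID is conservatively flagged here.
    return {"version": u.version, "random_bits": 0, "predictable": True}

# Constructed sample names (not taken from any real site).
SAMPLE_V1 = "c232ab00-9414-11ec-b3c8-9e6bdeced846"
SAMPLE_V4 = "3f2b8c1e-7d4a-4e9b-a1c6-5d8f0e2b7a94"

if __name__ == "__main__":
    # Assumption: alphanumeric names (62 symbols), 1000 guesses per second.
    for length in (10, 20):
        bits = entropy_bits(length, 62)
        print(f"{length} chars: {bits:.1f} bits, "
              f"{years_to_search_half(bits, 1000):.2e} years at 1000 guesses/s")
    print("new token:", new_file_token())
    for sample in (SAMPLE_V1, SAMPLE_V4):
        print(sample, audit_guid_name(sample))
```

These figures only hold if every character really comes from a cryptographic generator; a name built from a timestamp or a counter has far less entropy than its length suggests.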