I’m looking at the possibility of using the BITS (Background Intelligent Transfer Service) to move packets of private data from a central server to individual client machines. BITS, for those who haven’t messed with it, is a really useful service built into XP and Windows Server 2003 (and available for download for Win2K) that manages background downloading and uploading of data. It is used by Windows Update, and APIs are available for any application to use it as well.
Cool beans for downloading an automatic update for your application, or for getting an updated data file for your virus scanner. Even good for applications to share things like domain data (drop-down lists that change infrequently). It is fine for secure download, since it supports transfer over HTTPS, but doesn’t do any verification of the content on the client end… that is up to you. A few gotchas for secure upload as well, since the temporary file that the data is uploaded into has to be kept secure by code or configuration that is outside of BITS. Still, a pretty darn useful tool.
Thing is: if I want to create a COLD report on a server, containing large amounts of private data, and download it to a client workstation, using BITS appears problematic. This is outside of the intent of the service, I know. I’m just wondering if the visible obstacles would be hard to overcome. This includes things like controlling access to the file on the server (since the web site in question does not, as of yet, use Active Directory to control access… so there are no group ACLs that I can use. On the surface, this means that each COLD report is essentially available to everyone… bad for security), and informing the server that the transfer is complete (a web service… I suppose).
Even with HTTPS transfer, we’d need to add bits to ensure that the data arrives secure, intact and unaltered. Not necessary for downloads of an application update or a virus file, but pretty darn necessary for private data files.
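One way to do the client-side check that BITS leaves to the application, as an added example that is not part of the original post: the client recomputes an HMAC-SHA256 over the finished download and only promotes the file to its final name if the tag matches, deleting it otherwise. It assumes the server publishes a tag for each report over a separate authenticated channel and that a per-client key is already provisioned; the function names, file names, key and report contents are all constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # read size; keeps memory flat for large reports


def file_hmac(path, key):
    """Stream the file through HMAC-SHA256 and return the hex tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()


def accept_download(staged_path, final_path, expected_tag_hex, key):
    """Promote a completed transfer only if its tag matches; else delete it."""
    actual = file_hmac(staged_path, key)
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(actual, expected_tag_hex.strip().lower()):
        os.remove(staged_path)  # never leave unverified private data on disk
        return False
    os.replace(staged_path, final_path)  # atomic rename on the same volume
    return True


def demo():
    """Run one intact and one altered transfer (constructed sample data)."""
    key = b"constructed-demo-key-not-for-production"
    body = b"ACCT 0001  BALANCE 100.00\n" * 1000
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()  # server-side tag
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, tamper in (("intact", False), ("altered", True)):
            staged = os.path.join(d, name + ".partial")
            final = os.path.join(d, name + ".rpt")
            with open(staged, "wb") as fh:
                fh.write(body.replace(b"100.00", b"900.00", 1) if tamper else body)
            ok = accept_download(staged, final, tag, key)
            # (accepted, final file exists, staged file still exists)
            results[name] = (ok, os.path.exists(final), os.path.exists(staged))
    return results


if __name__ == "__main__":
    print(demo())
```

The tag covers integrity and origin only; confidentiality in transit still depends on the HTTPS transfer, and the key must not travel alongside the file.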
I’ll post a blog entry if I find anything that helps with securing the server file. I suppose I could write an HTTP Filter that checks a SQL database for authentication before allowing access to static content… (sounds like an excuse to fire up MSN Search…). If you have suggestions, please post a reply.