security in passowrd proteced site and files

If i want to write a program where a user that needs to login can upload and download files (pdf's,word) but security is important ---
meaning i want the admin to be able to download the word or pdf but no user (without usernames and password to log into the program) to be able to find it by trying to type it's name under the domain.

I am planning to do this in asp & sqlserver as this way admins all over can access the files but I want all the info to be secure.
How can I do the thing with uploading and downloading files and what other security measures do I need to take?
There is not credit card info but personal info -- would there be any reason to purchase an ssl certificate?
What else can I do to keep it secure?

By default, upload files to a directory outside your wwwroot. Password-protect the directory.
Rename files as they are uploaded.
Keep their names in a password-protected database server.
Use a server-side component to manage file downloads, rather than creating a direct link to files.

The database is still the weakest link - it usually is - but if you're using a SQL Server database then there's a lot you can do to secure it, virtually and physically. And there should be no way then to get a list of files.

By default, upload files to a directory outside your wwwroot. Password-protect the directory.
Rename files as they are uploaded.
Keep their names in a password-protected database server.
Use a server-side component to manage file downloads, rather than creating a direct link to files.

The database is still the weakest link - it usually is - but if you're using a SQL Server database then there's a lot you can do to secure it, virtually and physically. And there should be no way then to get a list of files.


how do i password protect the directory? what kind of server side componenet for downloading.. can i do the uploading with aspupload -- is that secure.

What would you do to secure the sql server db?