See the official online handbook for more information about securing private files. The information about private files starts at the "Managing file locations and access" header.
Drupal provides configuration settings to control whether, and how, users and administrators can upload files for use by Drupal.
The setup page for File system path or Directory and Download method can be accessed by going to:
Administer > Site configuration > File system
The default Drupal setting for the File system path is sites/default/files. When you run across a text box in Drupal for specifying a directory to store files, generally the root is sites/default/files. It is good to have all files going to the files directory or directories within the files directory. Having your files in one place will make backups easier to accomplish.
The default Drupal Temporary directory is /tmp. This is where uploaded files will be stored during previews before saving.
The default Drupal Download method is Public - files are available using HTTP directly.
Note: Un-configured or improperly configured Drupal installations may display one or more error messages at the top of the "File system settings" page, indicating that either the "Temporary directory" or "File system path" directories do not exist and/or their permissions are not set properly. Simply create these directories and set their permissions so that Drupal can write and read from the directory.
Drupal creates these directories for you in most cases. Generally you can create directories using FTP(file transfer protocol) software such as Filezilla.
To create a directory, connect to your server with FTP, navigate to the location needed, right click, choose 'create directory' and give it a name. To set permissions for the directory, right click the directory and choose file permissions or properties.
If you are unsure about where or how to create directories or how to change their permissions, the best place to get help is in the Drupal forums. When posting in the Forum, please use a descriptive title for the post..