• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 362
  • Last Modified:

web apps uploaded files

Our web development team are developing a web app to handle tenders for procurement exercises. They need to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share. What kind of security designs would you be looking for in your application here to accomplish this ? For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)? I am not a developer myself so please keep answers basic management friendly if possible.
0
pma111
Asked:
pma111
  • 4
  • 4
  • 3
  • +2
4 Solutions
 
dimmergeekCommented:
Instead of develeoping your own app, why not use SharePoint?  It is designed for exactly this.  Users can checkout docs, edit, modify and re-upload.  You will have a living docuent history with all revisions and know who made what changes when...
0
 
Jerry MillerCommented:
For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)?

If you have documents that you do not want the users to update, I would prevent them from uploading into that folder, give them read-only on that directory or those documents. If normal users cannot upload, then you simply have to look at the modified file timestamp to determine that it hasn't been altered.

You can't control what users do to the document when it is on their computer. It is no longer your document at that point, it is theirs. So preventing them from uploading is probably your best option.
0
 
pma111Author Commented:
For apps that allow you to upload documents, is there typically a default folder where the files go to, say on a server running IIS, would there be default IIS folders where documents would reside, or is the folder where the document ends up totally dependant on the code of the application? I was thinking if the docs are uploaded to a server share i.e. default IIS folders, then anyone with access to those directories could also amend the files.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
Jerry MillerCommented:
I wouldn't store documents on the web server. There should be a file share or FTP server used for this purpose. The file location can determined through code by the developers.

If you store files on the IIS server, and many of us have to due to budget concerns, create a folder for that purpose and only grant read permissions to all users except administrators.

If the application is still in design phase, you can have them explore role based authentication. This will allow them to determine a users access to a resource (page, folder, etc.) based on the authenticated users role in the system. This gives you some flexibility and provides security on a resource level.
0
 
Paul SauvéRetiredCommented:
Another solution is to have those who tender offers digitally sign the Word document.

Digitally Sign Microsoft Office DocumentsProve document origin, add approval signatures, and prevent tampering
A digital signature is the virtual equivalent of a wet ink signature, carrying the signer’s identity and assuring the reader of the document’s integrity.

Placing a digital signature on a document proves the information originated with the signer and has not been altered, allowing secure electronic document workflows to replace tedious, paper-based processes.
0
 
pma111Author Commented:
Thanks jmiller1979 - is access to what users can do with uploaded documents (i.e. read only, modify etc) configured somewhere within IIS? Or do the actual windows NTFS permissions transfer to the application itself? I was never sure how the servers file system, app and IIS tie up together when it comes to access control?
0
 
pma111Author Commented:
paulsauve - where does the digital signature take place? Is this done with special software before you upload the document? Or is this something that takes place on the web server itself, and sends perhaps like a digital receipt to the uploader?

I was just a bit unsure how the uploader would know if their document had been edited, and how easy it would be to spot that the document had been edited? Or how a process would work so that the procurement team could demonstrate at a later date they hadn't amended the actual content of the document, if say they downloaded the document and saved it to an NTFS share with all the other tender documents .
0
 
bunnyvilleCommented:
I cannot imagine why you'd want to store files on the IIS servers themselves with documents that sensitive. I would agree with  dimmergeek that SharePoint is built to do this very sort of thing and handle security as well.
0
 
Paul SauvéRetiredCommented:
It is incumbent upon the author of the document to procure a digital signature, also called a Security Certificate, and insert it in the document before sending it.

You can add this as a requirement to those who tender offers. IMHO, it is really the only way to assure the integrity of a document. I would attach a Word doc, but my email address will show up... See my profile.....
0
 
pma111Author Commented:
Any particular view Paulsauve why the sharepoint type application and access control is less secure than the digital signature option?
0
 
dimmergeekCommented:
SharePoint can handle everything being discussed here, require no application development and can be deployed right away in you Microsoft shop.  Additionally, you get support from MS, as opposed to growing pains of developing an app and needing to manage/support it yourself.
0
 
Paul SauvéRetiredCommented:
My understanding of your problem is: to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share.

My view is that if you DON'T have SharePoint, a digitally signed document is obviously an easier path than developing or purchasing software. And it will be up to those submitting documents to assure that the docs are digitally signed. These certificates foe MS documents can be had for less than $100 per year! Digital Signatures for Word Documents
0
 
dimmergeekCommented:
paulsauve, that is a great solution, but still requires the user to perform the action of attaching the signature.  You're still relying on a human to do as he/she is asked.
0
 
Paul SauvéRetiredCommented:
If a supplier wants to do business with you and digitally signed documents are a requirement to get in the door, then they will most likely comply with the requirement.

But, obviously, this is not the ONLY solution - it's the solution I suggested.
0
 
bunnyvilleCommented:
Agree with paulsuave
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 4
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now