Solved

web apps uploaded files

Posted on 2013-12-02
15
323 Views
Last Modified: 2013-12-18
Our web development team are developing a web app to handle tenders for procurement exercises. They need to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share. What kind of security designs would you be looking for in your application here to accomplish this ? For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)? I am not a developer myself so please keep answers basic management friendly if possible.
0
Comment
Question by:pma111
  • 4
  • 4
  • 3
  • +2
15 Comments
 
LVL 7

Assisted Solution

by:dimmergeek
dimmergeek earned 125 total points
ID: 39690543
Instead of develeoping your own app, why not use SharePoint?  It is designed for exactly this.  Users can checkout docs, edit, modify and re-upload.  You will have a living docuent history with all revisions and know who made what changes when...
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 125 total points
ID: 39690578
For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)?

If you have documents that you do not want the users to update, I would prevent them from uploading into that folder, give them read-only on that directory or those documents. If normal users cannot upload, then you simply have to look at the modified file timestamp to determine that it hasn't been altered.

You can't control what users do to the document when it is on their computer. It is no longer your document at that point, it is theirs. So preventing them from uploading is probably your best option.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690591
For apps that allow you to upload documents, is there typically a default folder where the files go to, say on a server running IIS, would there be default IIS folders where documents would reside, or is the folder where the document ends up totally dependant on the code of the application? I was thinking if the docs are uploaded to a server share i.e. default IIS folders, then anyone with access to those directories could also amend the files.
0
 
LVL 18

Expert Comment

by:Jerry Miller
ID: 39690630
I wouldn't store documents on the web server. There should be a file share or FTP server used for this purpose. The file location can determined through code by the developers.

If you store files on the IIS server, and many of us have to due to budget concerns, create a folder for that purpose and only grant read permissions to all users except administrators.

If the application is still in design phase, you can have them explore role based authentication. This will allow them to determine a users access to a resource (page, folder, etc.) based on the authenticated users role in the system. This gives you some flexibility and provides security on a resource level.
0
 
LVL 31

Accepted Solution

by:
Paul Sauvé earned 125 total points
ID: 39690639
Another solution is to have those who tender offers digitally sign the Word document.

Digitally Sign Microsoft Office DocumentsProve document origin, add approval signatures, and prevent tampering
A digital signature is the virtual equivalent of a wet ink signature, carrying the signer’s identity and assuring the reader of the document’s integrity.

Placing a digital signature on a document proves the information originated with the signer and has not been altered, allowing secure electronic document workflows to replace tedious, paper-based processes.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690644
Thanks jmiller1979 - is access to what users can do with uploaded documents (i.e. read only, modify etc) configured somewhere within IIS? Or do the actual windows NTFS permissions transfer to the application itself? I was never sure how the servers file system, app and IIS tie up together when it comes to access control?
0
 
LVL 3

Author Comment

by:pma111
ID: 39690659
paulsauve - where does the digital signature take place? Is this done with special software before you upload the document? Or is this something that takes place on the web server itself, and sends perhaps like a digital receipt to the uploader?

I was just a bit unsure how the uploader would know if their document had been edited, and how easy it would be to spot that the document had been edited? Or how a process would work so that the procurement team could demonstrate at a later date they hadn't amended the actual content of the document, if say they downloaded the document and saved it to an NTFS share with all the other tender documents .
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Assisted Solution

by:bunnyville
bunnyville earned 125 total points
ID: 39690705
I cannot imagine why you'd want to store files on the IIS servers themselves with documents that sensitive. I would agree with  dimmergeek that SharePoint is built to do this very sort of thing and handle security as well.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39690781
It is incumbent upon the author of the document to procure a digital signature, also called a Security Certificate, and insert it in the document before sending it.

You can add this as a requirement to those who tender offers. IMHO, it is really the only way to assure the integrity of a document. I would attach a Word doc, but my email address will show up... See my profile.....
0
 
LVL 3

Author Comment

by:pma111
ID: 39690804
Any particular view Paulsauve why the sharepoint type application and access control is less secure than the digital signature option?
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39690899
SharePoint can handle everything being discussed here, require no application development and can be deployed right away in you Microsoft shop.  Additionally, you get support from MS, as opposed to growing pains of developing an app and needing to manage/support it yourself.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39691088
My understanding of your problem is: to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share.

My view is that if you DON'T have SharePoint, a digitally signed document is obviously an easier path than developing or purchasing software. And it will be up to those submitting documents to assure that the docs are digitally signed. These certificates foe MS documents can be had for less than $100 per year! Digital Signatures for Word Documents
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39691093
paulsauve, that is a great solution, but still requires the user to perform the action of attaching the signature.  You're still relying on a human to do as he/she is asked.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39691103
If a supplier wants to do business with you and digitally signed documents are a requirement to get in the door, then they will most likely comply with the requirement.

But, obviously, this is not the ONLY solution - it's the solution I suggested.
0
 

Expert Comment

by:bunnyville
ID: 39691472
Agree with paulsuave
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now