Solved

web apps uploaded files

Posted on 2013-12-02
15
327 Views
Last Modified: 2013-12-18
Our web development team are developing a web app to handle tenders for procurement exercises. They need to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share. What kind of security designs would you be looking for in your application here to accomplish this ? For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)? I am not a developer myself so please keep answers basic management friendly if possible.
0
Comment
Question by:pma111
  • 4
  • 4
  • 3
  • +2
15 Comments
 
LVL 7

Assisted Solution

by:dimmergeek
dimmergeek earned 125 total points
ID: 39690543
Instead of develeoping your own app, why not use SharePoint?  It is designed for exactly this.  Users can checkout docs, edit, modify and re-upload.  You will have a living docuent history with all revisions and know who made what changes when...
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 125 total points
ID: 39690578
For any web apps whereby users can upload content, how can you ensure if hasn't been tampered with, i.e. what the user has uploaded is what is resident on the web server (or wherever the uploaded document actually resides)?

If you have documents that you do not want the users to update, I would prevent them from uploading into that folder, give them read-only on that directory or those documents. If normal users cannot upload, then you simply have to look at the modified file timestamp to determine that it hasn't been altered.

You can't control what users do to the document when it is on their computer. It is no longer your document at that point, it is theirs. So preventing them from uploading is probably your best option.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690591
For apps that allow you to upload documents, is there typically a default folder where the files go to, say on a server running IIS, would there be default IIS folders where documents would reside, or is the folder where the document ends up totally dependant on the code of the application? I was thinking if the docs are uploaded to a server share i.e. default IIS folders, then anyone with access to those directories could also amend the files.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 18

Expert Comment

by:Jerry Miller
ID: 39690630
I wouldn't store documents on the web server. There should be a file share or FTP server used for this purpose. The file location can determined through code by the developers.

If you store files on the IIS server, and many of us have to due to budget concerns, create a folder for that purpose and only grant read permissions to all users except administrators.

If the application is still in design phase, you can have them explore role based authentication. This will allow them to determine a users access to a resource (page, folder, etc.) based on the authenticated users role in the system. This gives you some flexibility and provides security on a resource level.
0
 
LVL 31

Accepted Solution

by:
Paul Sauvé earned 125 total points
ID: 39690639
Another solution is to have those who tender offers digitally sign the Word document.

Digitally Sign Microsoft Office DocumentsProve document origin, add approval signatures, and prevent tampering
A digital signature is the virtual equivalent of a wet ink signature, carrying the signer’s identity and assuring the reader of the document’s integrity.

Placing a digital signature on a document proves the information originated with the signer and has not been altered, allowing secure electronic document workflows to replace tedious, paper-based processes.
0
 
LVL 3

Author Comment

by:pma111
ID: 39690644
Thanks jmiller1979 - is access to what users can do with uploaded documents (i.e. read only, modify etc) configured somewhere within IIS? Or do the actual windows NTFS permissions transfer to the application itself? I was never sure how the servers file system, app and IIS tie up together when it comes to access control?
0
 
LVL 3

Author Comment

by:pma111
ID: 39690659
paulsauve - where does the digital signature take place? Is this done with special software before you upload the document? Or is this something that takes place on the web server itself, and sends perhaps like a digital receipt to the uploader?

I was just a bit unsure how the uploader would know if their document had been edited, and how easy it would be to spot that the document had been edited? Or how a process would work so that the procurement team could demonstrate at a later date they hadn't amended the actual content of the document, if say they downloaded the document and saved it to an NTFS share with all the other tender documents .
0
 

Assisted Solution

by:bunnyville
bunnyville earned 125 total points
ID: 39690705
I cannot imagine why you'd want to store files on the IIS servers themselves with documents that sensitive. I would agree with  dimmergeek that SharePoint is built to do this very sort of thing and handle security as well.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39690781
It is incumbent upon the author of the document to procure a digital signature, also called a Security Certificate, and insert it in the document before sending it.

You can add this as a requirement to those who tender offers. IMHO, it is really the only way to assure the integrity of a document. I would attach a Word doc, but my email address will show up... See my profile.....
0
 
LVL 3

Author Comment

by:pma111
ID: 39690804
Any particular view Paulsauve why the sharepoint type application and access control is less secure than the digital signature option?
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39690899
SharePoint can handle everything being discussed here, require no application development and can be deployed right away in you Microsoft shop.  Additionally, you get support from MS, as opposed to growing pains of developing an app and needing to manage/support it yourself.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39691088
My understanding of your problem is: to be able to demonstrate the uploaded tenders (word documents) have not been tampered with either when sat in the application or when the word document is dragged off the app onto a network share.

My view is that if you DON'T have SharePoint, a digitally signed document is obviously an easier path than developing or purchasing software. And it will be up to those submitting documents to assure that the docs are digitally signed. These certificates foe MS documents can be had for less than $100 per year! Digital Signatures for Word Documents
0
 
LVL 7

Expert Comment

by:dimmergeek
ID: 39691093
paulsauve, that is a great solution, but still requires the user to perform the action of attaching the signature.  You're still relying on a human to do as he/she is asked.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 39691103
If a supplier wants to do business with you and digitally signed documents are a requirement to get in the door, then they will most likely comply with the requirement.

But, obviously, this is not the ONLY solution - it's the solution I suggested.
0
 

Expert Comment

by:bunnyville
ID: 39691472
Agree with paulsuave
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Because your company can’t afford for you to make SEO mistakes, you’ll want to ensure you’re taking the right steps each and every time you post a new piece of content. This list of optimization do’s and don’ts can help you become an SEO wizard.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now