We're looking to improve security on our webserver by checking each website directory periodically for files that have not been digitally signed by us.

The decision to do this has come from someone above me but I need to go back with the following:

How can you digitally sign files?
A website can potentially have thousands of files - can you batch sign all of them before uploading to the server?
Is this a practical approach or are there other methods we could employ to make sure no files have been uploaded without being digitally signed?

Thanks

Re: Digitally Signing files by Jerry

Jerry
Wed May 19 10:07:01 CDT 2004

It isn't, as most files are not suitable for digital signatures. Images or
ASP (text) files, for example, cannot be digitally signed since the digital
signature will alter the file, rendering it unusable.

Jerry

"Andrew Banks" <anonymous@discussions.microsoft.com> wrote in message
news:DC8747A1-2FE0-4085-B42F-7F096CA95000@microsoft.com...
> We're looking to improve security on our webserver by checking each
> website directory periodically for files that have not been digitally signed
> by us.
>
> The decision to do this has come from someone above me but I need to go
> back with the following:
>
> How can you digitally sign files?
> A website can potentially have thousands of files - can you batch sign all
> of them before uploading to the server?
> Is this a practical approach or are there other methods we could employ to
> make sure no files have been uploaded without being digitally signed?
>
> Thanks



Re: Digitally Signing files by Jay

Jay
Wed May 19 10:09:59 CDT 2004

I would look at Tripwire as a possible solution. Tripwire makes a snapshot of
the files and directories, and will notify you of any changes, additions,
deletions, moves, or replacements. Go to www.tripwire.com

--


Jay Ferron ADSI, CISM, CISSP, MCP, MCDBA, MCSE, MCT, NSA - IAM, TCI




Digitally Signing files by Lisa_at_work

Lisa_at_work
Wed May 19 16:19:29 CDT 2004

One thing we have tried and had a bit of success with is
to burn the www site onto a CD and use that CD as the
virtual directory for the www site. This way we know that
no one can modify anything. When we update the www site we
simply burn a new CD and replace the one in the server
with the new one. Unless a hacker can gain physical access
to our www server we don't need to worry about files being
replaced.

However, this doesn't work as well in an eCommerce
environment as it does in a static content environment.

Additionally, the CD with the current www site on it is a
good tool to have around for Disaster Recovery purposes...

HTH

Lisa




Re: Digitally Signing files by Dave

Dave
Wed May 19 17:22:59 CDT 2004

Wouldn't anything added to HTML or other simple text files on a web server
be visible to anyone doing a 'view source' in their browser? If all your
pages are ASP or generated by some other script, that may not be a problem.
I would recommend that instead of adding something to each file, which as
you correctly determined could be quite a job, you instead do a CRC or
checksum type signature of each file and save that for comparison later.
Other things to think about are how you sign graphics without potentially
breaking them for the various different web browsers out there. You might
find that adding a signature to a .gif works OK on one browser but breaks
another one... then what about JPGs, MPGs, Shockwave or other special file
types? Each one may need a different type of signature addition mechanism
and may affect the usability of the site, whereas the checksum inventory type
of system has been used for many years for detecting corrupted or
tampered-with files. You could even go one better and, after creating the web
site, burn it to a CD or DVD; then when you want to audit your contents just
compare file by file to the backup... That would give you instant recovery
capability by just copying the backup to the site.

"Lisa_at_work" <anonymous@discussions.microsoft.com> wrote in message
news:f6f901c43de6$f8a21240$a501280a@phx.gbl...
> One thing we have tried and had a bit of success with is
> to burn the www site onto a CD and use that CD as the
> virtual directory for the www site. This way we know that
> no one can modify anything. When we update the www site we
> simply burn a new CD and replace the one in the server
> with the new one. Unless a hacker can gain physical access
> to our www server we don't need to worry about files being
> replaced.
>
> However, this doesn't work as well in an eCommerce
> environment as it does in a static content environment.
>
> Additionally, the CD with the current www site on it is a
> good tool to have around for Disaster Recovery purposes...
>
> HTH
>
> Lisa
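The checksum inventory suggested in the reply above, applied to the original batch-signing question, as an added example that is not code from any poster in this thread: every file is hashed into one manifest and only the manifest is authenticated, so the site files themselves stay byte-for-byte unchanged. It uses SHA-256 rather than a CRC and, as an assumption, an HMAC with a key kept off the web server in place of a public-key signature; all function names are hypothetical.

```python
import hashlib
import hmac
import json
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}


def seal(manifest, key):
    """Serialise the manifest and attach an HMAC-SHA256 tag computed over it."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "tag": tag})


def open_sealed(sealed, key):
    """Return the trusted manifest, or raise ValueError if it was altered."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("manifest tag mismatch")
    return json.loads(doc["manifest"])


def audit(root, sealed, key):
    """Report files added, removed or modified since the manifest was sealed."""
    trusted = open_sealed(sealed, key)
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
        "modified": sorted(p for p in trusted.keys() & current.keys() if trusted[p] != current[p]),
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as site:  # constructed sample site
        Path(site, "index.html").write_text("<h1>home</h1>")
        sealed = seal(build_manifest(site), b"demo-key-kept-off-the-server")
        Path(site, "unexpected.asp").write_text("uploaded after sealing")
        print(audit(site, sealed, b"demo-key-kept-off-the-server"))
```

The sealed manifest and the key belong on the machine that publishes the site, not on the web server, so that someone who can write to the web root cannot also regenerate a matching manifest.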