Not Foolproof

By Jim Rapoza  |  Posted 2001-10-15 Print this article Print

Not Foolproof

Although Applock/Web keeps vandals from changing Web pages and content, it doesnt stop them from adding new pages. This makes it possible for attackers to add their own Web page and then direct users to it from a chat room or newsgroup. Anyone visiting this page would probably think it was legitimate, because it was being served from the companys Web server. If the added page has the same look and feel of the real Web pages on the site, this type of hack can be very successful.

Also, for a sites contributors to legitimately change the content, they need to first turn off AppLock/ Webs protection capabilities. This could be a needless bother for companies that change content regularly. It could also be a problem for sites that use a dynamic content management system but then serve the pages as static HTML.

Forcing an administrator to manually shut down AppLock/Web on a Web server before any change can be made effectively negates the benefits of a content management system. This means AppLock/Web is probably best suited for Web sites whose content remains fairly static.

However, when it comes to protecting content within the scope of its design, AppLock/Web does a very good job. In tests, the program looked for content on our Web server and locked it against unauthorized changes.

Once we entered our password (and the program enforces very strict password protocols), we could view all files on our servers and choose which ones to protect from changes.

It was impossible for us to change any content on the server, and we couldnt even access Microsoft Management Console for IIS while AppLock/Web was in lockdown mode. In addition, we tried several methods to disable AppLock/Web by shutting down services and processes but were unable to stop its protection of the server content.

Jim Rapoza, Chief Technology Analyst, eWEEK.For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr RapozaÔÇÖs current technology focus is on all categories of emerging information technology though he continues to focus on core technology areas that include: content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel