Why Web Servers Are Not for Secure File Storage

One of the more common information security incidents is the inadvertent release of sensitive data via a public website. This often occurs when an individual with web-publishing rights saves one or more document into a web server directory thinking that it’s protected and not explicitly published.

The web publishing environment in most higher education institutions tends to be highly distributed. This distributed web environment is such that departments frequently manage their own web resources with their own staff. It is common to have hundreds of top-level websites containing numerous sub-site directories which are then managed by many people who have write-access to the web server.

The problem occurs when web publishers save files in their web directories not realizing that these documents and folders are public and can be viewed by anyone on Internet. They believe that just because you have to authenticate to save/upload the files that the files in the directory are also password-protected for web viewing. Every so often people use web directories as personal file storage to backup their PC or as a convenient file share.

For instance, a department has a website with a URL: http://www.university.edu/academics/.  A web overseer of that department saves an Excel spreadsheet called “grades.xlsx” in the web directory so their colleague can look at the file later. The file is immediately accessible to anyone on the internet to view under the following URL:  http://www.university.edu/academics/grades.xlsx.

The University Information Security Policy prohibits storage of files which contain any confidential or protected information on a publicly accessible web server. This would include files such as:

  • Student educational records including grades
  • Home addresses and phone numbers
  • Employment history
  • Performance evaluations
  • Social Security Numbers
  • Driver’s license numbers
  • Credit/Debit card numbers
  • Medical information and personally identifiable patient information
  • Financial records
  • Proprietary research data
  • Any other proprietary data that should not be shared with the public.

Even if you are putting your data on a web site temporarily, there is still a good chance that you will forget about it and a web crawler will find it.  The leading search engines, such as Google and Yahoo, use crawlers to find pages for their  search results.   Even so you may believe that no one knows the direct URL to your files, anything you put out on a public-facing web server can be quickly found and indexed by a search engine.  Sooner or later someone will  stumble upon a file containing confidential information in search results or, even worse,  a hacker will find it using Google hacking tools:  ” The dark side of Google’s power.”

A periodic review of review your departmental and personal websites will help you ensure no sensitive information is stored in your web directory.

What to do if you identify sensitive materials on a University web page

  • DO NOT IMMEDIATELY DELETE THESE FILES, rather…
  • Immediately contact the MU IT Service Desk (304) 696-3200 and the Office of Information Security
  • IT and Information Security staff will need to assist you in determining the ownership of the files, how long they have been accessible, and whether they have been recently accessed.
  • Once this has been documented, only then should the files be removed from the web server.
  • Additionally, we may also need to assist in contacting search providers to request removal of the sensitive materials from their cached search results.

What to do if you find sensitive information on your personal web page

  • Review the files in your web directory and be sure you understand how they came to be saved to a public location.
  • Delete any files which contain sensitive data.