| Groups | Blog | Home |
iis security : automating user security
restrictied documents in a folder, we create the user name and password (using Windows built-in security) and then mail it back to them. We now want users to be able to create their own names and passwords. What is the best way to provide password protected folders (available only for authenticated users) and at the same time allowing users to create their own accounts and passwords. I know I can do it all with asp but I wondered if there was a simpler way to do it. Any help would be greatly appreciated. Thanks
Thanks for the somewhat un-helpful response.
To clarify: I assumed we could let them create a name and password and then put them in a group with limited access. I had no intention of giving them access to everything. Simpler like - not having to have an administrator enter the names and passwords of 8,000 users but trying to automate the process without our direct involvement. Regarding a single login, gee what would we do change it every day when someone leaves??? At last you said something useful and helpful - too bad it wasn't all you said: "If you want to give users specific access and control it, you can't really give them the ability to do it themselves." I don't understand why the sarcastic response at the begining - I guess with you there are always stupid questions. Bill [quoted text, click to view] "Jeff Cochran" wrote:
> On Fri, 4 Feb 2005 04:13:02 -0800, "Bill Taylor" <Bill > Taylor@discussions.microsoft.com> wrote: > > >Currently our user base is small and someone emails us to have acces to > >restrictied documents in a folder, we create the user name and password > >(using Windows built-in security) and then mail it back to them. > > > >We now want users to be able to create their own names and passwords. > > Isn't that about as effective as just giving them access to everything > to begin with? > > >What is the best way to provide password protected folders (available only > >for authenticated users) and at the same time allowing users to create their > >own accounts and passwords. > > > >I know I can do it all with asp but I wondered if there was a simpler way to > >do it. > > Simpler like what? You could make them all administrators. You could > give them all a single login. But if you want to give users specific > access and control it, you can't really give them the ability to do it > themselves. > > If you choose to, you may find an ASP script already written that you > just need to modify, try aspin.com or Google. And post in an ASP > group if you're stuck there. > > Jeff
[quoted text, click to view]
"Bill Taylor" <BillTaylor@discussions.microsoft.com> wrote in message news:C5CC19C1-7528-4AE5-B902-60542AC0F19A@microsoft.com... > Thanks for the somewhat un-helpful response. > > I don't understand why the sarcastic response at the begining - I guess with > you there are always stupid questions. In defense of Jeff (because he often gives excellent advice) this just shows the limitations of written communications. While I see how you could take his comments as sarcastic, I did not read them that way. Knowing Jeff, I just saw them as more "matter of factual" in tone.
On Fri, 4 Feb 2005 04:13:02 -0800, "Bill Taylor" <Bill
[quoted text, click to view] Taylor@discussions.microsoft.com> wrote: >Currently our user base is small and someone emails us to have acces to >restrictied documents in a folder, we create the user name and password >(using Windows built-in security) and then mail it back to them. > >We now want users to be able to create their own names and passwords. Isn't that about as effective as just giving them access to everything to begin with? [quoted text, click to view] >What is the best way to provide password protected folders (available only >for authenticated users) and at the same time allowing users to create their >own accounts and passwords. > >I know I can do it all with asp but I wondered if there was a simpler way to >do it. Simpler like what? You could make them all administrators. You could give them all a single login. But if you want to give users specific access and control it, you can't really give them the ability to do it themselves. If you choose to, you may find an ASP script already written that you just need to modify, try aspin.com or Google. And post in an ASP group if you're stuck there.
On Fri, 4 Feb 2005 11:01:08 -0800, "Bill Taylor"
[quoted text, click to view] <BillTaylor@discussions.microsoft.com> wrote: >Thanks for the somewhat un-helpful response. Sorry you see it that way. [quoted text, click to view] >To clarify: > >I assumed we could let them create a name and password and then put them in >a group with limited access. I had no intention of giving them access to >everything. > >Simpler like - not having to have an administrator enter the names and >passwords of 8,000 users but trying to automate the process without our >direct involvement. You said your user base was small... [quoted text, click to view] >Regarding a single login, gee what would we do change it every day when >someone leaves??? I'm still unclear. If a user can create their own login, what difference is it if they use a common one? Are you going to manage 8,000 accounts for deleting them but not creating them? Or if you need this in 8,000 individual logins, assign the permissions to a group and put all users in that group. Unless the 8,000 users don't have any accounts at all to start with, and you simply want to allow them to create a new account, but then we're back to having no real security again. [quoted text, click to view] >At last you said something useful and helpful - too bad it wasn't all you >said: > >"If you want to give users specific access and control it, you can't really >give them the ability to do it themselves." > >I don't understand why the sarcastic response at the begining - I guess with >you there are always stupid questions. Not always, usually just incorrect assumptions. Okay, let's start again. You can do this, if you wish, in several ways. It's not difficult, and not secure by any means. It also depends on how many accounts you want to have. One method would be to run an ASP (or ASP.NET) app under an administrative account context, using ADSI to create and populate user accounts. Another might be to create a text file based on a user's input of name/password and run a scheduled command line to add the user and set home directory, add permissions, etc. A third would be to take this entirely out of the Windows authentication methods and use your own database of users and access restrictions. See any forum script in your choice of programming languages for examples of this. It's still really unclear what you wish to do, but if all it's for is restricting web site access I'd use method three. There's no real restriction since a user can create an account at will, but at least you can tie it to an email account by having them respond with an emailed code or something. It doesn't get by them creating a free throwaway account to get access, but you could restrict whatever free email services you wish from signing up if need be fo slightly more control. Again, any forum or portal script which has a user login does this, feel free to choose whichever you want to study. There are dozens, even hundreds of free ones out there. Jeff [quoted text, click to view] >"Jeff Cochran" wrote:
> >> On Fri, 4 Feb 2005 04:13:02 -0800, "Bill Taylor" <Bill >> Taylor@discussions.microsoft.com> wrote: >> >> >Currently our user base is small and someone emails us to have acces to >> >restrictied documents in a folder, we create the user name and password >> >(using Windows built-in security) and then mail it back to them. >> > >> >We now want users to be able to create their own names and passwords. >> >> Isn't that about as effective as just giving them access to everything >> to begin with? >> >> >What is the best way to provide password protected folders (available only >> >for authenticated users) and at the same time allowing users to create their >> >own accounts and passwords. >> > >> >I know I can do it all with asp but I wondered if there was a simpler way to >> >do it. >> >> Simpler like what? You could make them all administrators. You could >> give them all a single login. But if you want to give users specific >> access and control it, you can't really give them the ability to do it >> themselves. >> >> If you choose to, you may find an ASP script already written that you >> just need to modify, try aspin.com or Google. And post in an ASP >> group if you're stuck there. >> >> Jeff >>
Thank you for the reply and let me start again to clarify.
Current situation is we have a subset of about 300 users accessing a restricted folder on our web site. A user who wishes to access the site must be a "member". They request access and we have an administrator login to the site, create an account with a password, add them to a group (who has access to the restricted area) and then email the user the login info. Even at this level (300 users) the admin thinks it is too much work. In this scenario it works well - we use windows security (which is more than flexible enough for our needs) and with this level of users it doesn't take much time to manage. Now the compnay will be opening up the restricted area to a larger subset of our users (we estimate about 8,000). To the current admin this will be a nightmare (I don't think so but then I don't have to do it). Chnages would only be a few a day (I would guess). What I am trying to do is retain the Windows security (which is easier for me and ultimately easier for the web designer and content providers since security will not be something they have to touch). What I would like to do is keep the Windows security but at the same time control it through ASP coding. I was under the impression one could at the command prompt create users, passwords, add users to a group as well as delete users. So I am trying to keep what works well but then make it dynamic in some way so the user manages their own info. So I guess my real question is can one dynamically create and manage windows users with ASP code so that I can retain the original Windwos security and not have to code what would be perhaps hundreds or maybe even a thousand documents in a secure way. I know I can do it programatically (with ASP at least) but I'm not sure if it will be as secure and it may be a lot more work. I hope this explains it a bit more. Bill [quoted text, click to view] "Jeff Cochran" wrote:
> On Fri, 4 Feb 2005 11:01:08 -0800, "Bill Taylor" > <BillTaylor@discussions.microsoft.com> wrote: > > >Thanks for the somewhat un-helpful response. > > Sorry you see it that way. > > >To clarify: > > > >I assumed we could let them create a name and password and then put them in > >a group with limited access. I had no intention of giving them access to > >everything. > > > >Simpler like - not having to have an administrator enter the names and > >passwords of 8,000 users but trying to automate the process without our > >direct involvement. > > You said your user base was small... > > >Regarding a single login, gee what would we do change it every day when > >someone leaves??? > > I'm still unclear. If a user can create their own login, what > difference is it if they use a common one? Are you going to manage > 8,000 accounts for deleting them but not creating them? > > Or if you need this in 8,000 individual logins, assign the permissions > to a group and put all users in that group. Unless the 8,000 users > don't have any accounts at all to start with, and you simply want to > allow them to create a new account, but then we're back to having no > real security again. > > >At last you said something useful and helpful - too bad it wasn't all you > >said: > > > >"If you want to give users specific access and control it, you can't really > >give them the ability to do it themselves." > > > >I don't understand why the sarcastic response at the begining - I guess with > >you there are always stupid questions. > > Not always, usually just incorrect assumptions. > > Okay, let's start again. You can do this, if you wish, in several > ways. It's not difficult, and not secure by any means. It also > depends on how many accounts you want to have. > > One method would be to run an ASP (or ASP.NET) app under an > administrative account context, using ADSI to create and populate user > accounts. Another might be to create a text file based on a user's > input of name/password and run a scheduled command line to add the > user and set home directory, add permissions, etc. A third would be > to take this entirely out of the Windows authentication methods and > use your own database of users and access restrictions. See any forum > script in your choice of programming languages for examples of this. > > It's still really unclear what you wish to do, but if all it's for is > restricting web site access I'd use method three. There's no real > restriction since a user can create an account at will, but at least > you can tie it to an email account by having them respond with an > emailed code or something. It doesn't get by them creating a free > throwaway account to get access, but you could restrict whatever free > email services you wish from signing up if need be fo slightly more > control. > > Again, any forum or portal script which has a user login does this, > feel free to choose whichever you want to study. There are dozens, > even hundreds of free ones out there. > > Jeff > > > >"Jeff Cochran" wrote: > > > >> On Fri, 4 Feb 2005 04:13:02 -0800, "Bill Taylor" <Bill > >> Taylor@discussions.microsoft.com> wrote: > >> > >> >Currently our user base is small and someone emails us to have acces to > >> >restrictied documents in a folder, we create the user name and password > >> >(using Windows built-in security) and then mail it back to them. > >> > > >> >We now want users to be able to create their own names and passwords. > >> > >> Isn't that about as effective as just giving them access to everything > >> to begin with? > >> > >> >What is the best way to provide password protected folders (available only > >> >for authenticated users) and at the same time allowing users to create their > >> >own accounts and passwords. > >> > > >> >I know I can do it all with asp but I wondered if there was a simpler way to > >> >do it. > >> > >> Simpler like what? You could make them all administrators. You could > >> give them all a single login. But if you want to give users specific > >> access and control it, you can't really give them the ability to do it > >> themselves. > >> > >> If you choose to, you may find an ASP script already written that you > >> just need to modify, try aspin.com or Google. And post in an ASP > >> group if you're stuck there. > >> > >> Jeff > >> >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |