|
|
You're in the
iis security
group:IIS 6 Integrated Security....risks??
iis security:
[quoted text, click to view]
On Nov 27, 9:06 am, "Roberto L=F3pez" <rlo...@eurosistemas.net> wrote: > Hello from Spain, > > I have a web server running under IIS 6 on Windows 2003 Standar Edition, > domain controller. > I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on > the same port (80). > The first one is plain HTML site, and I have Anonymous access security > applied to it. Works fine. > The second is an ASP.NET application, and I have Integrated Windows Securi= ty > applied to it. I have defined a ApplicationPool to this asp.net applicatio= n > to run under an especific domain user account. Works fine too. When a user= > connects to this application, the web explorer ask for user credentials. > > My dude is: Is secure enought this configuration to my asp.net application= > ?? > The server is running on Internet and Intranet at the same time. Some user= s > connects locally (from the LAN) and others connects over Internet to the > asp.net application sending their credentials. > As far as I know the credentials are sent encrypted??, but the pages > themselves are not encrypted, to do this i nedd an SSL connection? > > Thanks a lot. > > -- > > --------------------------------------------------------------------------= --- > --- > Roberto L=F3pez > --------------------------------------------------------------------------= --- > --- You must define what you want to secure before you talk about how to secure things. Some people think that they toss everything under SSL and it is all "secured", but that misses the point. You still don't know what you want to protect, so how do you know it's safe? You only know you did something secure, but is it sufficient? And until you know that, you can't even start thinking about risk because you have no defined object whose security is being traded-off along some unknown metric. Is there data being passed on those web pages which require securing? Is the authentication protocol's assumptions and premises sufficient for your security requirements? //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang
Hello from Spain,
I have a web server running under IIS 6 on Windows 2003 Standar Edition, domain controller. I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on the same port (80). The first one is plain HTML site, and I have Anonymous access security applied to it. Works fine. The second is an ASP.NET application, and I have Integrated Windows Security applied to it. I have defined a ApplicationPool to this asp.net application to run under an especific domain user account. Works fine too. When a user connects to this application, the web explorer ask for user credentials. My dude is: Is secure enought this configuration to my asp.net application ?? The server is running on Internet and Intranet at the same time. Some users connects locally (from the LAN) and others connects over Internet to the asp.net application sending their credentials. As far as I know the credentials are sent encrypted??, but the pages themselves are not encrypted, to do this i nedd an SSL connection? Thanks a lot. -- ---------------------------------------------------------------------------- --- Roberto López ---------------------------------------------------------------------------- ---
"David Wang" <w3.4you@gmail.com> escribió en el mensaje news:81a3a2b0-e6d1-4f22-aeb6-b88a81288bfc@i29g2000prf.googlegroups.com... [quoted text, click to view] On Nov 27, 9:06 am, "Roberto López" <rlo...@eurosistemas.net> wrote: > Hello from Spain, > > I have a web server running under IIS 6 on Windows 2003 Standar Edition, > domain controller. > I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on > the same port (80). > The first one is plain HTML site, and I have Anonymous access security > applied to it. Works fine. > The second is an ASP.NET application, and I have Integrated Windows Security > applied to it. I have defined a ApplicationPool to this asp.net application > to run under an especific domain user account. Works fine too. When a user > connects to this application, the web explorer ask for user credentials. > > My dude is: Is secure enought this configuration to my asp.net application > ?? > The server is running on Internet and Intranet at the same time. Some users > connects locally (from the LAN) and others connects over Internet to the > asp.net application sending their credentials. > As far as I know the credentials are sent encrypted??, but the pages > themselves are not encrypted, to do this i nedd an SSL connection? > > Thanks a lot. > > -- > > -------------------------------------------------------------------------- --- > --- > Roberto López > -------------------------------------------------------------------------- --- > --- You must define what you want to secure before you talk about how to secure things. Some people think that they toss everything under SSL and it is all "secured", but that misses the point. You still don't know what you want to protect, so how do you know it's safe? You only know you did something secure, but is it sufficient? And until you know that, you can't even start thinking about risk because you have no defined object whose security is being traded-off along some unknown metric. Is there data being passed on those web pages which require securing? Is the authentication protocol's assumptions and premises sufficient for your security requirements? //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // Hello, My first concern is to ensure that the domain server and all data on it is sure. And the user names and passwords are secured. We do not want users to have to write name and password a lot of times. And we do not want that users have many different names and passwords to remember. The data that is being passed on those web pages needs to be protected too. I think I need SSL to this? Thanks.
Hi Roberto,
My first reaction was like David's, that you must have your priorities as to what you want to protect. Your reply included that you want to protect the domain. So, I come at an answer to you from a somewhat different place, as I am a Window infrastructure person, not specifically and IIS guru. Other Active Directory experts, and myself, will (probably always) be seen to advise that one never run IIS on a domain controller, and that you always keep your domain controller entirely inside your private network (i.e. not on the edge). Those are two very significant steps one can take in order to increase the security of one's domain infrastructure, but they appear to be things you have not done. You have also expressed interest in protecting the data that is sent by IIS and in protecting the accounts. Please understand, this is not saying that it is wrong or that it is guaranteed unsafe, just that it brings risks to your entire domain infrastructure that you could avoid and for which you take on the need for added precautions. This certainly can be done. It is sort of like your having bought a big safe for your home and put your valuables inside. But, after a while your wife convinces you that she really, really misses seeing her most prized diamond necklace so you have a window installed on the side of the safe so that she can look at it. The result is that the most valued part of the content of the safe is placed at an unneeded weak spot in the protection. You need to make that window out of very thick glass. To protect the data sent you should have SSL3/TLS required as others have advised. To protect the accounts is however a little tricky. Apparently people are logged in with these accounts when not inside your network? so that these might travel over the internet to your IIS's public interface? One problem with using Windows integrated authentication is that whether it is used also will depend on how the IE browser is configured, and it is too easy for people to let IE send IWA responses to any other webserver, which is generally considered bad and a risk. The client boxes would need to be configured to send IWA responses only to known machines. When done correctly IWA is possibly better than is basic wrapped within SSL3/TLS, but it also does imply that their domain accounts are being used on machines that are not within the internal network, which itself has risks for those accounts and the privacy/integrity of what those accounts can access in the domain infrastructure. Roger [quoted text, click to view] "Roberto López" <rlopez@eurosistemas.net> wrote in message news:O%23GrfGoMIHA.4480@TK2MSFTNGP06.phx.gbl... > > > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> escribió en el mensaje > news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... >> >> "Roberto López" <rlopez@eurosistemas.net> wrote in message >> news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... >> > Hello, >> > My first concern is to ensure that the domain server and all data on it > is >> > sure. >> >> Integrated Windows Authentication does not secure your server, or the >> data >> on it. >> >> > And the user names and passwords are secured. >> >> Windows already stores usernames and passwords securely. You need to > protect >> these "in transit", and also to ensure that user's do not disclose them >> to >> others > > But, with Integrated Windows Autentication the user name and password, as > far as I know, are sent encrypted? > >> > We do not want users to have to write name and password a lot of times. >> >> Write it where? You mean enter them? > > Yes, we do not want a lot of forms to enter "user and password" to access > asp.net application. > >> > And >> > we do not want that users have many different names and passwords to >> > remember. >> >> So, you need a single authentication store - something like Active >> Directory. IWA doesn't help with this per se, because other >> authentication >> mechanisms (like Basic or Digest Auth) can also use AD acconts. >> >> >> > The data that is being passed on those web pages needs to be protected >> > too. >> > I think I need SSL to this? >> >> Yes - SSL/TLS is one technology you can use for this. Or IPSec is >> another. >> >> Cheers >> Ken >> > > Thanks a lot. > >
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> escribió en el mensaje news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... [quoted text, click to view] > > "Roberto López" <rlopez@eurosistemas.net> wrote in message > news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... > > Hello, > > My first concern is to ensure that the domain server and all data on it is > > sure. > > Integrated Windows Authentication does not secure your server, or the data > on it. > > > And the user names and passwords are secured. > > Windows already stores usernames and passwords securely. You need to protect > these "in transit", and also to ensure that user's do not disclose them to > others But, with Integrated Windows Autentication the user name and password, as far as I know, are sent encrypted? [quoted text, click to view] > > We do not want users to have to write name and password a lot of times. > > Write it where? You mean enter them? Yes, we do not want a lot of forms to enter "user and password" to access asp.net application. [quoted text, click to view] > > And > > we do not want that users have many different names and passwords to > > remember. > > So, you need a single authentication store - something like Active > Directory. IWA doesn't help with this per se, because other authentication > mechanisms (like Basic or Digest Auth) can also use AD acconts. > > > > The data that is being passed on those web pages needs to be protected > > too. > > I think I need SSL to this? > > Yes - SSL/TLS is one technology you can use for this. Or IPSec is another. > > Cheers > Ken > Thanks a lot.
[quoted text, click to view] "Roberto López" <rlopez@eurosistemas.net> wrote in message news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... > Hello, > My first concern is to ensure that the domain server and all data on it is > sure. Integrated Windows Authentication does not secure your server, or the data on it. [quoted text, click to view] > And the user names and passwords are secured. Windows already stores usernames and passwords securely. You need to protect these "in transit", and also to ensure that user's do not disclose them to others [quoted text, click to view] > We do not want users to have to write name and password a lot of times. Write it where? You mean enter them? [quoted text, click to view] > And > we do not want that users have many different names and passwords to > remember. So, you need a single authentication store - something like Active Directory. IWA doesn't help with this per se, because other authentication mechanisms (like Basic or Digest Auth) can also use AD acconts. [quoted text, click to view] > The data that is being passed on those web pages needs to be protected > too. > I think I need SSL to this? Yes - SSL/TLS is one technology you can use for this. Or IPSec is another. Cheers Ken
Thanks a lot for all your comments.
Really I know this is not the best configuration to have a web server running (with access from Internet) but the hardware infrastructure does not depend on my. What I would like is to have is a web server "isolated" from the LAN, and obviously not a domain controller. But this is what I have. So it is obvious that I need SSL or maybe, VPN connections to the server to protect data transmision. Thanks. "Roger Abell [MVP]" <mvpNoSpam@asu.edu> escribió en el mensaje news:uRlQozpMIHA.280@TK2MSFTNGP03.phx.gbl... [quoted text, click to view] > Hi Roberto, > > My first reaction was like David's, that you must have your > priorities as to what you want to protect. Your reply included > that you want to protect the domain. > > So, I come at an answer to you from a somewhat different > place, as I am a Window infrastructure person, not specifically > and IIS guru. Other Active Directory experts, and myself, will > (probably always) be seen to advise that one never run IIS on > a domain controller, and that you always keep your domain > controller entirely inside your private network (i.e. not on the > edge). Those are two very significant steps one can take in > order to increase the security of one's domain infrastructure, > but they appear to be things you have not done. > You have also expressed interest in protecting the data that > is sent by IIS and in protecting the accounts. > > Please understand, this is not saying that it is wrong or that > it is guaranteed unsafe, just that it brings risks to your entire > domain infrastructure that you could avoid and for which you > take on the need for added precautions. > This certainly can be done. > It is sort of like your having bought a big safe for your home > and put your valuables inside. But, after a while your wife > convinces you that she really, really misses seeing her most > prized diamond necklace so you have a window installed on > the side of the safe so that she can look at it. The result is > that the most valued part of the content of the safe is placed > at an unneeded weak spot in the protection. You need to make > that window out of very thick glass. > > To protect the data sent you should have SSL3/TLS required > as others have advised. > > To protect the accounts is however a little tricky. Apparently > people are logged in with these accounts when not inside your > network? so that these might travel over the internet to your > IIS's public interface? One problem with using Windows > integrated authentication is that whether it is used also will > depend on how the IE browser is configured, and it is too easy > for people to let IE send IWA responses to any other webserver, > which is generally considered bad and a risk. The client boxes > would need to be configured to send IWA responses only to > known machines. When done correctly IWA is possibly > better than is basic wrapped within SSL3/TLS, but it also does > imply that their domain accounts are being used on machines > that are not within the internal network, which itself has risks > for those accounts and the privacy/integrity of what those accounts > can access in the domain infrastructure. > > Roger > > > "Roberto López" <rlopez@eurosistemas.net> wrote in message > news:O%23GrfGoMIHA.4480@TK2MSFTNGP06.phx.gbl... > > > > > > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> escribió en el mensaje > > news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... > >> > >> "Roberto López" <rlopez@eurosistemas.net> wrote in message > >> news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... > >> > Hello, > >> > My first concern is to ensure that the domain server and all data on it > > is > >> > sure. > >> > >> Integrated Windows Authentication does not secure your server, or the > >> data > >> on it. > >> > >> > And the user names and passwords are secured. > >> > >> Windows already stores usernames and passwords securely. You need to > > protect > >> these "in transit", and also to ensure that user's do not disclose them > >> to > >> others > > > > But, with Integrated Windows Autentication the user name and password, as > > far as I know, are sent encrypted? > > > >> > We do not want users to have to write name and password a lot of times. > >> > >> Write it where? You mean enter them? > > > > Yes, we do not want a lot of forms to enter "user and password" to access > > asp.net application. > > > >> > And > >> > we do not want that users have many different names and passwords to > >> > remember. > >> > >> So, you need a single authentication store - something like Active > >> Directory. IWA doesn't help with this per se, because other > >> authentication > >> mechanisms (like Basic or Digest Auth) can also use AD acconts. > >> > >> > >> > The data that is being passed on those web pages needs to be protected > >> > too. > >> > I think I need SSL to this? > >> > >> Yes - SSL/TLS is one technology you can use for this. Or IPSec is > >> another. > >> > >> Cheers > >> Ken > >> > > > > Thanks a lot. > > > > > >
[quoted text, click to view] "Roberto López" <rlopez@eurosistemas.net> wrote in message news:O%23GrfGoMIHA.4480@TK2MSFTNGP06.phx.gbl... > > > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> escribió en el mensaje > news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... >> >> "Roberto López" <rlopez@eurosistemas.net> wrote in message >> news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... >> > Hello, >> > My first concern is to ensure that the domain server and all data on it > is >> > sure. >> >> Integrated Windows Authentication does not secure your server, or the >> data >> on it. >> >> > And the user names and passwords are secured. >> >> Windows already stores usernames and passwords securely. You need to > protect >> these "in transit", and also to ensure that user's do not disclose them >> to >> others > > But, with Integrated Windows Autentication the user name and password, as > far as I know, are sent encrypted? Hi, With NTLM authentication, the password is hashed using the NTLM v2 mechanism. With Kerberos Authentication, the client sends an authenticator and service ticket. The username is not encypted, but the password is never transmitted to the server in question (as the trusted third party - the KDC/Domain Controller - knows all the passwords). Cheers Ken
Thanks a lot for your comments.
I have learned a lot with this post. "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> escribió en el mensaje news:O%23ySUfvMIHA.484@TK2MSFTNGP06.phx.gbl... [quoted text, click to view] > > "Roberto López" <rlopez@eurosistemas.net> wrote in message > news:O%23GrfGoMIHA.4480@TK2MSFTNGP06.phx.gbl... > > > > > > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> escribió en el mensaje > > news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... > >> > >> "Roberto López" <rlopez@eurosistemas.net> wrote in message > >> news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... > >> > Hello, > >> > My first concern is to ensure that the domain server and all data on it > > is > >> > sure. > >> > >> Integrated Windows Authentication does not secure your server, or the > >> data > >> on it. > >> > >> > And the user names and passwords are secured. > >> > >> Windows already stores usernames and passwords securely. You need to > > protect > >> these "in transit", and also to ensure that user's do not disclose them > >> to > >> others > > > > But, with Integrated Windows Autentication the user name and password, as > > far as I know, are sent encrypted? > > Hi, > > With NTLM authentication, the password is hashed using the NTLM v2 > mechanism. > > With Kerberos Authentication, the client sends an authenticator and service > ticket. The username is not encypted, but the password is never transmitted > to the server in question (as the trusted third party - the KDC/Domain > Controller - knows all the passwords). > > Cheers > Ken >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |