|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
IIS 6 Integrated Security....risks??I have a web server running under IIS 6 on Windows 2003 Standar Edition, domain controller. I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on the same port (80). The first one is plain HTML site, and I have Anonymous access security applied to it. Works fine. The second is an ASP.NET application, and I have Integrated Windows Security applied to it. I have defined a ApplicationPool to this asp.net application to run under an especific domain user account. Works fine too. When a user connects to this application, the web explorer ask for user credentials. My dude is: Is secure enought this configuration to my asp.net application ?? The server is running on Internet and Intranet at the same time. Some users connects locally (from the LAN) and others connects over Internet to the asp.net application sending their credentials. As far as I know the credentials are sent encrypted??, but the pages themselves are not encrypted, to do this i nedd an SSL connection? Thanks a lot. -- ---------------------------------------------------------------------------- --- Roberto López ---------------------------------------------------------------------------- --- Show quote
On Nov 27, 9:06 am, "Roberto López" <rlo***@eurosistemas.net> wrote: You must define what you want to secure before you talk about how to> Hello from Spain, > > I have a web server running under IIS 6 on Windows 2003 Standar Edition, > domain controller. > I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on > the same port (80). > The first one is plain HTML site, and I have Anonymous access security > applied to it. Works fine. > The second is an ASP.NET application, and I have Integrated Windows Security > applied to it. I have defined a ApplicationPool to this asp.net application > to run under an especific domain user account. Works fine too. When a user > connects to this application, the web explorer ask for user credentials. > > My dude is: Is secure enought this configuration to my asp.net application > ?? > The server is running on Internet and Intranet at the same time. Some users > connects locally (from the LAN) and others connects over Internet to the > asp.net application sending their credentials. > As far as I know the credentials are sent encrypted??, but the pages > themselves are not encrypted, to do this i nedd an SSL connection? > > Thanks a lot. > > -- > > ----------------------------------------------------------------------------- > --- > Roberto López > ----------------------------------------------------------------------------- > --- secure things. Some people think that they toss everything under SSL and it is all "secured", but that misses the point. You still don't know what you want to protect, so how do you know it's safe? You only know you did something secure, but is it sufficient? And until you know that, you can't even start thinking about risk because you have no defined object whose security is being traded-off along some unknown metric. Is there data being passed on those web pages which require securing? Is the authentication protocol's assumptions and premises sufficient for your security requirements? //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // Show quote
"David Wang" <w3.4***@gmail.com> escribió en el mensaje You must define what you want to secure before you talk about how tonews:81a3a2b0-e6d1-4f22-aeb6-b88a81288bfc@i29g2000prf.googlegroups.com... On Nov 27, 9:06 am, "Roberto López" <rlo***@eurosistemas.net> wrote: > Hello from Spain, > > I have a web server running under IIS 6 on Windows 2003 Standar Edition, > domain controller. > I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on > the same port (80). > The first one is plain HTML site, and I have Anonymous access security > applied to it. Works fine. > The second is an ASP.NET application, and I have Integrated Windows Security > applied to it. I have defined a ApplicationPool to this asp.net application > to run under an especific domain user account. Works fine too. When a user > connects to this application, the web explorer ask for user credentials. > > My dude is: Is secure enought this configuration to my asp.net application > ?? > The server is running on Internet and Intranet at the same time. Some users > connects locally (from the LAN) and others connects over Internet to the > asp.net application sending their credentials. > As far as I know the credentials are sent encrypted??, but the pages > themselves are not encrypted, to do this i nedd an SSL connection? > > Thanks a lot. > > -- > > -------------------------------------------------------------------------- --- > --- > Roberto López > -------------------------------------------------------------------------- --- > --- secure things. Some people think that they toss everything under SSL and it is all "secured", but that misses the point. You still don't know what you want to protect, so how do you know it's safe? You only know you did something secure, but is it sufficient? And until you know that, you can't even start thinking about risk because you have no defined object whose security is being traded-off along some unknown metric. Is there data being passed on those web pages which require securing? Is the authentication protocol's assumptions and premises sufficient for your security requirements? //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // Hello, My first concern is to ensure that the domain server and all data on it is sure. And the user names and passwords are secured. We do not want users to have to write name and password a lot of times. And we do not want that users have many different names and passwords to remember. The data that is being passed on those web pages needs to be protected too. I think I need SSL to this? Thanks. "Roberto López" <rlo***@eurosistemas.net> wrote in message Integrated Windows Authentication does not secure your server, or the data news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... > Hello, > My first concern is to ensure that the domain server and all data on it is > sure. on it. > And the user names and passwords are secured. Windows already stores usernames and passwords securely. You need to protect these "in transit", and also to ensure that user's do not disclose them to others > We do not want users to have to write name and password a lot of times. Write it where? You mean enter them?> And So, you need a single authentication store - something like Active > we do not want that users have many different names and passwords to > remember. Directory. IWA doesn't help with this per se, because other authentication mechanisms (like Basic or Digest Auth) can also use AD acconts. > The data that is being passed on those web pages needs to be protected Yes - SSL/TLS is one technology you can use for this. Or IPSec is another.> too. > I think I need SSL to this? Cheers Ken Show quote
"Ken Schaefer" <kenREM***@THISadOpenStatic.com> escribió en el mensaje But, with Integrated Windows Autentication the user name and password, asnews:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... > > "Roberto López" <rlo***@eurosistemas.net> wrote in message > news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... > > Hello, > > My first concern is to ensure that the domain server and all data on it is > > sure. > > Integrated Windows Authentication does not secure your server, or the data > on it. > > > And the user names and passwords are secured. > > Windows already stores usernames and passwords securely. You need to protect > these "in transit", and also to ensure that user's do not disclose them to > others far as I know, are sent encrypted? > > We do not want users to have to write name and password a lot of times. Yes, we do not want a lot of forms to enter "user and password" to access> > Write it where? You mean enter them? asp.net application. Show quote > > And Thanks a lot.> > we do not want that users have many different names and passwords to > > remember. > > So, you need a single authentication store - something like Active > Directory. IWA doesn't help with this per se, because other authentication > mechanisms (like Basic or Digest Auth) can also use AD acconts. > > > > The data that is being passed on those web pages needs to be protected > > too. > > I think I need SSL to this? > > Yes - SSL/TLS is one technology you can use for this. Or IPSec is another. > > Cheers > Ken > Hi Roberto,
My first reaction was like David's, that you must have your priorities as to what you want to protect. Your reply included that you want to protect the domain. So, I come at an answer to you from a somewhat different place, as I am a Window infrastructure person, not specifically and IIS guru. Other Active Directory experts, and myself, will (probably always) be seen to advise that one never run IIS on a domain controller, and that you always keep your domain controller entirely inside your private network (i.e. not on the edge). Those are two very significant steps one can take in order to increase the security of one's domain infrastructure, but they appear to be things you have not done. You have also expressed interest in protecting the data that is sent by IIS and in protecting the accounts. Please understand, this is not saying that it is wrong or that it is guaranteed unsafe, just that it brings risks to your entire domain infrastructure that you could avoid and for which you take on the need for added precautions. This certainly can be done. It is sort of like your having bought a big safe for your home and put your valuables inside. But, after a while your wife convinces you that she really, really misses seeing her most prized diamond necklace so you have a window installed on the side of the safe so that she can look at it. The result is that the most valued part of the content of the safe is placed at an unneeded weak spot in the protection. You need to make that window out of very thick glass. To protect the data sent you should have SSL3/TLS required as others have advised. To protect the accounts is however a little tricky. Apparently people are logged in with these accounts when not inside your network? so that these might travel over the internet to your IIS's public interface? One problem with using Windows integrated authentication is that whether it is used also will depend on how the IE browser is configured, and it is too easy for people to let IE send IWA responses to any other webserver, which is generally considered bad and a risk. The client boxes would need to be configured to send IWA responses only to known machines. When done correctly IWA is possibly better than is basic wrapped within SSL3/TLS, but it also does imply that their domain accounts are being used on machines that are not within the internal network, which itself has risks for those accounts and the privacy/integrity of what those accounts can access in the domain infrastructure. Roger Show quote "Roberto López" <rlo***@eurosistemas.net> wrote in message news:O%23GrfGoMIHA.4480@TK2MSFTNGP06.phx.gbl... > > > "Ken Schaefer" <kenREM***@THISadOpenStatic.com> escribió en el mensaje > news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... >> >> "Roberto López" <rlo***@eurosistemas.net> wrote in message >> news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... >> > Hello, >> > My first concern is to ensure that the domain server and all data on it > is >> > sure. >> >> Integrated Windows Authentication does not secure your server, or the >> data >> on it. >> >> > And the user names and passwords are secured. >> >> Windows already stores usernames and passwords securely. You need to > protect >> these "in transit", and also to ensure that user's do not disclose them >> to >> others > > But, with Integrated Windows Autentication the user name and password, as > far as I know, are sent encrypted? > >> > We do not want users to have to write name and password a lot of times. >> >> Write it where? You mean enter them? > > Yes, we do not want a lot of forms to enter "user and password" to access > asp.net application. > >> > And >> > we do not want that users have many different names and passwords to >> > remember. >> >> So, you need a single authentication store - something like Active >> Directory. IWA doesn't help with this per se, because other >> authentication >> mechanisms (like Basic or Digest Auth) can also use AD acconts. >> >> >> > The data that is being passed on those web pages needs to be protected >> > too. >> > I think I need SSL to this? >> >> Yes - SSL/TLS is one technology you can use for this. Or IPSec is >> another. >> >> Cheers >> Ken >> > > Thanks a lot. > > Thanks a lot for all your comments.
Really I know this is not the best configuration to have a web server running (with access from Internet) but the hardware infrastructure does not depend on my. What I would like is to have is a web server "isolated" from the LAN, and obviously not a domain controller. But this is what I have. So it is obvious that I need SSL or maybe, VPN connections to the server to protect data transmision. Thanks. Show quote "Roger Abell [MVP]" <mvpNoSpam@asu.edu> escribió en el mensaje news:uRlQozpMIHA.280@TK2MSFTNGP03.phx.gbl... > Hi Roberto, > > My first reaction was like David's, that you must have your > priorities as to what you want to protect. Your reply included > that you want to protect the domain. > > So, I come at an answer to you from a somewhat different > place, as I am a Window infrastructure person, not specifically > and IIS guru. Other Active Directory experts, and myself, will > (probably always) be seen to advise that one never run IIS on > a domain controller, and that you always keep your domain > controller entirely inside your private network (i.e. not on the > edge). Those are two very significant steps one can take in > order to increase the security of one's domain infrastructure, > but they appear to be things you have not done. > You have also expressed interest in protecting the data that > is sent by IIS and in protecting the accounts. > > Please understand, this is not saying that it is wrong or that > it is guaranteed unsafe, just that it brings risks to your entire > domain infrastructure that you could avoid and for which you > take on the need for added precautions. > This certainly can be done. > It is sort of like your having bought a big safe for your home > and put your valuables inside. But, after a while your wife > convinces you that she really, really misses seeing her most > prized diamond necklace so you have a window installed on > the side of the safe so that she can look at it. The result is > that the most valued part of the content of the safe is placed > at an unneeded weak spot in the protection. You need to make > that window out of very thick glass. > > To protect the data sent you should have SSL3/TLS required > as others have advised. > > To protect the accounts is however a little tricky. Apparently > people are logged in with these accounts when not inside your > network? so that these might travel over the internet to your > IIS's public interface? One problem with using Windows > integrated authentication is that whether it is used also will > depend on how the IE browser is configured, and it is too easy > for people to let IE send IWA responses to any other webserver, > which is generally considered bad and a risk. The client boxes > would need to be configured to send IWA responses only to > known machines. When done correctly IWA is possibly > better than is basic wrapped within SSL3/TLS, but it also does > imply that their domain accounts are being used on machines > that are not within the internal network, which itself has risks > for those accounts and the privacy/integrity of what those accounts > can access in the domain infrastructure. > > Roger > > > "Roberto López" <rlo***@eurosistemas.net> wrote in message > news:O%23GrfGoMIHA.4480@TK2MSFTNGP06.phx.gbl... > > > > > > "Ken Schaefer" <kenREM***@THISadOpenStatic.com> escribió en el mensaje > > news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl... > >> > >> "Roberto López" <rlo***@eurosistemas.net> wrote in message > >> news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl... > >> > Hello, > >> > My first concern is to ensure that the domain server and all data on it > > is > >> > sure. > >> > >> Integrated Windows Authentication does not secure your server, or the > >> data > >> on it. > >> > >> > And the user names and passwords are secured. > >> > >> Windows already stores usernames and passwords securely. You need to > > protect > >> these "in transit", and also to ensure that user's do not disclose them > >> to > >> others > > > > But, with Integrated Windows Autentication the user name and password, as > > far as I know, are sent encrypted? > > > >> > We do not want users to have to write name and password a lot of times. > >> > >> Write it where? You mean enter them? > > > > Yes, we do not want a lot of forms to enter "user and password" to access > > asp.net application. > > > >> > And > >> > we do not want that users have many different names and passwords to > >> > remember. > >> > >> So, you need a single authentication store - something like Active > >> Directory. IWA doesn't help with this per se, because other > >> authentication > >> mechanisms (like Basic or Digest Auth) can also use AD acconts. > >> > >> > >> > The data that is being passed on those web pages needs to be protected > >> > too. > >> > I think I need SSL to this? > >> > >> Yes - SSL/TLS is one technology you can use for this. Or IPSec is > >> another. > >> > >> Cheers > >> Ken > >> > > > > Thanks a lot. > > > > > >  |
|||||||||||||||||||||||
Other interesting topics