RE: Microsoft Active Directory security concerns



Nic,

Your problem is an interesting one, and I'm not sure that you can resolve it
with just vanilla MS tools (IIS, AD, ADAM) at your disposal. The SSO
product that I specialise in addresses this by:

A) Deploying Policy Enforcement Points (PEPs) at appropriate locations e.g.
IIS (as an ISAPI filter) or Apache (as a loadable module). The PEPs
intercept any resource (web page) access requests and pass on those requests
to the Policy Decision Points (PDPs).

B) Deploying PDP servers that integrate with all necessary directories
(SunOne, AD, ADAM etc) and allow the PDPs to create a consolidated view of
user identities across all directories, against which they evaluate & apply
access & authentication policy.

C) Having the PDPs return policy access & authentication decisions (allow,
deny, authenticate etc) to the PEPs, which then implement that decision.

Another approach might be to use a meta directory product which simply
provides the consolidated view of both AD & ADAM directories and
authenticate against that; however, I don't think that this will work with
IIS (Integrated Windows?) authentication since it depends on AD.

Hope this helps somewhat.

Jason
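An added example, not code from Jason's SSO product or from any Microsoft component, sketching the PEP/PDP split described above and Nic's "try AD first, then ADAM" question in Python. It assumes in-memory dicts stand in for the AD and ADAM directories (a real PDP would perform LDAP binds), and it adds one rule the thread does not state: the PDP only falls through to the next directory when the user is unknown, never after a wrong password.

```python
from dataclasses import dataclass
from enum import Enum

Decision = Enum("Decision", "ALLOW DENY AUTHENTICATE")  # what a PDP returns to a PEP
Bind = Enum("Bind", "OK NOT_FOUND BAD_PASSWORD")         # outcome of one directory bind

@dataclass
class Directory:  # stand-in for one LDAP directory (AD or ADAM); real code would LDAP-bind
    name: str
    users: dict  # username -> (password, set of groups); constructed sample data
    def bind(self, user, password):
        if user not in self.users:
            return Bind.NOT_FOUND
        return Bind.OK if self.users[user][0] == password else Bind.BAD_PASSWORD

class PolicyDecisionPoint:
    def __init__(self, directories, policy):
        self.directories = directories  # consulted in order, e.g. [AD, ADAM]
        self.policy = policy            # path prefix -> required group (None = anonymous)
    def identify(self, user, password):
        """Consolidated view: the first directory that knows the user is authoritative."""
        for d in self.directories:
            result = d.bind(user, password)
            if result is Bind.OK:
                return d.name, d.users[user][1]
            if result is Bind.BAD_PASSWORD:
                return None  # a wrong password is NOT replayed into the next directory
        return None          # unknown in every directory
    def decide(self, path, user=None, password=None):
        matches = [g for p, g in self.policy.items() if path.startswith(p)]
        if not matches:                 # default deny for resources no policy covers
            return Decision.DENY
        if matches[0] is None:          # anonymous resource
            return Decision.ALLOW
        ident = self.identify(user, password) if user is not None else None
        if ident is None:
            return Decision.AUTHENTICATE  # PEP must challenge for (new) credentials
        return Decision.ALLOW if matches[0] in ident[1] else Decision.DENY

def enforce(pdp, path, user=None, password=None):
    # PEP role (what an ISAPI filter or Apache module does): decision -> HTTP status
    status = {Decision.ALLOW: 200, Decision.AUTHENTICATE: 401, Decision.DENY: 403}
    return status[pdp.decide(path, user, password)]

# Constructed sample: internal staff live in AD, external partners in ADAM.
AD = Directory("AD", {"alice": ("pw-alice", {"staff"})})
ADAM = Directory("ADAM", {"bob": ("pw-bob", {"partners"})})
PDP = PolicyDecisionPoint([AD, ADAM], {"/intranet/": "staff", "/portal/": "partners", "/public/": None})
```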


-----Original Message-----
From: NicS [mailto:nic.scheepers@xxxxxxxxxxxxxxxxxx]
Sent: Friday, 7 July 2006 2:44 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Microsoft Active Directory security concerns


Hi Jason,

I am very delighted by your message because I was doing research on this
subject for the past few months. I came to the conclusion that I have to use
AD for the internal users and ADAM for the external users, but now the
implementation seems a bit tricky.

I need IIS to authenticate the users, how will IIS know when to look in AD
and when to look in ADAM? Does this have anything to do with proxy
redirection from ADAM to AD or do you have to synchronise all users to ADAM
and then somehow make IIS look solely at ADAM for authenticating both the
internal and external users?

Does this solution mean developing software that first tries AD and, if that
fails, then goes to ADAM for the authentication?

Does anyone have some direction where I can read more about this? I cannot
find resources dealing directly with these issues.

Regards

Nic
--
View this message in context:
http://www.nabble.com/Microsoft-Active-Directory-security-concerns-tf1781619.html#a5203344
Sent from the Security Basics forum at Nabble.com.


