A Few Questions Regarding Intranet Security.

From: kavans (ricks_in@yahoo.com)
Date: 02/07/03

From: "kavans" <ricks_in@yahoo.com>
Date: Fri, 7 Feb 2003 01:51:24 -0800

Hi - I am going through the MS-provided security document and
reading the part "Intranet Security: ASP.NET to SQL

It recommends the following config:

For Authentication:

1. Use Integrated Windows Auth at IIS.
2. Use Windows Auth at ASP.NET (With Impersonation = False)

For Authorization:

1. Use NTFS Permissions at IIS.
2. File Auth (.NET Roles ) at ASP.NET.

Also it says the ASP.NET FileAuthorizationModule provides ACL
checks against the original caller for ASP.NET file types
that are mapped in IIS to aspnet_isapi.dll.

My Question 1 - What does the above statement mean? Is this
check made by ASP.NET by itself? If yes, when does it

My Question 2 - Is this check made only for web site files
which are mapped in IIS, or for resources accessed by those
files too?

My Question 3 - What NTFS permissions does IIS make here,
and on what files and resources?

There is also a question in document:

Question - Why can't I enable impersonation for the web
application and secure resources accessed by the web
application using ACLs configured against the original

Answer - If you enable impersonation, the impersonated
security context will not have network credentials
(assuming delegation is not enabled and you are using
Integrated Windows authentication).

My Question 4 - Why will the impersonated security context
not have network credentials?
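For reference, the ASP.NET 1.x web.config that expresses the recommended configuration quoted in the post (Windows authentication, impersonation off, role-based URL authorization on top of the default file authorization). This is an added example written for this page, not taken from the post or from the Microsoft document; the server name and the role name are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Placeholder server. With impersonate="false" below, a
         connection using Integrated Security is opened under the
         ASP.NET worker process account, not the browser user. -->
    <add key="DbConnection"
         value="server=SQLSERVER_PLACEHOLDER;database=Northwind;Integrated Security=SSPI" />
  </appSettings>

  <system.web>
    <!-- Authentication step 2 from the post: ASP.NET accepts the
         identity that IIS established with Integrated Windows auth.
         User.Identity in page code is a WindowsIdentity for the caller. -->
    <authentication mode="Windows" />

    <!-- Impersonation off (the recommended setting): page code runs as
         the process account. Turning this on would make downstream
         calls run as the caller, and without delegation that token
         carries no network credentials for a remote SQL Server. -->
    <identity impersonate="false" />

    <!-- Role-based authorization (UrlAuthorizationModule). The
         FileAuthorizationModule is registered by default in
         machine.config and needs no entry here: it checks the NTFS
         ACL of the requested .aspx/.asmx file against the caller's
         token, even though impersonation is off. -->
    <authorization>
      <allow roles="DOMAIN_PLACEHOLDER\IntranetUsers" />
      <deny users="?" />   <!-- deny anonymous callers -->
    </authorization>
  </system.web>
</configuration>
```

File authorization only covers files routed to aspnet_isapi.dll; static files such as .html or .gif are served by IIS itself and are protected by their own NTFS ACLs, not by this module.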