Re: Integrated security - why not?
From: Matjaz Ladava (matjaz_at__nospam_ladava.com)
Date: 05/28/03
- Next message: Hazzard: "security exception within Microsoft Application Block ExceptionManager.vb"
- Previous message: Dieter Depuydt: "Re: NTLM Hash in ASP.NET"
- In reply to: TimmyG: "Integrated security - why not?"
- Next in thread: TimmyG: "Re: Integrated security - why not?"
- Reply: TimmyG: "Re: Integrated security - why not?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 28 May 2003 15:17:04 +0200
Hi Timmy,
I understand your pain, but taking your DC out of your network and placing
it at your ISP, connected directly to the internet, isn't the best idea. If this
DC is part of your domain, then you just cannot take one of the DCs out.
Theoretically you could (fixing metadata on your original domain and seizing
FSMO roles on the disjoined server), but I would advise against that. What you
could do is set up an empty Windows server box (not joined to a domain),
create local accounts and then recreate all security. Make this web site SSL
and enable basic authentication (NTLM is limited only to IE). Place this
server behind a firewall at your ISP and just publish the HTTPS service. Use the IIS
Lockdown tool to harden your IIS.
Hope I understood your concerns.
Regards
Matjaz Ladava
"TimmyG" <tim@pracctice.com> wrote in message
news:3eab3b41.0305280256.12d26d3e@posting.google.com...
> Hello all,
>
> Firstly I apologise for the length of this posting but it is an
> ongoing issue that I could really do with some help on. Obliged.
>
> For some time now I have been using integrated security at all levels
> of an n-tiered ASP.NET application, i.e. IIS, ASP.NET app and SQL
> Server. The application itself hooks up to multiple databases
> depending on the identity and membership of the user. As you can
> probably imagine the SQL databases are locked down via group
> membership (i.e. one user can gain access to the relevant databases
> based on group membership but obviously not the others).
>
> IIS will only allow access to valid accounts and the ASP.NET
> application allows access to all the relevant groups and impersonates
> the client token.
>
> This system is working very well and without going into too much
> detail allows me to do many things that mapping all users to one
> account at IIS level simply won't allow (proper security on multiple
> databases for one).
>
> My problem however is this: I have been working in an intranet
> environment with domain groups and accounts and hence my system works
> fine. I have also tried this method out using machine accounts on a
> testing server with no problems at all. In fact I am happily able to
> mix machine accounts and domain accounts.
>
> However, the situation has now arisen whereby this system needs to run
> in an internet environment. We have a totally dedicated server at an
> ISP just waiting for this system. The problem however is that our
> engineers and network gurus tell me that I simply can't do what I want
> to do; apparently ISPs don't support this type of security. But what
> has the ISP got to do with it? We have a dedicated 2k server and can
> guarantee that all clients will be IE5 or above. What is stopping me
> adding the users and groups that I want to the server? It should also
> be noted that this box is a domain controller (issues, I know) but I
> cannot understand why we would need a domain with a standalone
> dedicated server. I'm sure it is obvious to you by now that my
> networking / security knowledge is not exactly great but I know what I
> am trying to achieve and have been continuously informed from many
> sources that full integrated security is the way to go for maximum
> protection.
>
> It should be noted that the information stored within this system is
> sensitive to the highest degree and any increases in security are an
> absolute must. It should also be noted that we will have full control
> over this box i.e. the users do not administer their own accounts in
> terms of access at all. It will be done by us via in-house tools.
>
> I simply cannot see why I am being told I cannot do this. In simple
> terms, what is stopping me adding users and groups to the server?
>
> If we were to go down the forms auth route then I suddenly need an
> application per database to maintain security at DB level, as all users
> would be mapped onto one account by IIS and would hence gain access to
> all other DBs. This is no good at all and forces me to use multiple
> apps to map users onto different accounts for DB access. Also,
> interestingly, if I went down this route I would still have to add
> groups / accounts to the machine for mapping of users from the
> different applications, so what's the difference?
>
> This has been a long running issue that is really beginning to annoy
> me because no one seems able to tell me why I can't do this, nor can I
> find any information relating to why this might be.
>
> I have hit web sites before that provide a machine / domain logon so
> why can't my application do it?
>
> Much obliged for your time....
> TimmyG.
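For readers who want to see what the setup discussed in this thread looks like on the web tier, here is an added web.config fragment (not from either poster) for an ASP.NET application that lets IIS authenticate the caller, impersonates the caller's token, and grants access only by group membership. The group names are placeholders; on the standalone box Matjaz describes they would be local groups, on a domain-joined box DOMAIN\Group.

```xml
<configuration>
  <system.web>
    <!-- IIS performs the authentication (Integrated Windows, or Basic over
         SSL as suggested in the reply); ASP.NET just consumes the identity. -->
    <authentication mode="Windows" />

    <!-- Run each request under the caller's own Windows token, so SQL Server
         (with Integrated Security=SSPI in the connection string) sees the
         user rather than the ASPNET process account. Note: this token only
         reaches a SQL Server on another machine if Kerberos delegation is
         configured; with NTLM it stops at the web server. -->
    <identity impersonate="true" />

    <authorization>
      <!-- Placeholder group names, one per database the app fronts. -->
      <allow roles="WEBSERVER\FinanceUsers, WEBSERVER\HRUsers" />
      <!-- Reject anonymous callers and any authenticated user not listed. -->
      <deny users="?" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

With this in place, per-database access is enforced by the SQL Server logins granted to each Windows group, so no separate application per database is needed.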