Re: Integrated security - why not?
From: Matjaz Ladava (matjaz_at__nospam_ladava.com)
Date: 05/29/03
- Next message: igor k: "Re: Hosting controls in IE"
- Previous message: TimmyG: "Re: Integrated security - why not?"
- In reply to: TimmyG: "Re: Integrated security - why not?"
- Next in thread: Yan-Hong Huang[MSFT]: "Re: Integrated security - why not?"
- Reply: Yan-Hong Huang[MSFT]: "Re: Integrated security - why not?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 May 2003 10:33:50 +0200
Well, if this is a completely disconnected DC, then you are OK, but as I said
before: place this DC/server behind a firewall at your ISP; don't expose it
directly to the internet. Why? Because you are placing a completely open
server on the public network with services such as SQL Server (remember the SQL
worm), AD, all RPC services... It is just insecure and dangerous. Just
see all the hotfixes out there for various service vulnerabilities. Opening your
server just on port 443 (SSL) through the firewall is 1000 times more secure.
If you have just one server, then all accounts can also be local accounts;
there is no need for AD configuration, because you don't need any
special AD functionality.
Regards
Matjaz Ladava
"TimmyG" <tim@pracctice.com> wrote in message
news:3eab3b41.0305290013.20611433@posting.google.com...
> Matjaz,
>
> Apologies for the time to reply, but Google took ages to show your
> message.
>
> You have almost understood my situation but for one possibly very
> important factor. The DC at the ISP is not for our own use. It will in
> no way mimic our own network set-up. This system has been running on an
> intranet throughout development and testing and is now to be placed on
> the web, not for our own use but for the use of our clients. The ISP box
> is completely virginal.
>
> Over the next few months the user base will steadily grow, but never to
> a particularly large number. We can do as we please with this box and I
> very much wanted to go down the fully integrated security route.
>
> I see no reason why this box is a DC at all. What is wrong with using
> machine accounts for this type of set-up?
>
> All I really want to know is that if I / we have full control over this
> server, is what I am proposing 1) possible, 2) reasonable, and are there
> any major drawbacks?
>
> I will once again stress that the information is sensitive and we
> require as much control over all aspects of security as possible.
>
> Much obliged for your help,
> TimmyG.
>
>
>
> "Matjaz Ladava" <matjaz@_nospam_ladava.com> wrote in message
> news:<eYJcwtRJDHA.1828@TK2MSFTNGP10.phx.gbl>...
> > Hi Timmy,
> >
> > I understand your pain, but taking your DC out of your network and
> > placing it at your ISP, connected directly to the internet, isn't the
> > best idea. If this DC is part of your domain, then you just can not
> > take one of the DCs out. Theoretically you could (fixing metadata on
> > your original domain and seizing FSMO roles on the disjoined server),
> > but I would advise against that. What you could do is set up an empty
> > Windows server box (not joined to the domain), create local accounts
> > and then recreate all security. Make this web SSL and enable basic
> > authentication (NTLM is limited only to IE). Place this server behind
> > a firewall at your ISP and just publish the HTTPS service. Use the IIS
> > Lockdown tool to harden your IIS.
> >
> > Hope I understood your concerns.
> >
> > Regards
> >
> > Matjaz Ladava
> >
> > "TimmyG" <tim@pracctice.com> wrote in message
> > news:3eab3b41.0305280256.12d26d3e@posting.google.com...
> > > Hello all,
> > >
> > > Firstly I apologise for the length of this posting, but it is an
> > > ongoing issue that I could really do with some help on. Obliged.
> > >
> > > For some time now I have been using integrated security at all levels
> > > of an n-tiered ASP.NET application, i.e. IIS, the ASP.NET app and SQL
> > > Server. The application itself hooks up to multiple databases
> > > depending on the identity and membership of the user. As you can
> > > probably imagine, the SQL databases are locked down via group
> > > membership (i.e. one user can gain access to the relevant databases
> > > based on group membership but obviously not the others).
> > >
> > > IIS will only allow access to valid accounts, and the ASP.NET
> > > application allows access to all the relevant groups and impersonates
> > > the client token.
> > >
> > > This system is working very well and, without going into too much
> > > detail, allows me to do many things that mapping all users to one
> > > account at IIS level simply won't allow (proper security on multiple
> > > databases for one).
> > >
> > > My problem however is this: I have been working in an intranet
> > > environment with domain groups and accounts, and hence my system works
> > > fine. I have also tried this method out using machine accounts on a
> > > testing server with no problems at all. In fact I am happily able to
> > > mix machine accounts and domain accounts.
> > >
> > > However, the situation has now arisen whereby this system needs to run
> > > in an internet environment. We have a totally dedicated server at an
> > > ISP just waiting for this system. The problem however is that our
> > > engineers and network gurus tell me that I simply can't do what I want
> > > to do; apparently ISPs don't support this type of security. But what
> > > has the ISP got to do with it? We have a dedicated 2k server and can
> > > guarantee that all clients will be IE5 or above. What is stopping me
> > > adding the users and groups that I want to the server? It should also
> > > be noted that this box is a domain controller (issues, I know), but I
> > > cannot understand why we would need a domain with a standalone
> > > dedicated server. I'm sure it is obvious to you by now that my
> > > networking / security knowledge is not exactly great, but I know what I
> > > am trying to achieve and have been continuously informed from many
> > > sources that full integrated security is the way to go for maximum
> > > protection.
> > >
> > > It should be noted that the information stored within this system is
> > > sensitive to the highest degree and any increases in security are an
> > > absolute must. It should also be noted that we will have full control
> > > over this box, i.e. the users do not administer their own accounts in
> > > terms of access at all. It will be done by us via in-house tools.
> > >
> > > I simply cannot see why I am being told I cannot do this. In simple
> > > terms, what is stopping me adding users and groups to the server?
> > >
> > > If we were to go down the forms auth route then I suddenly need an
> > > application per database to maintain security at DB level, as all users
> > > would be mapped onto one account by IIS and would hence gain access to
> > > all other DBs. This is no good at all and forces me to use multiple
> > > apps to map users onto different accounts for DB access. Also,
> > > interestingly, if I went down this route I would still have to add
> > > groups / accounts to the machine for mapping of users from the
> > > different applications, so what's the difference?
> > >
> > > This has been a long-running issue that is really beginning to annoy
> > > me, because no one seems able to tell me why I can't do this, nor can I
> > > find any information relating to why this might be.
> > >
> > > I have hit web sites before that provide a machine / domain logon, so
> > > why can't my application do it?
> > >
> > > Much obliged for your time....
> > > TimmyG.
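As an added example (not code from the thread or from either poster), here is what the standalone set-up the thread converges on looks like on a current Windows Server: local groups per client on a box that is not a domain member, one SQL Server login per group rather than per user, each group given a database user only in its own database, and a host firewall that admits only TCP 443. Group, user, database and instance names are invented; it assumes Windows Server 2016 or later (for the LocalAccounts and NetSecurity cmdlets), SQL Server 2012 or later (for ALTER ROLE ... ADD MEMBER) and sqlcmd on the PATH.

```powershell
# Added example, not the thread's own code. Standalone (non-domain) IIS + SQL Server
# box: every client user gets a LOCAL Windows account, and group membership decides
# which database the impersonated token may reach. Names below are hypothetical.
#Requires -RunAsAdministrator

# Hypothetical client groups and the single database each group is allowed into.
$clients = @{
    'ClientA_Users' = 'ClientA_DB'
    'ClientB_Users' = 'ClientB_DB'
}

# Hypothetical users, one per client, and the group each belongs to.
$users = @{
    'alice' = 'ClientA_Users'
    'bob'   = 'ClientB_Users'
}

foreach ($group in $clients.Keys) {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description "Web users allowed into $($clients[$group])" | Out-Null
    }
}

foreach ($user in $users.Keys) {
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        # Prompt for the password so it never sits in the script or the shell history.
        $pw = Read-Host -Prompt "Password for $user" -AsSecureString
        New-LocalUser -Name $user -Password $pw | Out-Null
    }
    Add-LocalGroupMember -Group $users[$user] -Member $user -ErrorAction SilentlyContinue
}

# T-SQL: one Windows login per GROUP (not per user) and a database user only in the
# database that group owns. A member of ClientA_Users has no principal in ClientB_DB
# at all, so a connection made under that impersonated token is refused by SQL
# Server itself instead of relying on application code to filter.
$sql = foreach ($group in $clients.Keys) {
    $login = "$env:COMPUTERNAME\$group"
    $db    = $clients[$group]
@"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
GO
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE db_datareader ADD MEMBER [$login];
ALTER ROLE db_datawriter ADD MEMBER [$login];
GO
"@
}

$sqlFile = Join-Path $env:TEMP 'grant-client-groups.sql'
Set-Content -Path $sqlFile -Value $sql -Encoding ASCII
# -E: apply the grants with the administrator's own Windows credentials (integrated
# auth); -b: stop on the first error; -S .: the local default instance (assumption).
& sqlcmd -S . -E -b -i $sqlFile

# Host firewall, in addition to the ISP's firewall: drop everything inbound that no
# rule allows, then allow only HTTPS. SQL Server (1433), RPC (135) and SMB stay
# unreachable from the internet. Built-in allow rules that Windows ships enabled are
# unaffected by the default action and should be reviewed separately.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
if (-not (Get-NetFirewallRule -DisplayName 'HTTPS inbound' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'HTTPS inbound' -Direction Inbound `
        -Protocol TCP -LocalPort 443 -Action Allow -Profile Any | Out-Null
}
```

On the ASP.NET side this pairs with Windows authentication enabled (and anonymous access disabled) on the site in IIS, `<authentication mode="Windows" />` and `<identity impersonate="true" />` in web.config, and a connection string using `Integrated Security=SSPI`, so the impersonated client token, not a shared application account, is what SQL Server authorizes. Because the logins are per group, adding a client later is a group membership change, not a new SQL principal, and removing a user from the local group revokes every database at once.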