Re: Integrated security - why not?
From: Yan-Hong Huang[MSFT] (yhhuang_at_online.microsoft.com)
Date: Fri, 30 May 2003 02:49:26 GMT
Matjaz is right. Please place the DC/server behind a firewall. Please refer to
"Microsoft Solution for Supplier Enablement Deployment Guide" topic in MSDN.
Let me explain why we seldom use Integrated Security for Internet ASP.NET
applications. For Internet applications, presumably there will be a lot of
clients. Under this situation, how could we set up accounts for them? So,
generally speaking, we use forms authentication, store the user
identity in a database and map users to some domain accounts such as Normal
User, Doc Maintainer, etc.
For ASP.NET application security, please refer to Microsoft patterns and
practices "Building Secure ASP.NET Applications: Authentication,
Authorization, and Secure Communication" at
This posting is provided "AS IS" with no warranties, and confers no rights.
Got .Net? http://www.gotdotnet.com
!From: "Matjaz Ladava" <matjaz@_nospam_ladava.com>
!Subject: Re: Integrated security - why not?
!Date: Thu, 29 May 2003 10:33:50 +0200
!X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
!X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
!NNTP-Posting-Host: perun.spin.si 18.104.22.168
!Well, if this is a completely disconnected DC, then you are OK, but as I
!before: Place this DC/server behind a firewall at your ISP, don't expose it
!directly to the internet. Why ? Because you are placing a complete open
!server to the public network with services such as SQL Server (remember SQL
!worm), AD, all RPC services...... It is just insecure and dangerous. Just
!see all the hotfixes out there for various service vulnerabilities. Opening your
!server just on port 443 (SSL) through a firewall is 1000 times more secure.
!If you have just one server, then all accounts can also be local accounts
!because there is no need for AD configuration, because you don't need any
!special AD functionality.
!"TimmyG" <firstname.lastname@example.org> wrote in message
!> Apologies for the time to reply but google took ages to show your
!> You have almost understood my situation but for one possibly very
!> factor. The DC at the ISP is not for our own use. It will in no way
!> mimic our
!> own network set up. This system has been running on an intranet
!> development and testing and is now to be placed on the web not for our
!> own use
!> but for the use of our clients. The ISP box is completely virginal.
!> Over the next few months the user base will steadily grow, but never to
!> a particularly large number. We can do as we please with this box and I
!> very much wanted to go down the fully integrated security route.
!> I see no reason why this box is a DC at all. What is wrong with using
!> accounts for this type of set up?
!> All i really want to know is that if i / we have full control over
!> this server
!> is what i am proposing 1)possible 2)reasonable and are there any major
!> I will once again stress that the information is sensitive and we
!> require as
!> much control over all aspects of security as possible.
!> Much obliged for your help,
!> "Matjaz Ladava" <matjaz@_nospam_ladava.com> wrote in message
!> > Hi Timmy,
!> > I understand your pain, but taking your DC out of your network and
!> > it at your ISP, connected directly to the internet isn't best idea. If
!> > DC is part of your domain, then you just can not take one of the DC's
!> > Theoretically you could (fixing metadata on your original domain and
!> > FSMO roles on disjoined server), but I would advise against that. What
!> > could do is, to setup and empty windows server box (not joined to
!> > and create local accounts and then recreate all security. Make this web
!> > and enable basic authentication (NTLM is limited only to IE). Place
!> > server behind a firewall at your ISP and just publish HTTPS service.
!> > Lockdown tool to harden your IIS.
!> > Hope I understood your concerns.
!> > Regards
!> > Matjaz Ladava
!> > "TimmyG" <email@example.com> wrote in message
!> > news:firstname.lastname@example.org...
!> > > Hello all,
!> > >
!> > > Firstly, I apologise for the length of this posting, but it is an
!> > > ongoing issue that I could really do with some help on. Obliged.
!> > >
!> > > For some time now I have been using integrated security at all levels
!> > > of an n-tiered ASP.NET application, i.e. IIS, ASP.NET app and SQL
!> > > server. The application itself hooks up to multiple databases
!> > > depending on the identity and membership of the user. As you can
!> > > probably imagine the sql databases are locked down via group
!> > > membership (i.e. one user can gain access to the relevant databases
!> > > based on group membership but obviously not the others).
!> > >
!> > > IIS will only allow access to valid accounts and the aspnet
!> > > application allows access to all the relevant groups and
!> > > the client token.
!> > >
!> > > This system is working very well and without going into too much
!> > > detail allows me to do many things that mapping all users to one
!> > > account at IIS level simply wont allow (proper security on multiple
!> > > databases for one).
!> > >
!> > > My problem however is this: I have been working in an intranet
!> > > environment with domain groups and accounts and hence my system works
!> > > fine. I have also tried this method out using machine accounts on a
!> > > testing server with no problems at all. In fact i am happily able to
!> > > mix machine accounts and domain accounts.
!> > >
!> > > However, the situation has now arisen whereby this system needs to
!> > > in an internet environment. We have a totally dedicated server at an
!> > > isp just waiting for this system. The problem however is that our
!> > > engineers and network gurus tell me that i simply can't do what i
!> > > to do, apparently ISPs dont support this type of security. But what
!> > > has the ISP got to do with it? We have a dedicated 2k server and can
!> > > guarantee that all clients will be IE5 or above. What is stopping me
!> > > adding the users and groups that i want to the server? It should also
!> > > be noted that this box is a domain controller (issues i know) but i
!> > > cannot understand why we would need a domain with a standalone
!> > > dedicated server. I'm sure it is obvious to you by now that my
!> > > networking / security knowledge is not exactly great but i know what
!> > > am trying to achieve and have been continuously informed from many
!> > > sources that full integrated security is the way to go for maximum
!> > > protection.
!> > >
!> > > It should be noted that the information stored within this system is
!> > > sensitive to the highest degree and any increases in security are an
!> > > absolute must. It should also be noted that we will have full control
!> > > over this box i.e. the users do not administer their own accounts in
!> > > terms of access at all. It will be done by us via in-house tools.
!> > >
!> > > I simply cannot see why i am being told i cannot do this. In simple
!> > > terms what is stopping me adding users and groups to server?
!> > >
!> > > If we were to go down the forms auth route then i suddenly need an
!> > > application per database to maintain security at db level as all
!> > > would be mapped onto one account by IIS and would hence gain access
!> > > all other dbs. This is no good at all and forces me to use multiple
!> > > apps to map users onto different accounts for db access. Also,
!> > > interestingly, if i went down this route i would still have to add
!> > > groups / accounts to the machine for mapping of users from the
!> > > different applications, so what's the difference?
!> > >
!> > > This has been a long running issue that is really beginning to annoy
!> > > me because no one seems able to tell me why i cant do this nor can i
!> > > find any information relating to why this might be.
!> > >
!> > > I have hit web sites before that provide a machine / domain logon so
!> > > why can't my application do it?
!> > >
!> > > Much obliged for your time....
!> > > TimmyG.
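The design Yan-Hong recommends (forms authentication, the user identity kept in a database, users mapped onto a handful of accounts) together with TimmyG's requirement that a user reach only the databases their membership grants, as an added C# example. This is not code from the thread or from the Microsoft guide it cites. The database names, role names, SQL logins, the "Forms" identity type and the comma-separated role list assumed to be stored in the forms-authentication ticket's UserData are all assumptions for illustration; the login passwords are shown as placeholders and would be read from protected configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not code from the thread. Forms authentication identifies the
// user; the application then maps the user's roles onto a small set of SQL
// logins, one per role, each granted rights only on the databases that role
// may see. An unknown database, a missing role or an anonymous caller is
// denied (fail closed), so no single shared IIS account ever reaches every
// database, and no per-user Windows account is needed on the web server.
public static class DatabaseAccess
{
    private sealed class Grant
    {
        public string RequiredRole;
        public string ConnectionString;
    }

    // Assumed databases, roles and SQL logins for illustration only. Each
    // login below is assumed to have been created in SQL Server with rights
    // restricted to its own database. Passwords come from protected
    // configuration, never from source.
    private static readonly Dictionary<string, Grant> Grants =
        new Dictionary<string, Grant>(StringComparer.OrdinalIgnoreCase)
    {
        { "ClientA", new Grant { RequiredRole = "ClientA_User",
            ConnectionString = "Server=sql01;Database=ClientA;User Id=app_clienta;Password=<protected config>;Encrypt=True" } },
        { "ClientB", new Grant { RequiredRole = "ClientB_User",
            ConnectionString = "Server=sql01;Database=ClientB;User Id=app_clientb;Password=<protected config>;Encrypt=True" } },
        { "Docs",    new Grant { RequiredRole = "DocMaintainer",
            ConnectionString = "Server=sql01;Database=Docs;User Id=app_docmaint;Password=<protected config>;Encrypt=True" } },
    };

    // Assumed to be called from Application_AuthenticateRequest with
    // ticket.Name and ticket.UserData, where UserData holds the comma-separated
    // role list written into the forms-authentication ticket at login.
    public static GenericPrincipal BuildPrincipal(string userName, string rolesUserData)
    {
        string[] roles = string.IsNullOrEmpty(rolesUserData)
            ? new string[0]
            : rolesUserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < roles.Length; i++)
            roles[i] = roles[i].Trim();
        return new GenericPrincipal(new GenericIdentity(userName, "Forms"), roles);
    }

    // Returns the least-privilege connection string for the requested database,
    // or null when the caller is anonymous, the database is unknown, or the
    // caller lacks the role that grants it.
    public static string ConnectionStringFor(IPrincipal user, string database)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return null;
        if (string.IsNullOrEmpty(database))
            return null;
        Grant grant;
        if (!Grants.TryGetValue(database, out grant))
            return null;
        return user.IsInRole(grant.RequiredRole) ? grant.ConnectionString : null;
    }

    public static void Main()
    {
        // Constructed sample users: what the ticket would carry after login.
        IPrincipal alice = BuildPrincipal("alice", "ClientA_User");
        IPrincipal bob   = BuildPrincipal("bob", "ClientB_User,DocMaintainer");
        // An empty name makes GenericIdentity.IsAuthenticated false.
        IPrincipal anon  = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Report("alice -> ClientA", ConnectionStringFor(alice, "ClientA"));
        Report("alice -> ClientB", ConnectionStringFor(alice, "ClientB"));
        Report("bob   -> Docs",    ConnectionStringFor(bob, "Docs"));
        Report("bob   -> Payroll", ConnectionStringFor(bob, "Payroll"));
        Report("anon  -> ClientA", ConnectionStringFor(anon, "ClientA"));
    }

    private static void Report(string label, string connectionString)
    {
        Console.WriteLine("{0}: {1}", label, connectionString == null ? "denied" : "allowed");
    }
}
```

The mapping table is the only place that ties a role to a database, so a user who is not in the role for a database cannot obtain its connection string, which addresses the concern in the thread that forms authentication forces every user onto one account with access to all databases. Because each SQL login is restricted inside SQL Server as well, a bug in the web application still cannot reach a database its login was never granted. Nothing here requires the web server to be a domain controller or to hold a Windows account per user, so the box can stay a standalone server publishing only HTTPS through the firewall, as Matjaz advises.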