Security design question

From: John Lee (johnl_at_newsgroup.nospam)
Date: 01/12/05


Date: Tue, 11 Jan 2005 17:29:48 -0800

Hi,

Here is the environment related context:
=========================================================================
Websites are hosted in the DMZ - subdomain created dmz.companydomain.com
We have our web farm (3-5 web servers) running under one NT Domain account
with least privileges.
Website has all 3 levels of access: anonymous, registered and verified
We will use forms authentication to authenticate registered and verified users
SQL server will be used to host user authentication information and Session
state
All Line of business web services are hosted internally with Windows
authentication only
AzMan is used to perform access check on all public web methods
=========================================================================
My questions are:

Is this a good practice? Any obvious flaw?
What is the best way to encrypt session state because it might contain
sensitive data?
If the internal web service trusts the NT domain account that hosts the web
site, it means that if someone gains access/control of the site then he could
possibly call any of the web service methods, is this correct? How to
prevent it from happening?
What is the best way to secure public access website that will
retrieve/update internal business data?

Thanks very much!
John


