Re: NT security accounts database vs. "other"
From: Paul (pwright@diamondchain.com)
Date: 05/07/02
- Maybe in reply to: Aaron Margosis [MS]: "Re: NT security accounts database vs. "other""
From: "Paul" <pwright@diamondchain.com> Date: Tue, 7 May 2002 13:04:45 -0500
Thanks! When you said "...there are resource kit tools to automate managing
windows accounts", can you help point me in the direction of one?
I can't seem to find them on our existing Technet disks.
"x y" <jamescagney90210@yahoo.com> wrote in message
news:#RsDW9c8BHA.820@tkmsftngp05...
> The general security recommendation I believe is to keep internet servers
> out of a windows domain unless you feel it is absolutely necessary. Some
> drawbacks as I see it to NT authentication are that it may require you to
> open up potentially dangerous ports or connections at the DMZ, makes it
> easier for an attacker who compromises your server to gain login IDs and
> passwords, makes it easier to get to other servers on your internal network,
> and unless you're careful, may grant a lot more permissions across the
> domain than just web server access.
>
> Another option is to use local Windows accounts on the web server. Although
> this may be a little more work on your part compared to just adding the
> server to the domain, there are resource kit tools to automate managing
> windows accounts, and you are I think avoiding problems like SQL injection
> that are becoming frequent ways of attacking web sites that use input fields
> on an ASP page for authentication. I think if you build your own asp
> authentication method, it can be secure, but your asp programmers need to be
> knowledgeable in asp security, which some are not. While there are plenty
> of templates and documents out there on how to secure Windows
> authentication, securing your own asp authentication is I think a little
> more nebulous due to the many different ways this can be set up.
>
> "Paul" <pwright@diamondchain.com> wrote in message
> news:euyxWWU8BHA.584@tkmsftngp03...
> > Here is a big-picture question: for securing access to our intranet from
> > outside the firewall, we are configuring certificates and SSL. But should we
> > use NT authentication from our domain controller, or run a 3rd party (ASP or
> > similar) authentication process on the web server? (i.e. IISprotect).
> > From an admin perspective, the latter would seem more painful due to
> > managing separate user accounts, even though it would only be about 25 or
> > 30.
> > But are we buying any extra protection by not using NT authentication? Is
> > that considered more secure from hackers? Less? Any feedback will be
> > appreciated.
> >
> >
>
>