Re: Basic directory security question

From: Mike (merter.nospam@nospam.attbi.com)
Date: 05/17/02


From: "Mike" <merter.nospam@nospam.attbi.com>
Date: Fri, 17 May 2002 10:58:04 -0700


Thank you... Will the Integrated Windows Authentication allow internet users
to pass a user name and password for an account local to the server (with
permissions to the directory)? And will it NOT be in clear text? Thanks...

"x y" <jamescagney90210@excite.com> wrote in message
news:O867PBa$BHA.1680@tkmsftngp04...
> www.iisfaq.com will answer this and other questions.
>
> You use both. You use NTFS permissions on the directory containing your
> content to grant read-only access to the necessary users [and if security is
> a big issue for you, you may need to also remove IUSR_ and maybe IWAM from
> having rights to that folder]. Also, in the IIS MMC, on the security tab,
> you disable anonymous authentication and enable basic authentication [if the
> users are going through a firewall or are not using internet explorer or are
> not using windows] or windows integrated authentication [usually if the
> users are inside a company network]. Note that with basic authentication,
> the passwords are passed on the internet in plain text, which makes them
> theoretically vulnerable to a hacker running a sniffer program. However if
> this is a small, low security site, this might not be such a big risk.
>
> If this bothers you, use an SSL certificate to set up HTTPS: [
> www.iisfaq.com/ssl explains how] or use OpenSSH [free] or VPN if you have
> VPN capabilities. Reliable SSL certificates generally start around $120 a
> year from www.sitecertificates.com. You can find and install test
> certificates that will work, but the user will get a popup message claiming
> that there is a problem with the web site certificate when they visit your
> site. Verisign.com has test certificates, and www.microsoft.com/download
> has a makecert utility that will let you make your own cert.
>
>
>
> "Mike" <merter.nospam@nospam.attbi.com> wrote in message
> news:OZoMuiT$BHA.1144@tkmsftngp02...
> > I have to create a site on a public web server that will allow read access
> > to a group of users based on a user account on the domain the web server is
> > a member of (no anonymous access). How might I set up directory security to
> > accomplish this? Or, would I somehow use NTFS security? Any suggestions
> > appreciated!
> >
> >
>
>
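
Added example, not part of the original posts: a Python check for the clear-text concern discussed in this thread. It reads which schemes a server's 401 challenge offers and shows that a Basic credential is only base64-encoded, while NTLM and Negotiate do not send the password itself. The host name, credentials and sample headers are constructed for illustration.

```python
import base64

# Constructed sample data (not from the thread): a 401 challenge and a Basic reply.
SAMPLE_401 = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="example.test"\r\n'
    "\r\n"
)
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"alice:S3cret!").decode()

def offered_schemes(raw_response):
    """Return the auth schemes advertised in the WWW-Authenticate headers."""
    schemes = []
    for line in raw_response.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes

def decode_basic(authorization_value):
    """Recover (user, password) from a Basic Authorization value, else None."""
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None                                 # malformed token
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(url, raw_response):
    """List how a password would cross the wire for the schemes on offer."""
    schemes = {s.lower() for s in offered_schemes(raw_response)}
    tls = url.lower().startswith("https://")
    findings = []
    if "basic" in schemes:
        findings.append("Basic over HTTPS: password protected by TLS in transit" if tls
                        else "Basic over plain HTTP: password is only base64-encoded")
    if schemes & {"negotiate", "ntlm"}:
        findings.append("Integrated Windows auth offered: password itself is not sent")
    if not schemes:
        findings.append("No WWW-Authenticate challenge in this response")
    return findings
```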


