Re: Basic directory security question

From: x y (jamescagney90210@excite.com)
Date: 05/17/02


From: "x y" <jamescagney90210@excite.com>
Date: Fri, 17 May 2002 17:23:33 -0400


It is not really recommended, unless the person has installed VPN software
to connect to your internal network. The password is not in plain text, but
it is a hash that can be decoded by, say, L0phtcrack and turned into a
password. Also, you should have a firewall in front of your web server that
blocks Windows networking, e.g. NetBIOS, as this is a large vulnerability.
However, if you have no firewall and the user is using Windows and IE, it could
theoretically work.

"Mike" <merter.nospam@nospam.attbi.com> wrote in message
news:u4mDqvc$BHA.2540@tkmsftngp05...
> Thank you... Will the Integrated Windows Authentication allow internet users
> to pass a user name and password for an account local to the server (with
> permissions to the directory)? And will it NOT be in clear text? Thanks...
>
> "x y" <jamescagney90210@excite.com> wrote in message
> news:O867PBa$BHA.1680@tkmsftngp04...
> > www.iisfaq.com will answer this and other questions.
> >
> > You use both. You use NTFS permissions on the directory containing your
> > content to grant read-only access to the necessary users [and if security
> > is a big issue for you, you may need to also remove IUSR_ and maybe IWAM
> > from having rights to that folder]. Also, in the IIS MMC, on the security
> > tab, you disable anonymous authentication and enable basic authentication
> > [if the users are going through a firewall or are not using Internet
> > Explorer or are not using Windows] or Windows integrated authentication
> > [usually if the users are inside a company network]. Note that with basic
> > authentication, the passwords are passed on the internet in plain text,
> > which makes them theoretically vulnerable to a hacker running a sniffer
> > program. However, if this is a small, low security site, this might not be
> > such a big risk.
> >
> > If this bothers you, use an SSL certificate to set up HTTPS:
> > [www.iisfaq.com/ssl explains how] or use OpenSSH [free] or VPN if you have
> > VPN capabilities. Reliable SSL certificates generally start around $120 a
> > year from www.sitecertificates.com. You can find and install test
> > certificates that will work, but the user will get a popup message claiming
> > that there is a problem with the web site certificate when they visit your
> > site. Verisign.com has test certificates, and www.microsoft.com/download
> > has a makecert utility that will let you make your own cert.
> >
> >
> >
> > "Mike" <merter.nospam@nospam.attbi.com> wrote in message
> > news:OZoMuiT$BHA.1144@tkmsftngp02...
> > > I have to create a site on a public web server that will allow read
> > > access to a group of users based on a user account on the domain the web
> > > server is a member of (no anonymous access). How might I set up directory
> > > security to accomplish this? Or, would I somehow use NTFS security? Any
> > > suggestions appreciated!
> > >
> > >
> >
> >
>
>
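
The exposure discussed in this thread, as an added example that is not code from any poster: it audits the `WWW-Authenticate` challenges a server returns for a protected directory and flags Basic authentication offered without HTTPS, then shows that a Basic credential is only base64 of `user:password`. The host names, the sample credential and the function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

# Constructed observations (not from the thread): the URL requested and the
# WWW-Authenticate challenges the server sent back with its 401 response.
SAMPLE_RESPONSES = [
    ("http://intranet.example/reports/", ['Basic realm="reports"']),
    ("https://www.example/reports/", ['Basic realm="reports"']),
    ("http://www.example/private/", ["Negotiate", "NTLM"]),
    ("http://www.example/mixed/", ["NTLM", 'Basic realm="mixed"']),
]

def offered_schemes(challenges):
    """Return the lowercase scheme name of each WWW-Authenticate value."""
    return [c.split(None, 1)[0].lower() for c in challenges if c.strip()]

def audit(url, challenges):
    """Classify how the password is exposed for one protected URL."""
    tls = urlsplit(url).scheme.lower() == "https"
    schemes = offered_schemes(challenges)
    if not schemes:
        return "INFO: no authentication challenge seen"
    if "basic" in schemes and not tls:
        return "FAIL: Basic over plain HTTP, password readable on the wire"
    if "basic" in schemes:
        return "OK: Basic is wrapped in HTTPS"
    if not tls:
        return "WARN: integrated auth over plain HTTP, exchange visible to a sniffer"
    return "OK: integrated auth over HTTPS"

def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = decoded.partition(":")  # user names cannot contain ':'
    return user, password

def run():
    """Audit every constructed sample and return {url: verdict}."""
    return {url: audit(url, ch) for url, ch in SAMPLE_RESPONSES}

if __name__ == "__main__":
    for url, verdict in run().items():
        print(f"{verdict:72} {url}")
    # Constructed credential: no key is needed to read it back.
    sample = "Basic " + base64.b64encode(b"webuser:S3cret!").decode()
    print(decode_basic(sample))
```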