Re: Basic directory security question

From: x y (
Date: 05/17/02

From: "x y" <>
Date: Fri, 17 May 2002 17:23:33 -0400

It is not really recommended, unless the person has installed VPN software
to connect to your internal network. The password is not in plain text, but
it is a hash that can be decoded by, say, L0phtcrack and turned into a
password. Also, you should have a firewall in front of your web server that
blocks Windows networking, e.g. NetBIOS, as this is a large vulnerability.
However, if you have no firewall and the user is using Windows and IE, it could
theoretically work.

"Mike" <> wrote in message
> Thank you... Will the Integrated Windows Authentication allow internet
> to pass a user name and password for an account local to the server (with
> permissions to the directory)? And will it NOT be in clear text? Thanks...
> "x y" <> wrote in message
> news:O867PBa$BHA.1680@tkmsftngp04...
> > will answer this and other questions.
> >
> > You use both. You use NTFS permissions on the directory containing your
> > content to grant read-only access to the necessary users [and if is
> > a big issue for you, you may need to also remove IUSR_ and maybe IWAM
> > having rights to that folder]. Also, in the IIS MMC, on the security
> > you disable anonymous authentication and enable basic authentication [if the
> > users are going through a firewall or are not using Internet Explorer or are
> > not using Windows] or Windows integrated authentication [usually if the
> > users are inside a company network]. Note that with basic
> > the passwords are passed on the internet in plain text, which makes them
> > theoretically vulnerable to a hacker running a sniffer program. However, if
> > this is a small, low security site, this might not be such a big risk.
> >
> > If this bothers you, use an SSL certificate to set up HTTPS: [
> > explains how] or use OpenSSH [free] or VPN if you
> > VPN capabilities. Reliable SSL certificates generally start around $120
> > year from You can find and install test
> > certificates that will work, but the user will get a popup message claiming
> > that there is a problem with the web site certificate when they visit
> > site. has test certificates, and
> > has a makecert utility that will let you make your own cert.
> >
> >
> >
> > "Mike" <> wrote in message
> > news:OZoMuiT$BHA.1144@tkmsftngp02...
> > > I have to create a site on a public web server that will allow read access
> > > to a group of users based on a user account on the domain the web is
> > > a member of (no anonymous access). How might I set up directory security to
> > > accomplish this? Or, would I somehow use NTFS security? Any
> > > appreciated!
> > >
> > >
> >
> >
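
Added example, not part of the original thread: the distinction drawn above between Basic authentication (password sent as text unless HTTPS is used) and Integrated Windows Authentication (password not sent as text), checked on constructed request headers. The function names, host and account are hypothetical; the audit reports Basic credentials that were sent without HTTPS.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(header_value, over_tls):
    """Describe what one Authorization header exposes to a sniffer on the path."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"scheme": scheme, "finding": "malformed credentials blob"}
    if scheme == "basic":
        # Basic is only base64("user:password"): encoding, not encryption.
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        if not sep:
            return {"scheme": scheme, "finding": "malformed credentials blob"}
        finding = "protected by TLS" if over_tls else "password readable on the wire"
        return {"scheme": scheme, "user": user, "finding": finding}
    if scheme in ("ntlm", "negotiate") and raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # NTLM messages carry a little-endian type field after the 8-byte signature.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return {"scheme": "ntlm", "message": NTLM_TYPES.get(msg_type, "unknown"),
                "finding": "challenge/response exchange, password not sent as text"}
    return {"scheme": scheme, "finding": "unrecognized token"}

def audit(requests):
    """Return (url, user) for every Basic credential sent without HTTPS."""
    exposed = []
    for url, header in requests:
        result = classify_authorization(header, url.lower().startswith("https://"))
        if result["finding"] == "password readable on the wire":
            exposed.append((url, result["user"]))
    return exposed

# Constructed sample data: made-up host and account, minimal NTLM type-1 message.
BASIC_HEADER = "Basic " + base64.b64encode(b"webuser:example-password").decode()
NTLM_HEADER = "NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0)).decode()
SAMPLE_REQUESTS = [
    ("http://www.example.test/reports/", BASIC_HEADER),
    ("https://www.example.test/reports/", BASIC_HEADER),
    ("http://www.example.test/reports/", NTLM_HEADER),
]

if __name__ == "__main__":
    for url, user in audit(SAMPLE_REQUESTS):
        print(f"Basic credentials for {user!r} sent in the clear to {url}")
```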