Re: Confusion on standard security methodologies.
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 01/14/03
- Next message: Doug Tirevold: "disabling .htr"
- Previous message: Laura: "Need help!!!"
- In reply to: Pete Grazaitis: "Confusion on standard security methodologies."
- Next in thread: Lisa Cozzens [MSFT]: "RE: Confusion on standard security methodologies."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 14 Jan 2003 16:55:39 -0500
"Pete Grazaitis" <pjgratz@yahoo.com> wrote in message
news:20f7835.0301141254.483e1927@posting.google.com...
> -How do remote clients authenticate to the domain? I would like to
> use Integrated Authentication with Kerberos, seems to be the standard
> - but may not be the best. I could do delegation with Basic Auth and
> Active directory. Or X.509 Certs mapped to accounts?
Integrated authentication in IIS is not really standard or advisable over
the internet, as it requires Windows, Internet Explorer and does not work
through proxy servers or firewalls [supposedly]. Other clients are out of
luck. You could have the clients use VPN to connect to the internal network
and access the server from there... however, their home computers would
probably not reliably be able to always authenticate to the domain,
especially if they have a domain controller they already log into.
Another solution, possibly better, would be to use Basic authentication with
HTTPS / certificate on the web server for encryption, and have the web
server authenticate with the domain controller. However, that would require
the domain controller be reachable from your web server, so that if a hacker
cracked your web server, they would potentially have easy access to your
domain account database and possibly more.
Or, you can set up a user table within the SQL database and authenticate the
users to that table, though passwords would not automatically sync with the
domain password without some extra coding on your part.
> -Some of these users do not have NT accounts, and really don't need to
> have it. I would like to keep this server off of my domain. Would I
> still need to create an active directory account for kerberos and then
> institute a domain trust.
Kerberos is based on time being correct between the authentication server
and the client, so I'm not sure it's a good choice for web authentication
from PCs not under your control. I also don't think it's the norm. SSL /
HTTPS encryption to and from the server or VPN is I think more typical for
encrypting the authentication, and client certificates if you feel you need
stronger authentication of clients.
I do believe you need a Windows 2000 domain controller [e.g. active
directory] to do Windows 2000 kerberos, since kerberos is built around a
central KDC server that already has the user's credentials stored
beforehand. You could try implementing a third party kerberos solution, I
suppose, but don't know if that would be possible or desirable, and you'd
still need a central KDC server.
> -Is it possible to use SQL mixed mode and for those that happen to
> have an NT account authenticate this way for others use a hash based
> authentication scheme?
Well, yes, but AFAIK the Integrated Windows authentication again requires
NetBIOS which is not desirable across the internet or through a firewall,
unless you are using something like VPN. For internet web apps, I think it
is more typical for the web server to use a single shared logon to access
the SQL data via, say, SQL authentication, have the user authenticate with a
unique login ID to the web server, and then use a user table within SQL to
determine what rights the unique user login ID should have.
www.sqlsecurity.com should have some information on this.
http://securityadmin.info/ may have some links to articles on writing web
application code securely.
As far as the network architecture, for a serious web site, you'd want a
typical DMZ, either a tri-homed host or two firewalls with a DMZ in between
them. You'd want the web server in the DMZ and as little permissions as
possible for the web server to talk to the internal network. There is
probably some leeway for placement of the SQL server and domain controller.
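An added example (not part of Karl's post or of any product he names) of the application-level scheme he describes for internet web apps: the web tier holds one shared database login, each user signs in to the web application with a unique login ID checked against a user table of salted password hashes, and a role table in the same database decides what that user may do. An in-memory SQLite database stands in for SQL Server, PBKDF2-HMAC-SHA256 is the assumed hashing scheme, and the table names, users, roles and passwords are constructed for the example.

```python
# Added example: application-level user table behind a single shared DB login.
# SQLite stands in for SQL Server; schema, users, roles and the PBKDF2 work
# factor are assumptions made for the example.
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def open_app_database() -> sqlite3.Connection:
    """Open the database as the web tier's single shared login and create the
    user and role tables.  A real deployment would grant that shared login only
    the SELECT/INSERT/UPDATE it needs on these tables, never sysadmin rights."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user (login TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "pw_hash BLOB NOT NULL, role TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE role_privilege (role TEXT NOT NULL, privilege TEXT NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, login: str, password: str, role: str) -> None:
    """Store a new user; only the salt and hash of the password are kept."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO app_user VALUES (?, ?, ?, ?)", (login, salt, digest, role)
    )


def authenticate(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Verify a web-app login against the user table.  The query is
    parameterised so a hostile login ID cannot rewrite it, and the hash
    comparison is constant-time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM app_user WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        # Burn a hash anyway so unknown-user and wrong-password take similar time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def user_privileges(conn: sqlite3.Connection, login: str) -> Set[str]:
    """Rights come from the user's role in the database, not from a Windows
    account, so the web server never needs the domain controller."""
    rows = conn.execute(
        "SELECT r.privilege FROM app_user u "
        "JOIN role_privilege r ON r.role = u.role WHERE u.login = ?",
        (login,),
    ).fetchall()
    return {privilege for (privilege,) in rows}


def build_demo() -> sqlite3.Connection:
    """Constructed sample data: two roles and two users."""
    conn = open_app_database()
    conn.executemany(
        "INSERT INTO role_privilege VALUES (?, ?)",
        [("reader", "view_orders"), ("clerk", "view_orders"), ("clerk", "edit_orders")],
    )
    add_user(conn, "pete", "correct horse battery staple", "clerk")
    add_user(conn, "laura", "hunter2", "reader")
    return conn


if __name__ == "__main__":
    db = build_demo()
    print(authenticate(db, "pete", "correct horse battery staple"))  # True
    print(authenticate(db, "pete", "wrong password"))                # False
    print(authenticate(db, "pete' OR '1'='1", "anything"))           # False
    print(sorted(user_privileges(db, "pete")))                       # ['edit_orders', 'view_orders']
```

The web server's own credential to the database is the one secret that matters if the box in the DMZ is compromised, which is why it should be a low-privilege SQL login scoped to these tables rather than a domain account: an attacker who takes the web server then gets a list of salted hashes and nothing that lets them into the domain.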