Re: Secure Intranet from Active Directory

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 05/25/03


Date: Sun, 25 May 2003 08:56:31 -0400


Here's a way: have the default document for each site be a page [such as an
.ASP page containing ADSI script] that everyone has permission to see, uses
NTLM authentication only, retrieves the user ID being used and group
membership if possible, compares the ID and/or group membership to a list of
permitted groups or IDs, and then redirects the user either to the real home
page for the site if permissions are allowed or to another site if not
allowed. Search www.google.com or your favorite sample web scripting
information site for sample code.

One issue is that this redirect would only occur when someone accesses the
root of a site, such as www.domain.com/accounting. If for some reason they
used a link such as www.domain.com/accounting/default2.asp or
www.domain.com/accounting/accountingapp/default.asp [like if someone from
accounting with permissions to the site emailed a link to someone that
doesn't], then the redirect wouldn't happen, unless you used the 401 trick,
and then the redirect would occur only after three failed login attempts.
However, I would think this should be somewhat rare and acceptable.

This question has been asked a number of times before, so you should find
pages on it in google, like here:

http://www.google.com/search?q=get+groups+member+web+page+asp+redirect+user

For example, I found this sample code; not sure if it will work on your
server or not:

http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_20430354.html

(VBScript function)

Function IsAMember(strGroup)
    Dim strUserID   ' The User ID in context
    Dim strPath     ' The namespace path (where to get information)
    Dim objUserInfo ' Where the user information is kept
    Dim objGroup    ' A collection containing group users
    Dim blnInGroup  ' Is this person a member of the group? (unused in this sample)

    ' AUTH_USER arrives as DOMAIN\user; upper-case it and strip the domain prefix
    strUserID = UCase(Request.ServerVariables("AUTH_USER"))
    strUserID = Mid(strUserID, (InStr(1, strUserID, "\") + 1), Len(strUserID))

    strPath = "WinNT://YOURDOMAIN/" & strUserID & ",user"

    ' Get the user information (bound here as in the original sample; not used below)
    Set objUserInfo = GetObject(strPath)

    IsAMember = False

    ' Redefine the query to get all the members of the requested group
    strPath = "WinNT://YOURDOMAIN/" & strGroup & ",group"

    ' Ask NT to give us all the members of the group in question
    Set objGroup = GetObject(strPath)

    ' Iterate through the group members. The WinNT provider returns direct
    ' members only; membership via nested groups is not detected here.
    For Each objUserInfo In objGroup.Members
        ' Determine if the page requestor is a member of the group
        If UCase(objUserInfo.Name) = strUserID Then
            ' Yes, this requestor is...
            IsAMember = True
            ' Exit this loop when found
            Exit For
        End If
    Next

End Function

Now when you come to the page you can do:

MemberGodGroup = IsAMember("GodGroup")
If (MemberGodGroup) Then
    ' ...your logic here <show/hide links..redirect..blah...>
End If

"GaryRudy2000@yahoo.com" <garyrudy2000@yahoo.com> wrote in message
news:0f8701c3216b$6ad77bf0$a601280a@phx.gbl...
> Is there an alternative to my situation? Should I take a
> different route whether it be doing something different
> with Active Directory or quite possibly getting a database
> involved? Ultimately I want to avoid the NT challenge.
>
> Thanks,
> Gary
>
> >-----Original Message-----
> >Hmm, I'm not sure you can do that.
> >
> >"Gary" <garyrudy2000@yahoo.com> wrote in message
> >news:0f9101c32141$7657eb10$a101280a@phx.gbl...
> >> Tom,
> >>
> >> If I set this up I still get the NT Challenge 3 times and
> >> then it goes to the 401 Error page. How can I prevent the
> >> NT Challenge so that it automatically goes to the 401
> >> Error Page?
> >>
> >> Thank You.
> >> Gary
> >>
> >> >-----Original Message-----
> >> >"Gary" <garyrudy2000@yahoo.com> wrote in message
> >> >news:064601c32135$b7f25080$a001280a@phx.gbl...
> >> >> Hello,
> >> >>
> >> >> I am developing an Intranet for our company. In this
> >> >> Intranet each department, of our company, will have their
> >> >> own section. For example, our sales department will have
> >> >> a section on the Intranet and our IT department will have
> >> >> a section on the Intranet. I want to allow only IT
> >> >> personnel to access the IT section and only Sales personnel
> >> >> to access the sales section of the Intranet. I want to
> >> >> set permissions on the department's directory itself
> >> >> through Active Directory. What do I need to do to set up
> >> >> IIS and Active Directory to achieve this security? Also,
> >> >> I want to prevent the NT challenge. I want it to function
> >> >> so if a Sales personnel goes into the IT section of the
> >> >> Intranet they will be redirected instead of getting the NT
> >> >> challenge.
> >> >
> >> >http://www.microsoft.com/windows2000/en/server/iis/
> >> >
> >> >Microsoft Internet Information Server
> >> > Administration
> >> > Server Administration
> >> > Security
> >> > Authentication
> >> > Access Control
> >> >
> >> >HOW TO: Configure IIS 5.0 Web Site Authentication in Windows 2000
> >> >http://support.microsoft.com/?id=310344
> >> >HOW TO: Configure User and Group Access on an Intranet in Windows 2000 or
> >> >Windows NT 4.0
> >> >http://support.microsoft.com/?id=325358
> >> >
> >> >For the redirect, write a custom 401 error page using an ASP that handles
> >> >the logic.
> >> >
> >> >--
> >> >Tom Kaminski IIS MVP
> >> >http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
> >> >http://mvp.support.microsoft.com/
> >> >http://www.microsoft.com/windowsserver2003/community/centers/iis/

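The default-document gate described in the post above, with the deep-link gap it mentions closed by moving the same check into a shared include, as an added example that is not code from the original post or from its linked sample. It assumes the section accepts Integrated Windows (NTLM) authentication only, and YOURDOMAIN, the group names, the include path and the redirect target are placeholders.

```vbscript
<%
' authcheck.asp: added example, not code from the original post. Include it
' at the top of every ASP page in a department section, e.g.
'   <!-- #include virtual="/accounting/authcheck.asp" -->
' so deep links like /accounting/default2.asp get the same check as the
' default document. Assumes Integrated Windows (NTLM) authentication only;
' YOURDOMAIN, the group names and DENIED_URL are placeholders.
Const DOMAIN_NAME = "YOURDOMAIN"
Const DENIED_URL  = "/noaccess.asp"
Dim allowedGroups     ' groups permitted into this section (placeholders)
allowedGroups = Array("Accounting", "Accounting-Managers")

' Account name without the DOMAIN\ prefix, or "" if no one authenticated.
Function CurrentUser()
    Dim raw, pos
    raw = UCase(Request.ServerVariables("AUTH_USER"))
    pos = InStr(1, raw, "\")
    If pos > 0 Then raw = Mid(raw, pos + 1)
    CurrentUser = raw
End Function

' True if userName is a DIRECT member of groupName. The WinNT provider does
' not expand nested groups, so list every permitted group explicitly.
' An unknown or unreadable group counts as "not a member" (fail closed).
Function IsDirectMember(userName, groupName)
    Dim objGroup, objMember
    IsDirectMember = False
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & DOMAIN_NAME & "/" & groupName & ",group")
    If Err.Number <> 0 Then Exit Function
    On Error GoTo 0
    For Each objMember In objGroup.Members
        If UCase(objMember.Name) = userName Then
            IsDirectMember = True
            Exit For
        End If
    Next
End Function

' Gate: redirect away unless the caller is authenticated and in a listed group.
Dim user, g, allowed
user = CurrentUser()
allowed = False
If user <> "" Then
    For Each g In allowedGroups
        If IsDirectMember(user, g) Then allowed = True
    Next
End If
If Not allowed Then Response.Redirect DENIED_URL
%>
```

Because the check fails closed, a broken directory lookup (for example, the impersonated NTLM token not being usable against a remote domain controller) shows up as every user being redirected, which is the symptom to watch for when testing. Static files in the section still need NTFS permissions, since only ASP pages run the include.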

