Re: Anonymous access Vulnerabilities

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/04/05


Date: Mon, 4 Apr 2005 12:56:40 +1000

I think what Jeff's trying to say is that an "anonymous access" site, and a
"site that requires authentication" are two completely different things.

For example, if you go and visit www.microsoft.com, then you don't need to
provide a username/password. It's a site that allows anonymous access.

On the other hand, if you have some kind of internal application and you
need to restrict the users who can use it, then "yes" you should have some
kind of authentication/authorization system. You could either "roll your
own" (e.g. authentication where a user types a username/password into an HTML
form, and you use server-side technology like ASP/ASP.NET to implement the
security system), or you can use HTTP based authentication (Kerberos, NTLM,
Basic, Digest etc). You could also use "machine" authentication, by creating
allowed/denied sets of IP addresses (in the case that you don't need client
user authentication) whereby the IP addresses of allowed machines can
connect, but others (e.g. of your firewall, and all machines outside your
firewall) can not connect.

Basically, allowing "anonymous access" isn't a security risk per se. Only
sites where anyone can view everything should be set up with "anonymous
access" allowed. If your site does require authentication or authorization,
then allowing "anonymous access" is a misconfiguration and is definitely a
security issue. It's a bit like setting up an anonymous public FTP site. If
the site is really an anonymous public FTP site, then allowing anonymous
access doesn't present any security issues. However if it isn't really an
anonymous public FTP site, then allowing anonymous access is a
misconfiguration, and is a security issue.

Does that help?

Cheers
Ken

-- 
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Jayhawktuba" <Jayhawktuba@discussions.microsoft.com> wrote in message 
news:6AC41B6A-948B-4B03-90D8-C849CF1C16E7@microsoft.com...
:I think that you missed what I was asking. You always need to research the
: "What if's" in regards to what someone can do once they infiltrate your
: network. There are many ways that this can happen. The most common method is
: to send an email with an infected attachment in hopes that one person uses
: poor judgement and opens it. I am wanting to find out ANY vulnerabilities in
: anonymous access, not just what happens if someone hacks in through the
: firewall.
:
: You said...
: > First, anyone can browse anonymous sites.  Period.  Without
: > "penetrating" the firewall.  That's what anonymous means
:
: Really NOW... SO.. if there is an internal site and it is inside of my
: firewall and the site is anonymous, then someone from the outside can access
: that site without penetrating the firewall? Sounds like a physical
: impossibility to me. Anonymous access just merely means that the site is wide
: open "IF" someone can get to it. Since our internal sites are protected by a
: firewall, we are just trying to find out if the server is any more vulnerable
: by making sites accessible via anonymous access than if NT Chall Resp were
: used. PERIOD.
:
: Also, are you saying that we should JUST worry about our firewall and
: nothing else? That we should just leave it up to the firewall to provide us
: with every bit of our security? WOW.. better tell MS that all of these
: patches and hotfixes of theirs are just a waste of time because if someone
: were to penetrate the firewall, we should just worry about our firewall.
:
: If you are going to try to assist someone, then politely give them the info
: that they ask for, but please leave the sarcasm and ego at home.
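As an added illustration of the distinction Ken draws between an anonymous site, HTTP authentication (Kerberos/NTLM/Basic/Digest), a "roll your own" login form, and IP address restrictions, the following Python script is not from the thread: it requests a URL with no credentials and reports which of those models the server's response indicates, so an administrator can confirm that an internal site meant to require authentication actually challenges for it. The classifier is kept separate from the network call; the header values and URLs it is checked against are constructed examples.

```python
import sys
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit

def parse_challenges(header_value):
    """Scheme names in a WWW-Authenticate value; IIS sends e.g. 'Negotiate, NTLM'."""
    # Split on commas outside quotes: Digest's realm="..." may itself contain one.
    parts, buf, quoted = [], "", False
    for ch in header_value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    schemes = []
    for part in parts:
        first = part.split(None, 1)[0] if part.strip() else ""
        if first and "=" not in first:   # 'qop="auth"' is a parameter, not a scheme
            schemes.append(first.lower())
    return schemes

def classify(status, headers):
    """Map an unauthenticated response to an access model (headers: lower-case keys)."""
    schemes = parse_challenges(headers.get("www-authenticate", ""))
    if status == 401 and schemes:
        return "http-auth:" + "+".join(schemes)   # Kerberos/NTLM/Basic/Digest challenge
    if status == 403:
        return "forbidden"                        # e.g. IP address allow/deny list
    if status in (301, 302, 303, 307) and "login" in headers.get("location", "").lower():
        return "forms-login-redirect"             # 'roll your own' login page
    if status == 200:
        return "anonymous"                        # served with no credentials (or a login form)
    return "other:%d" % status

def probe(url):
    """GET url with no credentials; returns (status, {lower-case header: value})."""
    u = urlsplit(url)
    conn = (HTTPSConnection if u.scheme == "https" else HTTPConnection)(u.netloc, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    # getheader() joins repeated headers (two WWW-Authenticate lines) with ", ".
    return resp.status, {k.lower(): resp.getheader(k) for k, _ in resp.getheaders()}

if __name__ == "__main__":
    for url in sys.argv[1:]:
        print(url, "->", classify(*probe(url)))
```

A 200 may be a form-based login page rather than unrestricted content, so inspect the body before recording a site as anonymous.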

