Re: Anonymous access Vulnerabilities

From: Jayhawktuba (Jayhawktuba_at_discussions.microsoft.com)
Date: 04/04/05

  • Next message: Ken Schaefer: "Re: Change in ASP.Net authentication between Win2000 and Win2003"
    Date: Sun, 3 Apr 2005 20:19:02 -0700
    
    

    Ken,

    Yes.. that is very well put. I think that any corporation that values the
    privacy and integrity of its data needs to require all users to have a
    valid domain account. The chances of anyone infiltrating our network and
    subsequently browsing our intranet are small, but NTLM is just good practice
    to use. I am typing up some documentation for us to keep on hand regarding
    NTLM vs. Anonymous access because we need to have a company standard regarding
    "what method of authentication we need to utilize," and why we want to use it
    or ban it.

    Thanks for the very well worded response.. Take care.. Rob

    "Ken Schaefer" wrote:

    > I think what Jeff's trying to say is that an "anonymous access" site, and a
    > "site that requires authentication" are two completely different things.
    >
    > For example, if you go and visit www.microsoft.com, then you don't need to
    > provide a username/password. It's a site that allows anonymous access.
    >
    > On the other hand, if you have some kind of internal application and you
    > need to restrict the users who can use it, then "yes" you should have some
    > kind of authentication/authorization system. You could either "roll your
    > own" (e.g. authentication where a user types a username/password into a HTML
    > form, and you use server-side technology like ASP/ASP.NET to implement the
    > security system), or you can use HTTP based authentication (Kerberos, NTLM,
    > Basic, Digest etc). You could also use "machine" authentication, by creating
    > allowed/denied sets of IP addresses (in the case that you don't need client
    > user authentication) whereby the IP addresses of allowed machines can
    > connect, but others (e.g. of your firewall, and all machines outside your
    > firewall) can not connect.
    >
    > Basically, allowing "anonymous access" isn't a security risk per se. Only
    > sites where anyone can view everything should be set up with "anonymous
    > access" allowed. If your site does require authentication or authorization,
    > then allowing "anonymous access" is a misconfiguration and is definitely a
    > security issue. It's a bit like setting up an anonymous public FTP site. If
    > the site is really an anonymous public FTP site, then allowing anonymous
    > access doesn't present any security issues. However, if it isn't really an
    > anonymous public FTP site, then allowing anonymous access is a
    > misconfiguration, and is a security issue.
    >
    > Does that help?
    >
    > Cheers
    > Ken
    >
    > --
    > Blog: www.adopenstatic.com/cs/blogs/ken/
    > Web: www.adopenstatic.com
    >
    >
    > "Jayhawktuba" <Jayhawktuba@discussions.microsoft.com> wrote in message
    > news:6AC41B6A-948B-4B03-90D8-C849CF1C16E7@microsoft.com...
    > : I think that you missed what I was asking. You always need to research the
    > : "What if's" in regards to what someone can do once they infiltrate your
    > : network. There are many ways that this can happen. The most common method is
    > : to send an email with an infected attachment in hopes that one person uses
    > : poor judgement and opens it. I am wanting to find out ANY vulnerabilities in
    > : anonymous access, not just what happens if someone hacks in through the
    > : firewall.
    > :
    > : You said...
    > : > First, anyone can browse anonymous sites. Period. Without
    > : > "penetrating" the firewall. That's what anonymous means
    > :
    > : Really NOW... SO.. if there is an internal site and it is inside of my
    > : firewall and the site is anonymous, then someone from the outside can access
    > : that site without penetrating the firewall? Sounds like a physical
    > : impossibility to me. Anonymous access just merely means that the site is wide
    > : open "IF" someone can get to it. Since our internal sites are protected by a
    > : firewall, we are just trying to find out if the server is any more vulnerable
    > : by making sites accessible via anonymous access than if NT Chall Resp were
    > : used. PERIOD.
    > :
    > : Also, are you saying that we should JUST worry about our firewall and
    > : nothing else? That we should just leave it up to the firewall to provide us
    > : with every bit of our security? WOW.. better tell MS that all of these
    > : patches and hotfixes of theirs are just a waste of time because if someone
    > : were to penetrate the firewall, we should just worry about our firewall.
    > :
    > : If you are going to try to assist someone, then politely give them the info
    > : that they ask for, but please leave the sarcasm and ego at home.
    >
    >
    >

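    The configuration below is an added example, not something posted in this thread by Ken or Rob. It shows, in a single IIS web.config, the "site that requires authentication" setup Ken contrasts with anonymous access: anonymous authentication switched off, Integrated Windows authentication (Kerberos via Negotiate, with NTLM as the fallback) switched on, and the "machine authentication" variant implemented as an IP allow list. It assumes IIS 7 or later, where these sections are valid in a site's web.config (on the IIS 5/6 the thread was written against, the same switches live in the IIS MMC snap-in), and the 10.0.0.0/8 range is a constructed placeholder for the internal network.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Assumes IIS 7+ web.config schema.
     The 10.0.0.0/8 range below is a constructed placeholder for the intranet. -->
<configuration>
  <system.web>
    <!-- Hand authentication to IIS/Windows instead of a custom login form -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user: deny it, then allow every authenticated user -->
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- The misconfiguration Ken describes is enabled="true" here on a site
             that is supposed to require a domain account -->
        <anonymousAuthentication enabled="false" />
        <!-- Integrated Windows authentication: Negotiate (Kerberos) is offered
             first, NTLM ("NT Challenge/Response") remains as the fallback -->
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
      <!-- "Machine" authentication: only the listed address range may connect,
           every unlisted source (including anything beyond the firewall) is refused -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

    Two practical caveats: the `windowsAuthentication`, `anonymousAuthentication` and `ipSecurity` sections are locked at the server level by default, so a site-level web.config can only set them after they are unlocked in applicationHost.config (for example with `appcmd unlock config -section:system.webServer/security/authentication/windowsAuthentication`), and the Windows Authentication and IP and Domain Restrictions role services must be installed or the elements are rejected. To confirm the setting took effect, send an unauthenticated GET to the site from an allowed address: the expected answer is `401 Unauthorized` carrying `WWW-Authenticate: Negotiate` and `WWW-Authenticate: NTLM` headers, not a `200` with page content, which would indicate anonymous access is still enabled.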
