Re: Please help, directory level protection needed.
From: Fred Hebert (fhebert_at_hotmail.com)
Date: 05/09/05
- Next message: Fred Hebert: "Re: Please help, directory level protection needed."
- Previous message: Ari M. Footlik: "Re: WinXP abd IIS Integrated Auth"
- In reply to: David Wang [Msft]: "Re: Please help, directory level protection needed."
- Next in thread: David Wang [Msft]: "Re: Please help, directory level protection needed."
- Reply: David Wang [Msft]: "Re: Please help, directory level protection needed."
- Reply: Jeff Cochran: "Re: Please help, directory level protection needed."
- Reply: Joe Iano: "Re: Please help, directory level protection needed."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 09 May 2005 12:30:17 -0700
"David Wang [Msft]" <someone@online.microsoft.com> wrote in
news:OUAd40gUFHA.1044@TK2MSFTNGP10.phx.gbl:
> Actually, neither Apache nor IIS natively implement the feature you
> are talking about.
>
> Apache uses addon modules to implement the functionality and the
> configuration is in .htaccess. The author of those modules happens to
> just give away the source code for free, so it frequently comes
> bundled with Apache.
>
The bottom line is that Apache/php easily does what I want for free.
> Many 3rd party vendors have also implemented addon modules for IIS to
> implement the functionality with various configuration choices. Their
> modules need to be purchased.
>
> I have not found a freely available module to do this on IIS. On IIS6,
> we have sample code illustrating other concepts that do about 90% of
> the work, but no one has released a free add-on module to look up
> username/password securely from a database/file, even after I posted
> sample code modifications showing how to look up username/password from
> a file with the exact lines of code to change/insert.
>
The bottom line is it's going to cost me.
>
> FYI: the protection mechanism you are asking for is not terribly
> secure. Namely, there is no real user-identity in the underlying OS;
> you rely on the Web Server to implement a check to control access. If
> anyone else happens to compromise the Web Server, they instantly have
> access to the resources you are trying to protect.
>
> Meanwhile, using real user identities in the filesystem (something IIS
> natively supports), you rely on someone actually authenticating
> correctly to control access. If anyone else happens to compromise the
> Web Server, they do not have access to this protected content since
> they did not compromise the real user identity -- only the web
> server's identity. On a server like IIS6 where the web server's
> identity is unprivileged, the server remains secured even if a worker
> process gets compromised.
>
> This is the fundamental difference between the two approaches.
>
So you think we should add 40,000+ non-employee user accounts? How much
would that licensing cost us? And of course letting sales people and the
web server manage these accounts is "secure", or do I need to hire an
additional administrator?
>
> Regarding your problem statement:
>> I am trying to implement a secure software update directory.
>> My application checks for and retrieves updates via http from
>> a directory on our web server. All this works fine, but there
>> is no security. I want to protect the directory so that any
>> http request will require basic authentication.
>
> Basic authentication passes username/password over the network in
> clear text, so it is not secure and is counter to your desire to
> "protect" the directory.
We have this new thing called SSL...
>
> Furthermore, I do not understand why you need authentication for a
> "secure software update directory". I presume users will be
> downloading their patches from this "secure software update
> directory". Why do users even need to authenticate? You want them to
> be able to download patches, right? Or is your program unsecured, so
> access to this "secure software update directory" is equivalent to
> free download of your (possibly licensed) software program, so you
> need to control who can access this directory?
>
Actually the app checks for updates and downloads them via ssl. The
customer does not have direct access to the updates.
Most companies already have a customer database and it is relatively
easy to query that database to determine if a user is valid and grant
access to the files they need. The web server is doing the query through
a very restricted account and the "customer id" has no access to any of
our systems.
The mechanism is very secure. I have implemented it at other locations
with great success and NO security issues. Fortunately none of these
customers used IIS, so it only took about 10 minutes to set up.
Anyhow the short, and correct answer to my question is:
IIS can't do it, I need to BUY a 3rd party tool or roll my own.
Tip: answer the question asked, don't comment on things you are not
familiar with, feel free to offer tips, alternate solutions, point out
potential problems, or ask for clarification but don't assume...
No need to answer the above questions, I am just going to write my own
ISAPI download manager. I was just looking for a quicker and easier way.
The last time I had to deal with IIS was 6 years ago, and I see nothing
has changed...
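As an added illustration (not code from this thread or from any of the products it mentions), here is a minimal Python model of the check Fred describes: Basic credentials validated against a customer store by the web server, with the requested download path confined to the update directory, and a 401 challenge returned otherwise. The customer table, salted hashes, realm and path names are constructed stand-ins; the TLS transport the message relies on is outside this snippet.

```python
import base64
import hashlib
import hmac
import posixpath
from typing import Optional, Tuple

UPDATE_ROOT = "/updates"  # constructed: the protected directory served over SSL


def _hash_pw(salt: str, pw: str) -> str:
    return hashlib.sha256(salt.encode() + pw.encode()).hexdigest()


# Constructed stand-in for the existing customer database; a deployment would
# query the real store through the restricted lookup account described above.
CUSTOMERS = {
    "cust-1001": ("s1", _hash_pw("s1", "correct horse")),
    "cust-2002": ("s2", _hash_pw("s2", "battery staple")),
}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client would send (used for testing)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str]) -> Optional[str]:
    """Return the customer id if the Basic credentials are valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    rec = CUSTOMERS.get(user)
    if rec is None:
        _hash_pw("dummy", password)  # keep timing similar for unknown users
        return None
    salt, stored = rec
    return user if hmac.compare_digest(_hash_pw(salt, password), stored) else None


def resolve_update_path(request_path: str) -> Optional[str]:
    """Confine the request to UPDATE_ROOT; '..' segments cannot escape it."""
    norm = posixpath.normpath(request_path)
    if norm != UPDATE_ROOT and not norm.startswith(UPDATE_ROOT + "/"):
        return None
    return norm


def handle(request_path: str, auth_header: Optional[str]) -> Tuple[int, dict, bytes]:
    """Return (status, headers, body) as the download handler would."""
    path = resolve_update_path(request_path)
    if path is None:
        return 404, {}, b""
    user = check_basic_auth(auth_header)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="updates"'}, b""
    return 200, {}, f"serving {path} to {user}".encode()
```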