Re: Ideas on deferring authentication?

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 06/23/05

    Date: Wed, 22 Jun 2005 19:02:04 -0700
    
    

    Maybe I am misunderstanding how your configuration is set up. If so, please
    do feel free to elaborate details as appropriate.

    I presume only certain users that Basic authenticate against your AD are able
    to access the confidential documents.

    In that case, why don't you just ACL the confidential documents to just
    those users? This prevents anonymous or anyone else within the DMZ (without
    sufficient privileges, of course) from reading the confidential documents.

    WHERE you store them seems quite irrelevant from a security perspective.
    ACLs will be enforced by Windows, whether it's the server in the DMZ or by
    the internal host. Especially since you are going to poke a hole in the DMZ
    to allow the web server to access this internal host anyways -- the internal
    host might as well be in the DMZ as far as access is concerned, and I see no
    security improvement between one or two machines in the same DMZ.

    -- 
    //David
    IIS
    http://blogs.msdn.com/David.Wang
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    <rgutter@bctf.ca> wrote in message
    news:1119387703.351226.62690@z14g2000cwz.googlegroups.com...
    We currently have a public IIS6 server in our DMZ. It's been made a
    domain member to allow Basic Authentication against our AD for a
    number of confidential documents - all within a single web - on the
    server. (We don't want to maintain a separate user database.)
    I can make this marginally more secure by moving the confidential
    documents to an internal host and using UNC Passthrough authentication,
    but I'd rather find a way to turn the public web server into a
    standalone server. Is it sensible to think of moving the confidential
    documents to an internal web server and performing authentication
    there? I'm now allowing http into my protected network of course...
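
    Added example, not part of either post: one way to apply and then verify the ACL approach suggested in the reply above, written in PowerShell. The folder path and the AD group name are assumptions chosen for illustration; run it from an elevated session on the server that holds the documents.

```powershell
# Assumed names (not from the thread); adjust to your environment.
$DocRoot   = 'D:\Inetpub\confidential'       # hypothetical folder with the confidential documents
$ReadGroup = 'CONTOSO\ConfidentialReaders'   # hypothetical AD group of permitted users

# Identities that should remain on the folder after lockdown.
$Wanted = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $ReadGroup;               Rights = 'ReadAndExecute' }
)

$acl = Get-Acl -Path $DocRoot

# Cut inheritance from the parent web root and discard inherited entries, so a
# grant to the anonymous account (or Users/Everyone) higher up cannot apply here.
$acl.SetAccessRuleProtection($true, $false)

# Drop explicit entries already on the folder; only the list above is re-added.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($w in $Wanted) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $w.Id, $w.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $DocRoot -AclObject $acl

# Verify: walk the folder and every child, because a file or subfolder with its
# own protected ACL does not pick up the new inherited entries.
$allowedIds = $Wanted | ForEach-Object { $_.Id }
$items = @(Get-Item -Path $DocRoot) + @(Get-ChildItem -Path $DocRoot -Recurse -Force)
$unexpected = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
        if ($allowedIds -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
            }
        }
    }
}
if ($unexpected) { $unexpected | Format-Table -AutoSize }
else { 'Only the expected identities hold access under ' + $DocRoot }
```

    Any row printed by the verification step is an access entry outside the intended list and should be reviewed before the folder is considered locked down.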
    
