Re: IIS 6 Integrated Security....risks??



On Nov 27, 9:06 am, "Roberto López" <rlo...@xxxxxxxxxxxxxxxx> wrote:
Hello from Spain,

I have a web server running under IIS 6 on Windows 2003 Standard Edition,
domain controller.
I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on
the same port (80).
The first one is a plain HTML site, and I have Anonymous access security
applied to it. Works fine.
The second is an ASP.NET application, and I have Integrated Windows Security
applied to it. I have defined an ApplicationPool for this ASP.NET application
to run under a specific domain user account. Works fine too. When a user
connects to this application, the web browser asks for user credentials.

My question is: Is this configuration secure enough for my ASP.NET
application??
The server is running on Internet and Intranet at the same time. Some users
connect locally (from the LAN) and others connect over the Internet to the
ASP.NET application, sending their credentials.
As far as I know the credentials are sent encrypted??, but the pages
themselves are not encrypted; to do this I need an SSL connection?

Thanks a lot.

--
Roberto López


You must define what you want to secure before you talk about how to
secure things. Some people think that they toss everything under SSL
and it is all "secured", but that misses the point. You still don't
know what you want to protect, so how do you know it's safe? You only
know you did something secure, but is it sufficient? And until you
know that, you can't even start thinking about risk because you have
no defined object whose security is being traded off along some
unknown metric.

Is there data being passed on those web pages which requires securing?
Are the authentication protocol's assumptions and premises sufficient
for your security requirements?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//