Re: IIS 6 Integrated Security....risks??

Hi Roberto,

My first reaction was like David's, that you must have your
priorities as to what you want to protect. Your reply included
that you want to protect the domain.

So, I come at an answer to you from a somewhat different
place, as I am a Window infrastructure person, not specifically
and IIS guru. Other Active Directory experts, and myself, will
(probably always) be seen to advise that one never run IIS on
a domain controller, and that you always keep your domain
controller entirely inside your private network (i.e. not on the
edge). Those are two very significant steps one can take in
order to increase the security of one's domain infrastructure,
but they appear to be things you have not done.
You have also expressed interest in protecting the data that
is sent by IIS and in protecting the accounts.

Please understand, this is not saying that it is wrong or that
it is guaranteed unsafe, just that it brings risks to your entire
domain infrastructure that you could avoid and for which you
take on the need for added precautions.
This certainly can be done.
It is sort of like your having bought a big safe for your home
and put your valuables inside. But, after a while your wife
convinces you that she really, really misses seeing her most
prized diamond necklace so you have a window installed on
the side of the safe so that she can look at it. The result is
that the most valued part of the content of the safe is placed
at an unneeded weak spot in the protection. You need to make
that window out of very thick glass.

To protect the data sent you should have SSL3/TLS required
as others have advised.

To protect the accounts is however a little tricky. Apparently
people are logged in with these accounts when not inside your
network? so that these might travel over the internet to your
IIS's public interface? One problem with using Windows
integrated authentication is that whether it is used also will
depend on how the IE browser is configured, and it is too easy
for people to let IE send IWA responses to any other webserver,
which is generally considered bad and a risk. The client boxes
would need to be configured to send IWA responses only to
known machines. When done correctly IWA is possibly
better than is basic wrapped within SSL3/TLS, but it also does
imply that their domain accounts are being used on machines
that are not within the internal network, which itself has risks
for those accounts and the privacy/integrity of what those accounts
can access in the domain infrastructure.

Roger


"Roberto López" <rlopez@xxxxxxxxxxxxxxxx> wrote in message
news:O%23GrfGoMIHA.4480@xxxxxxxxxxxxxxxxxxxxxxx


"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> escribió en el mensaje
news:OE0nqFjMIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx

"Roberto López" <rlopez@xxxxxxxxxxxxxxxx> wrote in message
news:uqen02bMIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
My first concern is to ensure that the domain server and all data on it
is
sure.

Integrated Windows Authentication does not secure your server, or the
data
on it.

And the user names and passwords are secured.

Windows already stores usernames and passwords securely. You need to
protect
these "in transit", and also to ensure that user's do not disclose them
to
others

But, with Integrated Windows Autentication the user name and password, as
far as I know, are sent encrypted?

We do not want users to have to write name and password a lot of times.

Write it where? You mean enter them?

Yes, we do not want a lot of forms to enter "user and password" to access
asp.net application.

And
we do not want that users have many different names and passwords to
remember.

So, you need a single authentication store - something like Active
Directory. IWA doesn't help with this per se, because other
authentication
mechanisms (like Basic or Digest Auth) can also use AD acconts.


The data that is being passed on those web pages needs to be protected
too.
I think I need SSL to this?

Yes - SSL/TLS is one technology you can use for this. Or IPSec is
another.

Cheers
Ken


Thanks a lot.




.

Relevant Pages

  • Re: Tips on removing spyware
    ... >> there is more that can and should be done to protect the machine even ... >> I'll mainly work around Windows XP, as that is what the bulk of this ... >> understand and utilize good passwords. ... >> Why you should use a computer firewall.. ...
    (microsoft.public.security)
  • Re: Why shouldnt MS Fingerprint reader not be used to protect sensitive data?
    ... Windows XP - Shell/User ... Protect Your PC! ... | Frustrated with the bounty of passwords, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Automatically logs off after logging on
    ... How to Perform a Windows XP Repair Install ... Protect Your PC! ... "Jeremiah Clinkerbuilt" wrote: ... | two accounts one password protected the other not. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Internet Explorer and passwords
    ... upgrade to Windows XP. ... Windows XP - Shell/User ... Protect your PC! ... internet with IE 6 I have notice that my passwords to log onto various websites no longer work. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: windows remembering passwords
    ... > passwords that I have asked windows to remember does any one know how ... Please respond in Newsgroup only. ... Protect your PC ...
    (microsoft.public.windows.inetexplorer.ie6.browser)