Re: User configuration question
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/04/05
- Previous message: Richard L Rosenheim: "Re: User configuration question"
- In reply to: Richard L Rosenheim: "Re: User configuration question"
- Next in thread: Richard L Rosenheim: "Re: User configuration question"
- Reply: Richard L Rosenheim: "Re: User configuration question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 3 Mar 2005 18:15:10 -0700
I have read over the further info you have provided, and it does
sound like you have a good handle on it. However, most of your
safety is in 1) VPN not being available to those accounts, and,
2) the firewall remaining in effect as you have stated.
It is in my view good to harden for the "in case" scenario as
long as it is cost effective to do so. Those accounts are configured
in their account properties to not be allowed as VPN users, right?
For an example of (perhaps) redundant precaution, having found
they can still IIS login without being in Domain Users does not
in itself stop them from access to other boxes in the environment
if they can route off the box since Authenticated Users being in
the local Users group of the client machines will probably be
effective to allow them access to a client machine. This is
where use of the security group of these web users in the policies
to Deny local and network login would be a strong precaution on
those other boxes.
Now, just how far you go is a good question, given that if they
were to mount a privilege elevation via the http access, then they
would have the whole farm as it is the DC. So, you really need
to make sure that IIS is maintained regarding patches, and also
tightened in some ways IIS 6 does allow beyond the defaults
(the security guidance for IIS at microsoft.com/technet/security
would serve you well here).
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Richard L Rosenheim" <richard@rlr.com> wrote in message news:u2S7YPEIFHA.3760@TK2MSFTNGP12.phx.gbl...
> There's only one network card in the system, and everyone in question will be accessing the computer via the Internet. There's a firewall (i.e., router) for which only the SMTP, HTTP/HTTPS, FTP and VPN ports are opened.
>
> But, you touched upon the grist of my original question. Since the users have to be authenticated by AD to access the web site, I'm concerned that I may unknowingly be granting them access to areas other than the web site. I will actually be creating a security group in which I will put the users into, and granting permission to the web site to the actual security group. I will be denying them remote access permission, nor setting up an Exchange mail for them. And I won't configure their FTPRoot/FTPDir settings (or configure it to a non-existent location). (Note: FTP was configured to use AD User Isolation).
>
> So, as best as I can figure, that should prevent them from VPNing into the system, so they won't be able to connect that way. FTP shouldn't let them connect as the "home directory" will be invalid. And, without a mailbox, Exchange hopefully won't let them do anything.
>
> I've also found out that I can even remove them from the "Domain Users" group, which should help too.
>
> But then, it's the thousands (millions?) of details about Windows 2003/SBS that I don't know which gives me some concerns.
>
> Thanks again for your feedback,
>
> Richard Rosenheim
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message news:%23cNDXNAIFHA.2784@TK2MSFTNGP09.phx.gbl...
> > "Richard L Rosenheim" <richard@rlr.com> wrote in message news:ui3$hn3HFHA.572@tk2msftngp13.phx.gbl...
> > > No, this is not a web farm -- single computer system (actually a SBS 2003 system). And to answer your question, I'm not running Terminal Services.
> > >
> > > I'm using AD user accounts as I'm not aware of another way of doing it. But, I'm open to suggestions.
> > >
> > > From what I understand of your reply, if I only grant them NTFS permission to the folder I wish to allow them to access, and I don't allow them VPN/Dial-in access, then I'm okay about them not being able to access other portions/resources of the system.
> > >
> > > Thanks for the reply,
> > >
> > > Richard Rosenheim
> >
> > Well, that changes things some, as an SBS03 is a domain controller, and so you only have domain accounts available. Normally we do not recommend use of IIS on a DC - but in a single server SBS environment you do not have a choice.
> >
> > What you need to do is
> > 1. be aware of what all groups the accounts are in, like Domain Users
> > 2. understand what those memberships will enable
> > 3. examine all ways that they can get at the system, physical or over the network
> > 4. guard each login form that those ways of getting to the system would allow.
> >
> > In the smaller SBS environment use of the user rights settings in a GPO that applies to all machines except that where the web resides might be viable. The settings are the ones to Deny local login and to Deny network login (or similar wording). That will prevent the account from most uses on any other computer that is in the SBS domain.
> > Then you just need to control access on the machine with the web content. Allowing access to the web content is done with NTFS permissions. The bigger issue is disallowing access to anything else. For that you really need to examine the exposures, because to be authenticated by IIS for access to the web content the accounts will need some user rights, and, being in users group will grant them access where you may not want. There are a lot of variables at this point, that are best narrowed down by looking at the exact specifics of the one machine, and this is complicated by its being the SBS03 DC. For example, we do not know from where these users will access the web (the outside world?, the local office?) and we do not know if the server is multihomed with one interface internal and one to the network, or if it is all local with one network interface, or . . .
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message news:Oe2$aliHFHA.1096@tk2msftngp13.phx.gbl...
> > > > First, if you are not using a web farm and the application does not require the user to go off-box as themselves, such as to a SQL server back-end, then why are you using AD user accounts? If you want to make sure that they cannot access anything except things (webs) on one server, then use of machine local accounts on that server is one of the most strong enforcements of that safeguard that you can get.
> > > >
> > > > Now, as to your ??
> > > > > Is it possible to create a user in the Active Directory and restrict them only to accessing a single web site?
> > > > Yes, it is possible, but you need to have the right environment established in your AD infrastructure in order to do so. Specifically you need to have taken control over the membership of the machine local Users group on all machines, and/or of the User Rights to Log on locally and to Log on over the network on every machine. The default settings will not be working in your favor in this regard.
> > > >
> > > > If the AD is structured so that you can restrict the account to the one webserver, or if the website is confined to one machine only, then it is only a matter of controlling access on that one machine.
> > > > > The web site is configured to use Windows authentication, and I wish to grant specific users access to the web site.
> > > > Not a problem. Use NTFS permissions effectively. The account (post-NT4) will likely need to be a member of the machine local Users group if the website is much more than static html, but otherwise those accounts only need read on the websites content files.
> > > >
> > > > > But, I also don't want them to be able to actually log into the server,
> > > > Do not run Terminal Services or if so, make sure you control what accounts are permitted, and, take physical security over your server so they cannot get to it. It depends on how the users will access the web content (IE browse, FrontPage for content update, etc.) whether the account needs Local, Network, or both login rights. Hence, you must block their access to login in other fashions.
> > > >
> > > > > or access any files or resources on the server, except for that one specific web site.
> > > > Use NTFS permissions (and if present, share level permissions) effectively. If they cannot log into a desktop (per prior comments) then you only need to make sure they are blocked from inappropriate network logins (shares).
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Richard L Rosenheim" <richard@rlr.com> wrote in message news:O8GohiTHFHA.720@TK2MSFTNGP10.phx.gbl...
> > > > > Is it possible to create a user in the Active Directory and restrict them only to accessing a single web site?
> > > > >
> > > > > The web site is configured to use Windows authentication, and I wish to grant specific users access to the web site. But, I also don't want them to be able to actually log into the server, or access any files or resources on the server, except for that one specific web site.
> > > > >
> > > > > Any suggestions, recommendations, helpful URLs?
> > > > >
> > > > > Richard Rosenheim
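The four-step checklist in the quoted reply (know the accounts' group memberships, understand what they enable, enumerate the ways in, guard each logon form) and the NTFS and Deny-logon advice around it can be turned into a repeatable audit. The script below is an added example written for this page; it is not code from Roger Abell, Richard Rosenheim or Microsoft. It assumes a modern Windows host with the RSAT ActiveDirectory module, an account allowed to run secedit (local administrator), and two placeholder values: the security group name `WebUsers` and the content folder `D:\WebContent`. It reports, for each member of the group, whether the account is still in Domain Users and how its dial-in property is set; which NTFS entries on the content folder name the group and whether any of them grant write; and whether the group's SID appears in this machine's Deny-logon user rights.

```powershell
# Added example (not from the thread): audit the hardening discussed above for a
# group of web-only AD accounts on a single SBS/AD server.
# Assumptions: RSAT ActiveDirectory module is installed; run as a local administrator
# (secedit needs it); the group name and content path below are placeholders.
Import-Module ActiveDirectory

$GroupName   = 'WebUsers'        # assumption: security group holding the web-only accounts
$ContentPath = 'D:\WebContent'   # assumption: NTFS folder holding the site's content

$group = Get-ADGroup -Identity $GroupName

# --- Steps 1 and 2: what groups is each account in, and is VPN/dial-in allowed? ---
# Domain Users is the membership that, via each machine's local Users group, lets a
# domain account on to every other computer in the domain.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$accounts = foreach ($m in $members) {
    $acct   = Get-ADUser -Identity $m.distinguishedName -Properties MemberOf, PrimaryGroup, msNPAllowDialin
    $groups = @($acct.PrimaryGroup) + @($acct.MemberOf) |
              ForEach-Object { (Get-ADGroup -Identity $_).Name }

    # msNPAllowDialin: $true = "Allow access", $false = "Deny access",
    # unset = "Control access through policy" (then RRAS/NPS policy decides).
    $dialIn = 'policy-controlled (check RRAS/NPS policy)'
    if ($acct.msNPAllowDialin -eq $true)  { $dialIn = 'ALLOWED by account property' }
    if ($acct.msNPAllowDialin -eq $false) { $dialIn = 'denied by account property' }

    [pscustomobject]@{
        Account       = $acct.SamAccountName
        InDomainUsers = [bool]($groups -contains 'Domain Users')
        AllGroups     = ($groups -join ', ')
        DialIn        = $dialIn
    }
}

# --- NTFS on the content folder: the group should need read only, not write ---
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership'
$ntfs = (Get-Acl -Path $ContentPath).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.FileSystemRights
                GrantsWrite = (($_.AccessControlType -eq 'Allow') -and
                               (($_.FileSystemRights -band $writeMask) -ne 0))
            }
        }

# --- Steps 3 and 4: are the Deny-logon user rights in effect on THIS machine? ---
# secedit exports the effective User Rights Assignment; principals appear as *SID.
# Run this on the client/other machines that the GPO targets, not on the web server
# itself: Windows authentication in IIS needs network logon there.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
if (Test-Path $cfg) { Remove-Item $cfg }
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$sid    = $group.SID.Value
$rights = foreach ($r in 'SeDenyInteractiveLogonRight',
                         'SeDenyNetworkLogonRight',
                         'SeDenyRemoteInteractiveLogonRight') {
    # A right that is not assigned to anyone is simply absent from the export.
    $line = Get-Content $cfg | Where-Object { $_ -like "$r*" }
    [pscustomobject]@{
        Right       = $r
        GroupDenied = [bool]($line -and ($line -like "*$sid*"))
    }
}
Remove-Item $cfg

"Accounts in $GroupName (expect InDomainUsers = False, DialIn = denied):"
$accounts | Format-Table -AutoSize
"NTFS entries for $GroupName on $ContentPath (expect GrantsWrite = False):"
$ntfs | Format-Table -AutoSize
"Deny-logon rights on $env:COMPUTERNAME for $GroupName (expect True on non-web machines):"
$rights | Format-Table -AutoSize
```

Run it once on the SBS box to check memberships, dial-in and NTFS, and once on a representative client machine to confirm the Deny rights from the GPO are actually applied there. A `GroupDenied = True` for `SeDenyNetworkLogonRight` on the web server itself would mean the accounts can no longer authenticate to IIS, which is why the reply suggests scoping that GPO to every machine except the one hosting the web content.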