Re: User configuration question
From: Richard L Rosenheim (richard_at_rlr.com)
Date: 03/04/05
- Next message: Jarryd: "Re: Exportable computer certificate"
- Previous message: Roger Abell: "Re: User configuration question"
- In reply to: Roger Abell: "Re: User configuration question"
- Next in thread: Roger Abell: "Re: User configuration question"
- Reply: Roger Abell: "Re: User configuration question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 3 Mar 2005 18:00:37 -0800
Nice to hear that I actually am stumbling along the right path.
Thanks for the advice about still possibly being able to access other boxes
via IIS login. I'll keep that in mind. At the moment, it's the only box in
the network. I am looking at adding a 2nd box strictly for
experimentation purposes (i.e., nothing that really needs to be protected).
I'll go over the link you suggested. It's a checklist! That's great.
Usually these security things are more conceptual in nature, and get above
me quickly. Checklists, I'm much better at. In briefly glancing at the
link, I did notice mention of IISLockdown and URLScan. Do those still need
to be run on a 2003 box?
Thanks again for all your assistance,
Richard Rosenheim
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%231bChcFIFHA.3364@TK2MSFTNGP10.phx.gbl...
> I have read over the further info you have provided, and it does
> sound like you have a good handle on it. However, most of your
> safety is in 1) VPN not being available to those accounts, and,
> 2) the firewall remaining in effect as you have stated.
> It is in my view good to harden for the "in case" scenario as
> long as it is cost effective to do so. Those accounts are configured
> in their account properties to not be allowed as VPN users, right?
> For an example of (perhaps) redundant precaution, having found
> they can still IIS login without being in Domain Users does not
> in itself stop them from access to other boxes in the environment
> if they can route off the box since Authenticated Users being in
> the local Users group of the client machines will probably be
> effective to allow them access to a client machine. This is
> where use of the security group of these web users in the policies
> to Deny local and network login would be a strong precaution on
> those other boxes.
> Now, just how far you go is a good question, given that if they
> were to mount a privilege elevation via the http access, then they
> would have the whole farm as it is the DC. So, you really need
> to make sure that IIS is maintained regarding patches, and also
> tightened in some ways IIS 6 does allow beyond the defaults
> (the security guidance for IIS at microsoft.com/technet/security
> would serve you well here).
> http://www.microsoft.com/technet/security/prodtech/IIS.mspx
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Richard L Rosenheim" <richard@rlr.com> wrote in message
> news:u2S7YPEIFHA.3760@TK2MSFTNGP12.phx.gbl...
> > There's only one network card in the system, and everyone in question will
> > be accessing the computer via the Internet. There's a firewall (i.e.,
> > router) for which only the SMTP, HTTP/HTTPS, FTP and VPN ports are opened.
> >
> > But, you touched upon the grist of my original question. Since the users
> > have to be authenticated by AD to access the web site, I'm concerned that I
> > may unknowingly be granting them access to areas other than the web site. I
> > will actually be creating a security group into which I will put the users,
> > and granting permission to the web site to the actual security group.
> > I will be denying them remote access permission, and not setting up an
> > Exchange mailbox for them. And I won't configure their FTPRoot/FTPDir
> > settings (or configure it to a non-existent location). (Note: FTP was
> > configured to use AD User Isolation).
> >
> > So, as best as I can figure, that should prevent them from VPNing into the
> > system, so they won't be able to connect that way. FTP shouldn't let them
> > connect as the "home directory" will be invalid. And, without a mailbox,
> > Exchange hopefully won't let them do anything.
> >
> > I've also found out that I can even remove them from the "Domain Users"
> > group, which should help too.
> >
> > But then, it's the thousands (millions?) of details about Windows 2003/SBS
> > that I don't know which gives me some concerns.
> >
> > Thanks again for your feedback,
> >
> > Richard Rosenheim
> >
> >
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:%23cNDXNAIFHA.2784@TK2MSFTNGP09.phx.gbl...
> > > "Richard L Rosenheim" <richard@rlr.com> wrote in message
> > > news:ui3$hn3HFHA.572@tk2msftngp13.phx.gbl...
> > > > No, this is not a web farm -- single computer system (actually an SBS
> > > > 2003 system). And to answer your question, I'm not running Terminal
> > > > Services.
> > > >
> > > > I'm using AD user accounts as I'm not aware of another way of doing it.
> > > > But, I'm open to suggestions.
> > > >
> > > > From what I understand of your reply, if I only grant them NTFS
> > > > permission to the folder I wish to allow them to access, and I don't
> > > > allow them VPN/Dial-in access, then I'm okay about them not being able
> > > > to access other portions/resources of the system.
> > > >
> > > > Thanks for the reply,
> > > >
> > > > Richard Rosenheim
> > > >
> > >
> > > Well, that changes things some, as an SBS03 is a domain controller,
> > > and so you only have domain accounts available. Normally we do
> > > not recommend use of IIS on a DC - but in a single server SBS
> > > environment you do not have a choice.
> > >
> > > What you need to do is
> > > 1. be aware of what all groups the accounts are in, like Domain Users
> > > 2. understand what those memberships will enable
> > > 3. examine all ways that they can get at the system, physical or over
> > > the network
> > > 4. guard each login form that those ways of getting to the system
> > > would allow.
> > >
> > > In the smaller SBS environment use of the user rights settings
> > > in a GPO that applies to all machines except that where the
> > > web resides might be viable. The settings are the ones to
> > > Deny local login and to Deny network login (or similar wording).
> > > That will prevent the account from most uses on any other computer
> > > that is in the SBS domain.
> > > Then you just need to control access on the machine with the web
> > > content. Allowing access to the web content is done with NTFS
> > > permissions. The bigger issue is disallowing access to anything
> > > else. For that you really need to examine the exposures, because
> > > to be authenticated by IIS for access to the web content the accounts
> > > will need some user rights, and being in the Users group will grant
> > > them access where you may not want. There are a lot of variables
> > > at this point, that are best narrowed down by looking at the exact
> > > specifics of the one machine, and this is complicated by its being
> > > the SBS03 DC. For example, we do not know from where these
> > > users will access the web (the outside world?, the local office?)
> > > and we do not know if the server is multihomed with one interface
> > > internal and one to the network, or if it is all local with one
> > > network interface, or . . .
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > >
> > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > news:Oe2$aliHFHA.1096@tk2msftngp13.phx.gbl...
> > > > > First, if you are not using a web farm and the application does
> > > > > not require the user to go off-box as themselves, such as to a
> > > > > SQL server back-end, then why are you using AD user accounts?
> > > > > If you want to make sure that they cannot access anything except
> > > > > things (webs) on one server, then use of machine local accounts
> > > > > on that server is one of the most strong enforcements of that
> > > > > safeguard that you can get.
> > > > >
> > > > > Now, as to your ??
> > > > > > Is it possible to create a user in the Active Directory
> > > > > > and restrict them only to accessing a single web site?
> > > > > Yes, it is possible, but you need to have the right environment
> > > > > established in your AD infrastructure in order to do so.
> > > > > Specifically you need to have taken control over the membership
> > > > > of the machine local Users group on all machines, and/or of the
> > > > > User Rights to Log on locally and to Log on over the network
> > > > > on every machine. The default settings will not be working in
> > > > > your favor in this regard.
> > > > >
> > > > > If the AD is structured so that you can restrict the account to
> > > > > the one webserver, or if the website is confined to one machine
> > > > > only, then it is only a matter of controlling access on that one
> > > > > machine.
> > > > > > The web site is configured to use Windows authentication, and I
> > > > > > wish to grant specific users access to the web site.
> > > > > Not a problem. Use NTFS permissions effectively. The account
> > > > > (post-NT4) will likely need to be a member of the machine local
> > > > > Users group if the website is much more than static html, but
> > > > > otherwise those accounts only need read on the websites content files.
> > > > >
> > > > > > But, I also don't want them to
> > > > > > be able to actually log into the server,
> > > > > Do not run Terminal Services or if so, make sure you control what
> > > > > accounts are permitted, and, take physical security over your
> > > > > server so they cannot get to it. It depends on how the users will
> > > > > access the web content (IE browse, FrontPage for content update,
> > > > > etc.) whether the account needs Local, Network, or both login
> > > > > rights. Hence, you must block their access to login in other
> > > > > fashions.
> > > > >
> > > > > > or access any files or resources on
> > > > > > the server, except for that one specific web site.
> > > > > Use NTFS permissions (and if present, share level permissions)
> > > > > effectively. If they cannot log into a desktop (per prior
> > > > > comments) then you only need to make sure they are blocked from
> > > > > inappropriate network logins (shares).
> > > > >
> > > > > --
> > > > > Roger Abell
> > > > > Microsoft MVP (Windows Security)
> > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > "Richard L Rosenheim" <richard@rlr.com> wrote in message
> > > > > news:O8GohiTHFHA.720@TK2MSFTNGP10.phx.gbl...
> > > > > > Is it possible to create a user in the Active Directory and
> > > > > > restrict them only to accessing a single web site?
> > > > > >
> > > > > > The web site is configured to use Windows authentication, and I
> > > > > > wish to grant specific users access to the web site. But, I also
> > > > > > don't want them to be able to actually log into the server, or
> > > > > > access any files or resources on the server, except for that one
> > > > > > specific web site.
> > > > > >
> > > > > > Any suggestions, recommendations, helpful URLs?
> > > > > >
> > > > > > Richard Rosenheim
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
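Added example, not code from the thread or from either poster. It carries out the steps discussed above for one account, in the order Roger's checklist gives them: a security group for the web-only users, making that group primary so the account can leave Domain Users, "Deny access" on the Dial-in tab, Read on the site content only, and the Deny logon user rights for the other machines, followed by a check of what the machine actually enforces. The group name WebOnlyUsers, the account jdoe and the folder D:\wwwroot\portal are assumptions; it needs the ActiveDirectory module (RSAT) and a session allowed to edit the account, the folder and local policy.

```powershell
# Added example (not from the thread). Assumed names: group WebOnlyUsers,
# account jdoe, site content in D:\wwwroot\portal.
Import-Module ActiveDirectory

$GroupName = 'WebOnlyUsers'
$UserName  = 'jdoe'
$WebRoot   = 'D:\wwwroot\portal'

# 1. One security group for the web-only accounts. The NTFS ACE and the
#    deny rights below name the group, so adding the next account is one line.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
Add-ADGroupMember -Identity $group -Members $UserName

# 2. Leave Domain Users. An account cannot be removed from its primary group,
#    and Domain Users is the default primary group, so the web group becomes
#    primary first. primaryGroupID holds the group's RID (last part of its SID).
$groupRid = [int](($group.SID.Value -split '-')[-1])
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = $groupRid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $UserName -Confirm:$false

# 3. Dial-in tab, "Deny access": stored as msNPAllowDialin = FALSE.
#    (Clearing the attribute instead means "control through remote access policy".)
Set-ADUser -Identity $UserName -Replace @{ msNPAllowDialin = $false }

# 4. NTFS: Read & Execute on the site content only, granted to the group.
$domainNetbios = (Get-ADDomain).NetBIOSName
$aceArgs = @("$domainNetbios\$GroupName", 'ReadAndExecute',
             'ContainerInherit, ObjectInherit', 'None', 'Allow')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $aceArgs
$acl  = Get-Acl -Path $WebRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $WebRoot -AclObject $acl

# 5. Deny every logon type to the group on the OTHER machines. This is the
#    [Privilege Rights] section a domain GPO keeps in GptTmpl.inf; applying it
#    with secedit gives the same result as local policy on one box. secedit
#    REPLACES each listed right with exactly the accounts given, so merge any
#    entries the machine already has (see the export in step 6) before running.
#    Do not apply it on the web server: Windows authentication to IIS is a
#    network logon there, and the deny would break the site as well.
$sid = $group.SID.Value
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyNetworkLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
SeDenyBatchLogonRight = *$sid
SeDenyServiceLogonRight = *$sid
"@
$infPath = Join-Path $env:TEMP 'deny-webonly.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\deny-webonly.sdb" /cfg $infPath /areas USER_RIGHTS /quiet

# 6. Check what this machine enforces: on a client every SeDeny*LogonRight
#    line should carry the group's SID; on the web server none of them should.
$exportPath = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null
$denyLines = Get-Content $exportPath | Where-Object { $_ -match '^SeDeny\w*LogonRight' }
$withGroup = @($denyLines | Where-Object { $_ -match [regex]::Escape($sid) })
"$GroupName appears in $($withGroup.Count) of $($denyLines.Count) deny rights on $env:COMPUTERNAME"

# Roger's point about Authenticated Users: on a default domain member the local
# Users group contains NT AUTHORITY\Authenticated Users, so any domain account
# counts as a local user there unless a deny right stops it.
net localgroup Users
```

Two things to confirm before pushing the deny settings to the clients: which logon right the web server itself needs depends on the site's authentication method, so log in to the site as the test account after each change rather than assuming; and on a single-server SBS the web server is the DC, where user rights come from the policy linked to the Domain Controllers OU, which is why the deny GPO must be linked so that it never reaches that machine.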