Anonymous Authentication and Security

Kevin R.

Hello All:

One of my controls in my ASP.NET application requires that IIS Anonymous
Access be turned off. It also needs to have the following tag in
web.config:
<identity impersonate="true"/>
My question is does the above configuration pose a security risk that I
should be aware of, and if so how can I mitigate it.

Thx in advance,
kr
 
Raterus

Whoa..red flag, your control HAS to have Anonymous Access..? That sounds odd...very odd.. and rather ridiculous. As far as asp.net is concerned, it doesn't really care what authentication method was used by IIS, just that it worked.

Some will argue that you should never use <identity impersonate="true" />, rather impersonate from code found in the following link. http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

It makes sense, most of the execution operations of your application don't need to run with impersonation, so there is no need to have the execution always impersonating. I think it confounds your code though, so I usually just use <identity impersonate="true" />, much easier to code. Up to you of course.

--Michael
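
The code-level approach mentioned in the reply above, as an added example that is not part of the original thread or the linked KB article: the page impersonates the authenticated caller only around the one operation that needs it and always reverts afterwards. It assumes anonymous access is disabled in IIS, `<authentication mode="Windows"/>` is set in web.config, and `<identity impersonate="true"/>` is absent; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind class; names are illustrative only.
public class ProtectedControlPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With anonymous access off and Windows authentication on,
        // User.Identity is the authenticated caller's WindowsIdentity.
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            // Refuse to impersonate anything other than a real, authenticated user.
            throw new HttpException(401, "Windows authentication required.");
        }

        WindowsImpersonationContext ctx = null;
        try
        {
            // From here the thread runs with the caller's token.
            ctx = caller.Impersonate();
            RenderAsCaller();
        }
        finally
        {
            // Always revert, even if the impersonated work throws, so the
            // rest of the request does not keep running as the caller.
            if (ctx != null)
            {
                ctx.Undo();
            }
        }

        // Back on the worker process identity for everything else.
        Response.Write("<p>Process identity: " +
            Server.HtmlEncode(WindowsIdentity.GetCurrent().Name) + "</p>");
    }

    // Stand-in for loading the control that needs the caller's identity.
    private void RenderAsCaller()
    {
        Response.Write("<p>Impersonated identity: " +
            Server.HtmlEncode(WindowsIdentity.GetCurrent().Name) + "</p>");
    }
}
```

Requesting the page shows two different account names when it works as intended: the caller's inside the impersonated block and the worker process account after `Undo()`.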
 
Kevin R.

Michael,

Thanks for your reply. Yes, indeed I use the suggested code to isolate
impersonation to the page loading the control that requires
impersonation (I used the web.config example for clarity here). But, I
still do not fully understand the implications of having IIS anonymous
authentication turned off (disabled anonymous access in IIS). What is
the "red flag" you are referring to?

Can anyone explain it here or refer me to a good source.

Much appreciated,
kr
 
Raterus

Sorry, I misread your original post, I thought you needed anonymous authentication turned on. If it is off, and you aren't impersonating, except through code, you should be very secure.
 
