Intranet Security & Authentication

Discussion in 'ASP General' started by CJM, Apr 29, 2004.

  1. CJM

    CJM Guest

    We have a simple intranet currently but as time goes by it is increasing in
    its complexity and its use.

    Some of the published content is only for the eyes of the select few.
    Currently this is restricted by a DB-driven menu system; all users can view
    standard content, but some users can login to view extra content. In
    reality, only the intranet menus are restricted - if a user knew the path of
    a restricted file, they could enter it into the address bar and access the
    file. A bigger problem is searching. I've built a limited-scope search
    facility using the indexing service, but if this was rolled out to the full
    site, there would be no way for this facility to discriminate between 'open'
    files and restricted files.

    We are looking to improve the intranet soon, but the biggest problem I have
    is which security model to choose. One of the ways we could probably
    overcome the shortfalls of the current situation is to move to Integrated
    Authentication. No login would be required, and AFAIK, the indexing service
    would only return files that the user is entitled to view(?). The problem
    with this scenario is with shared machines. For example, we are a group of
    manufacturing companies, and we have shared machines on the shopfloors - in
    most cases, the shop-floor staff have very limited access rights, but their
    chargehands and team leaders need greater privileges. The way it tends to
    work is that one person logs onto the machine and all his colleagues share
    his machines (and use his account!). I've been assured that this habit is
    impossible to change!

    Under an integrated auth scenario, the team leaders would either have to
    share their privileges with their staff (very undesirable), or would have
    to lose their privileges (also undesirable). In the current system, they
    can log in and out of the intranet application as they wish.

    What would be ideal is a combination of the two models: to have a login (and
    logout) procedure that requires their Windows UID/Pwd. They could log in and
    out when restricted files were needed, and in addition, the indexing service
    search would be secured, and files would not be accessible directly via the
    address bar.

    I know the direct-access-through-address-bar problem can be solved by using
    an ISAPI extension/filter. I've also heard something about ADAM (Active
    Directory Application Mode), but I know very little about Integrated
    Authentication, Active Directory, or ADAM. [You could say I don't know ADAM
    from Adam... this probably is a very parochial joke]

    I'm praying that there is somebody out there who has been in the same boat,
    but failing that, ideas/suggestions/sympathy is welcomed from the floor.

    Thanks

    Chris
    CJM, Apr 29, 2004
    #1
  2. [MSFT]

    [MSFT] Guest

    Hi Chris,

    If the windows integrated authentication is not suitable, you may consider
    some customized authentication. For example, in the database, create an
    account table, including all accounts with powerful permission. In your
    ASP, you may use a session variant to indicate if a powerful account is
    authenticated. If not, redirect it to a logon page when he requests a high
    security page.

    You also can consider migrating to ASP.NET, which supports different
    authentication. For example, form authentication.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    [MSFT], Apr 30, 2004
    #2
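    One way to implement the session flag Luke describes, written here as an added example (not code from the thread, from Microsoft, or from the KB articles cited later) and tied to the OP's wish that the login use Windows credentials: the page binds to the domain with the submitted user name and password through ADSI (IADsOpenDSObject.OpenDSObject) and sets the session flag only if the bind succeeds and the user is in a designated group. The domain name, group name, session key, form field names and landing page are assumptions, and the ASP application's identity must be permitted to read the directory.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
Response.Buffer = True
' login.asp -- added example, not from the thread.
' Validates the submitted Windows user name/password against the domain via
' ADSI and, if the user belongs to an assumed group, sets the session flag
' that the restricted pages check.
Const DOMAIN_NAME      = "CORP"                 ' assumed NetBIOS domain name
Const RESTRICTED_GROUP = "Intranet Restricted"  ' assumed domain group
Const ADS_SECURE_AUTHENTICATION = 1

' True when the bound user object is a member of groupName.
Function IsMemberOf(adsUser, groupName)
    Dim grp
    IsMemberOf = False
    For Each grp In adsUser.Groups
        If LCase(grp.Name) = LCase(groupName) Then
            IsMemberOf = True
            Exit For
        End If
    Next
End Function

' True when the credentials bind and the user is in the restricted group.
' reason receives a short code for logging; it is never shown to the user.
Function ValidateWindowsLogon(userName, password, ByRef reason)
    Dim dso, adsUser
    ValidateWindowsLogon = False
    ' Only a plain account name is accepted; the domain is fixed server-side
    ' so the caller cannot redirect the bind to another directory path.
    If userName = "" Or password = "" Or InStr(userName, "/") > 0 _
       Or InStr(userName, "\") > 0 Or InStr(userName, ",") > 0 Then
        reason = "invalid input"
        Exit Function
    End If
    On Error Resume Next
    Set dso = GetObject("WinNT:")
    Set adsUser = dso.OpenDSObject("WinNT://" & DOMAIN_NAME & "/" & userName & ",user", _
                                   DOMAIN_NAME & "\" & userName, password, _
                                   ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        reason = "bad credentials"   ' do not echo Err.Description to the browser
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    If IsMemberOf(adsUser, RESTRICTED_GROUP) Then
        ValidateWindowsLogon = True
    Else
        reason = "not in group"
    End If
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Dim why
    If ValidateWindowsLogon(Request.Form("user"), Request.Form("pwd"), why) Then
        Session("IsPowerUser")   = True
        Session("PowerUserName") = Request.Form("user")
        Response.Redirect "/restricted/default.asp"   ' assumed landing page
    Else
        Session("IsPowerUser") = False
        ' Same message for every failure, so the form does not reveal
        ' which account names exist.
        Response.Write "<p>Logon failed.</p>"
    End If
End If
%>
<form method="post" action="login.asp">
  Windows user: <input type="text" name="user">
  Password: <input type="password" name="pwd">
  <input type="submit" value="Log in">
</form>
<%' A matching logout.asp only needs Session.Abandon, which lets a team leader
  ' drop the elevated session before handing the shared machine back. %>
```

    Because the form carries the Windows password, this page has to be served over SSL, for the same reason Felix gives below for Basic Authentication. With the flag stored server-side in the session, a restricted ASP page checks `Session("IsPowerUser")` and redirects to login.asp otherwise; the documents themselves still need the separate treatment discussed later in the thread.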
  3. CJM

    CJM Guest

    "[MSFT]" <> wrote in message
    news:$ixJ%...
    > Hi Chris,
    >
    > If the windows integrated authentication is not suitable, you may consider
    > some customized authentication. For example, the database, create an
    > account table, including all accounts with powerfull permission. In your
    > ASP, you may use a session variant to indicate if a powerful account is
    > authenticated. If not, redirect it to a logon page when he request a high
    > security page.
    >


    I already have this design in place.

    The problem is that much of the content available is PDFs/Office documents
    etc. If a user knows where these documents are, there is nothing stopping them
    from entering the address of the document in the address bar. You try telling
    an Excel spreadsheet to redirect to a login page! lol


    > You also can consider migrating to ASP.NET, wich support different
    > authentication. For example, form authentication.
    >
    > Luke


    ASP.NET is on my wish-list of things to learn, but it's not that
    straightforward.

    However, I should have a look and see if it can offer a better solution.

    Thanks
    CJM, Apr 30, 2004
    #3
  4. Roland Hall

    Roland Hall Guest

    "CJM" wrote in message news:...
    : "[MSFT]" <> wrote in message
    : news:$ixJ%...
    : > Hi Chris,
    : >
    : > If the windows integrated authentication is not suitable, you may
    consider
    : > some customized authentication. For example, the database, create an
    : > account table, including all accounts with powerfull permission. In your
    : > ASP, you may use a session variant to indicate if a powerful account is
    : > authenticated. If not, redirect it to a logon page when he request a
    high
    : > security page.
    : >
    :
    : I already have this design in place.
    :
    : The problem is that much of the content available are PDFs/Office
    Documents
    : etc. If a user know where these documents are there is nothing stopping
    them
    : from entering the address of the document in the address bar.You try
    telling
    : an Excel spreadsheet to redirect to a login page! lol

    Yes there is. Don't put the files under a virtual root and look at
    TextStream.

    http://www.pstruh.cz/tips/detpg_read-write-binary-files.htm

    HTH...

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, May 1, 2004
    #4
  5. Felix Wu [MSFT]

    Hi Chris,

    Here is a Knowledge Base article that may help you implement what Roland's
    suggested:

    HOWTO: Read and Display Binary Data in ASP
    http://support.microsoft.com/?id=193998

    Also, if you are working in a domain environment, Basic Authentication
    can be another way to go. For the sake of protecting the password, you'd better
    use Basic Authentication together with SSL.

    Regards,

    Felix Wu
    =============
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Felix Wu [MSFT], May 3, 2004
    #5
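    Putting Roland's and Felix's suggestions together, as an added example that is not the KB article's code nor anything posted in the thread: the restricted documents live in a folder outside every IIS virtual root, so no URL maps to them, and this page becomes the only route to them. It checks the same session flag the logon design sets, refuses any file name that could escape the folder, and then streams the bytes with ADODB.Stream and Response.BinaryWrite. The folder path, session key and query-string parameter are assumptions.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' getdoc.asp -- added example, not from the thread or the KB article.
' Usage: /getdoc.asp?file=budget-2004.xls
' The folder below is an assumption; the point is that it is NOT under
' wwwroot or any virtual directory, so IIS cannot serve from it directly.
Const RESTRICTED_ROOT = "D:\IntranetRestricted\"

' The session flag is the one set by the intranet logon page (assumed name).
If Session("IsPowerUser") <> True Then
    Response.Redirect "/login.asp"
    Response.End
End If

' Returns True only for a bare file name: no directory separators and no
' "..", so the caller cannot reach outside RESTRICTED_ROOT.
Function IsSafeFileName(name)
    IsSafeFileName = False
    If name = "" Then Exit Function
    If InStr(name, "\") > 0 Or InStr(name, "/") > 0 Or InStr(name, "..") > 0 Then Exit Function
    If InStr(name, ":") > 0 Or InStr(name, Chr(0)) > 0 Then Exit Function
    IsSafeFileName = True
End Function

' Map a few document types to their MIME type; anything else downloads as octets.
Function ContentTypeFor(ext)
    Select Case LCase(ext)
        Case "pdf": ContentTypeFor = "application/pdf"
        Case "doc": ContentTypeFor = "application/msword"
        Case "xls": ContentTypeFor = "application/vnd.ms-excel"
        Case "ppt": ContentTypeFor = "application/vnd.ms-powerpoint"
        Case Else:  ContentTypeFor = "application/octet-stream"
    End Select
End Function

Dim fileName, fullPath, fso, stm
fileName = Request.QueryString("file")
If Not IsSafeFileName(fileName) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = RESTRICTED_ROOT & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' Read the file as binary and hand the bytes to the client unchanged.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1   ' adTypeBinary
stm.Open
stm.LoadFromFile fullPath

Response.Buffer = True
Response.Clear
Response.ContentType = ContentTypeFor(fso.GetExtensionName(fullPath))
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.AddHeader "Content-Length", CStr(stm.Size)
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
Set fso = Nothing
Response.End
%>
```

    Intranet menus and search results then link to `getdoc.asp?file=...` rather than to the document itself. Because the folder is outside the web space, a user who knows the document's name still has to pass the session check; the file-name check matters because the script, not IIS, is now doing the path handling.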
  6. Roland Hall

    Roland Hall Guest

    "Felix Wu [MSFT]" wrote in message
    news:w4K8$...
    : Here is a Knowledge Base article that may help you implement what Roland's
    : suggested:
    :
    : HOWTO: Read and Display Binary Data in ASP
    : http://support.microsoft.com/?id=193998
    :
    : Also, if you are working in a domain environment, the Basic Authentication
    : can be another way to go. For the sake of protecting password, you'd
    better
    : use Basic Authentication together with SSL

    Thanks Felix. This link may also be beneficial to the OP.

    http://www.pstruh.cz/tips/detpg_read-write-binary-files.htm

    HTH...

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, May 3, 2004
    #6
  7. [MSFT]

    [MSFT] Guest

    Thanks for Roland's suggestion about binary read. It should be a proper
    solution for this issue.

    By the way, I think this is also a reason which supports a migration to
    ASP.NET. Within ASP.NET HttpHandler, we also can handle the request to the
    files like PDF or DOC.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    [MSFT], May 4, 2004
    #7
  8. Felix Wu [MSFT]

    Sure :)

    Thanks,

    Felix Wu
    =============
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Felix Wu [MSFT], May 7, 2004
    #8
  9. Roland Hall

    Roland Hall Guest

    "Felix Wu [MSFT]" wrote in message
    news:...
    : Sure :)

    Holy S**T Batman! I didn't realize I already posted that link. On the
    upside, I don't drink alcohol so it could be worse, maybe...

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, May 7, 2004
    #9