Security difference between replacing IUSR_XXX account and no anonymous access

Glen Scott

Hi, I'm writing an ASP app that administers an ISA server remotely.
The fact that it's an ISA server isn't my problem I believe.

My question? What is the security difference between disabling
anonymous access and using account X from the web client, versus
allowing anonymous access but using account X as the account that runs
the application?

When I configure my web application to allow anonymous access, but
set the anonymous process to use account X, my ASP code works (the ASP
code can administer my ISA Server). When I disable anonymous access, and
I log into the web application using the same account X I mention above,
I get an error 80070005 when my ASP code tries to connect to my ISA
server to administer it.

I would think the above two options would be equivalent, but they're
not.

What is the difference?

Thanks,
Glen Scott
 
Roland Hall

in message
: Hi, I'm writing an ASP app that administers an ISA server remotely.
: The fact that it's an ISA server isn't my problem I believe.
:
: My question? What is the security difference between disabling
: anonymous access and using account X from the web client, versus
: allowing anonymous access but using account X as the account that runs
: the application?
:
: When I configure my web application to allow anonymous access, but
: set the anonymous process to use account X, my ASP code works (the ASP
: code can administer my ISA Server). When I disable anonymous access, and
: I log into the web application using the same account X I mention above,
: I get an error 80070005 when my ASP code tries to connect to my ISA
: server to administer it.
:
: I would think the above two options would be equivalent, but they're
: not.
:
: What is the difference?

What are the NTFS permissions and what authentication method are you using?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
 
Glen Scott

Roland said:
in message
...
:
: My question? What is the security difference between disabling
: anonymous access and using account X from the web client, versus
: allowing anonymous access but using account X as the account that runs
: the application?
:
...

: What are the NTFS permissions and what authentication method are you using?
I was using plain text authentication when disabling anonymous access.

I'm really looking for some understanding as to what different
permissions the web app process is given depending on the configuration.

For example, what does a) enabling anonymous access using a high
permission account give that b) windows integrated security not give and
c) plain text authentication does not give?

Thanks for your help,
Glen Scott
 
Roland Hall

in message
: Roland Hall wrote:
:
: >"Glen Scott" wrote in message
: >: >...
: >:
: >: My question? What is the security difference between disabling
: >: anonymous access and using account X from the web client, versus
: >: allowing anonymous access but using account X as the account that runs
: >: the application?
: >
: >What are the NTFS permissions and what authentication method are you using?
: >
: I was using plain text authentication when disabling anonymous access.

I believe that's called Basic Authentication.

: I'm really looking for some understanding as to what different
: permissions the web app process is given depending on the configuration.

Well, it's more than that. It also depends on how you first connect to the
web server itself. If anonymous, it will look for anonymous and if
integrated, then it will look for integrated for other pages. So, if you're
using Basic authentication, then you shouldn't be connecting anonymously
first.

: For example, what does a) enabling anonymous access using a high
: permission account give that b) windows integrated security not give and
: c) plain text authentication does not give?

Here is how I understand it to work:

The anonymous account uses the Internet Guest account. By default, the
password is handled automatically and you do not need to know what it is.
This way anyone (anonymously) can connect to your web server and retrieve
any document where they have rights to do so.

Basic authentication makes a request to retrieve a page and if the NTFS
permissions require authentication to the document, then you are prompted to
enter credentials of username/password [domain]. This is either sent across
the wire in plain text or encoded (not encrypted) so best only to use this
method with an SSL (secure - encrypted) connection.

Integrated authentication offers a challenge and the client responds and if
the challenge is met, the document is returned. It works similar to a
public/private key handshake where information is encrypted with the public
key, passed to the client and the client uses its private key to decrypt
the page and respond with a result. It never passes the username/password
across the wire and, since only the client can decrypt the message, the
server knows, when the correct response is returned, that the client has the
right credentials, and returns the page.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag00/html/iis5auth.asp
http://msdn.microsoft.com/library/d.../en-us/vsent7/html/vxconIISAuthentication.asp

--
Roland Hall
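As an added illustration (not code from this thread) of the contrast Roland draws between Basic authentication and a challenge/response scheme, the Python below decodes a constructed `Authorization: Basic` header exactly as a network observer on a non-SSL connection could, then sketches a simplified keyed challenge/response in which the password never crosses the wire. The challenge/response part is a generic sketch, not the real NTLM or Kerberos exchange that IIS Integrated authentication uses; the header, user name and password are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed request header (user "glen", password "Secret123"), as it would
# appear on the wire when Basic authentication is used without SSL.
SAMPLE_HEADER = "Authorization: Basic Z2xlbjpTZWNyZXQxMjM="


def recover_basic_credentials(header_line):
    """Decode a Basic header. The credentials are only base64-encoded, not
    encrypted, so anyone who can read the request reads the password."""
    value = header_line.split(":", 1)[1].strip()
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authentication header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Simplified challenge/response (illustrative only, not NTLM/Kerberos):
# the server issues a random nonce, the client returns a keyed hash computed
# from a password-derived key, and the server checks it against the key it
# has stored. The password itself is never transmitted.
def stored_secret(password):
    """Password-derived key the server keeps instead of the password."""
    return hashlib.sha256(password.encode()).digest()


def server_challenge():
    return secrets.token_bytes(16)


def client_response(password, nonce):
    return hmac.new(stored_secret(password), nonce, hashlib.sha256).hexdigest()


def server_verify(secret, nonce, response):
    expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("observer recovers:", recover_basic_credentials(SAMPLE_HEADER))
    nonce = server_challenge()
    resp = client_response("Secret123", nonce)
    print("challenge/response accepted:",
          server_verify(stored_secret("Secret123"), nonce, resp))
```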