Security difference between replacing IUSR_XXX account and no anonymous access

Discussion in 'ASP General' started by Glen Scott, Jul 23, 2005.

  1. Glen Scott

    Glen Scott Guest

    Hi, I'm writing an ASP app that administers an ISA server remotely.
    The fact that it's an ISA server isn't my problem I believe.

    My question? What is the security difference between disabling
    anonymous access and using account X from the web client, versus
    allowing anonymous access but using account X as the account that runs
    the application?

    When I configure my web application to allow anonymous access, but
    set the anonymous process to use account X, my ASP code works (the ASP
    code can administer my ISA Server). When I disable anonymous access, and
    I log into the web application using the same account X I mention above,
    I get an error 80070005 when my ASP code tries to connect to my ISA
    server to administer it.

    I would think the above two options would be equivalent, but they're
    not.

    What is the difference?

    Thanks,
    Glen Scott
    Glen Scott, Jul 23, 2005
    #1

  2. Roland Hall

    Roland Hall Guest

    Re: Security difference between replacing IUSR_XXX account and no anonymous access

    "Glen Scott" wrote in message
    news:%...
    : Hi, I'm writing an ASP app that administers an ISA server remotely.
    : The fact that it's an ISA server isn't my problem I believe.
    :
    : My question? What is the security difference between disabling
    : anonymous access and using account X from the web client, versus
    : allowing anonymous access but using account X as the account that runs
    : the application?
    :
    : When I configure my web application to allow anonymous access, but
    : set the anonymous process to use account X, my ASP code works (the ASP
    : code can administer my ISA Server). When I disable anonymous access, and
    : I log into the web application using the same account X I mention above,
    : I get an error 80070005 when my ASP code tries to connect to my ISA
    : server to administer it.
    :
    : I would think the above two options would be equivalent, but they're
    : not.
    :
    : What is the difference?

    What are the NTFS permissions and what authentication method are you using?

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, Jul 23, 2005
    #2

  3. Glen Scott

    Glen Scott Guest

    Re: Security difference between replacing IUSR_XXX account and no anonymous access

    Roland Hall wrote:

    >"Glen Scott" wrote in message
    >news:%...
    >...
    >:
    >: My question? What is the security difference between disabling
    >: anonymous access and using account X from the web client, versus
    >: allowing anonymous access but using account X as the account that runs
    >: the application?
    >:
    >...
    >
    >What are the NTFS permissions and what authentication method are you using?
    >
    >

    I was using plain text authentication when disabling anonymous access.

    I'm really looking for some understanding as to what different
    permissions the web app process is given depending on the configuration.

    For example, what does a) enabling anonymous access using a high
    permission account give that b) windows integrated security does not give and
    c) plain text authentication does not give?

    Thanks for your help,
    Glen Scott
    Glen Scott, Jul 23, 2005
    #3
  4. Roland Hall

    Roland Hall Guest

    Re: Security difference between replacing IUSR_XXX account and no anonymous access

    "Glen Scott" wrote in message
    news:%...
    : Roland Hall wrote:
    :
    : >"Glen Scott" wrote in message
    : >news:%...
    : >...
    : >:
    : >: My question? What is the security difference between disabling
    : >: anonymous access and using account X from the web client, versus
    : >: allowing anonymous access but using account X as the account that runs
    : >: the application?
    : >
    : >What are the NTFS permissions and what authentication method are you using?
    : >
    : I was using plain text authentication when disabling anonymous access.

    I believe that's called Basic Authentication.

    : I'm really looking for some understanding as to what different
    : permissions the web app process is given depending on the configuration.

    Well, it's more than that. It also depends on how you first connect to the
    web server itself. If anonymous, it will look for anonymous and if
    integrated, then it will look for integrated for other pages. So, if you're
    using Basic authentication, then you shouldn't be connecting anonymously
    first.

    : For example, what does a) enabling anonymous access using a high
    : permission account give that b) windows integrated security does not give and
    : c) plain text authentication does not give?

    Here is how I understand it to work:

    The anonymous account uses the Internet Guest account. By default, the
    password is handled automatically and you do not need to know what it is.
    This way anyone (anonymously) can connect to your web server and retrieve
    any document where they have rights to do so.

    Basic authentication makes a request to retrieve a page and if the NTFS
    permissions require authentication to the document, then you are prompted to
    enter credentials of username/password [domain]. This is either sent across
    the wire in plain text or encoded (not encrypted) so best only to use this
    method with an SSL (secure - encrypted) connection.

    Integrated authentication offers a challenge and the client responds and if
    the challenge is met, the document is returned. It works similarly to a
    public/private key handshake where information is encrypted with the public
    key, passed to the client and the client uses its private key to decrypt
    the page and respond with a result. It never passes the username/password
    across the wire and since only the client can decrypt the message, the
    server knows when the correct response is returned, the client has the right
    credentials and returns the page.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag00/html/iis5auth.asp
    http://msdn.microsoft.com/library/d.../en-us/vsent7/html/vxconIISAuthentication.asp

    --
    Roland Hall
    Roland Hall, Jul 23, 2005
    #4
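
Added example, not part of the thread: a small Python check of what an HTTP `Authorization` header carries for the schemes discussed above, showing that Basic credentials are only base64-encoded while an NTLM token is one message of a challenge/response exchange. The function name, result keys and sample values are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# Constructed sample headers (account name and password are made up).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"accountX:Passw0rd!").decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0)).decode()


def classify_authorization(header_value, over_tls):
    """Describe what an Authorization header value puts on the wire."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"scheme": scheme, "error": "token is not valid base64"}

    if scheme == "basic":
        # Basic is base64("user:password"): a reversible encoding, no key.
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        return {
            "scheme": "basic",
            "user": user,
            "password_in_header": bool(sep),
            # Without TLS anyone on the path can decode the header.
            "readable_in_transit": not over_tls,
        }

    if scheme in ("ntlm", "negotiate"):
        info = {"scheme": scheme, "password_in_header": False}
        # NTLM messages begin with "NTLMSSP\0" and a little-endian type field.
        if raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12:
            msg_type = struct.unpack("<I", raw[8:12])[0]
            info["ntlm_message"] = NTLM_TYPES.get(msg_type, "unknown")
        else:
            info["ntlm_message"] = None  # not an NTLM token (e.g. Kerberos)
        return info

    return {"scheme": scheme, "error": "unhandled scheme"}


if __name__ == "__main__":
    for value in (SAMPLE_BASIC, SAMPLE_NTLM):
        print(classify_authorization(value, over_tls=False))
```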