I
InstantKiwi
Hi All,
I am an applications developer with very basic knowledge of networking
security concepts so please bear with while I try my best to explain
the situation.
I am looking for some best practice advice for how to structure the
infrastructure for an internet facing web application. Here are some
basic details of what we currently have in our environment...
- Win2K3 on all servers
- ISA 2004
- Connections are only allowd to be made to my SQL Server instance
using Windows authentication
- My SQL Server is a member of my internal domain so that my internal
AD users can access certain data using various internal applications
(MS Office, custom apps, etc).
We are developing an ASP.NET 2.0 web application designed to capture
data from a known set of external users from a number of different
external organisations. Our design is to create a new OU in our
internal AD to use as the credential store for these users/groups. We
will simply be using AD to authenticate users so we will not have to
extend the AD schema. We will store all our extended user details in
our application database.
Given that I am only allowed to use Windows authentication against SQL
Server then my web application must either:
1. Impersonate an explicit domain account; OR
2. Impersonate the logged on user (being a domain account user)
Either way it would seem to me that the web server will either
1. Have to be a member of my internal domain; OR
2. Sit in the DMZ with a whole raft of holes in the internal firewall
to accomodate windows auth.
What is the best way to do this in a secure manner?
I have done a fair bit of searching around to find "best practice"
articles for essentially deploying an internet facing web application
that must use windows authentication to connect to a database server on
the internal domain but seem to have come up short. Any suggestions
would be greatly appreaciated.
I am an applications developer with very basic knowledge of networking
security concepts so please bear with while I try my best to explain
the situation.
I am looking for some best practice advice for how to structure the
infrastructure for an internet facing web application. Here are some
basic details of what we currently have in our environment...
- Win2K3 on all servers
- ISA 2004
- Connections are only allowd to be made to my SQL Server instance
using Windows authentication
- My SQL Server is a member of my internal domain so that my internal
AD users can access certain data using various internal applications
(MS Office, custom apps, etc).
We are developing an ASP.NET 2.0 web application designed to capture
data from a known set of external users from a number of different
external organisations. Our design is to create a new OU in our
internal AD to use as the credential store for these users/groups. We
will simply be using AD to authenticate users so we will not have to
extend the AD schema. We will store all our extended user details in
our application database.
Given that I am only allowed to use Windows authentication against SQL
Server then my web application must either:
1. Impersonate an explicit domain account; OR
2. Impersonate the logged on user (being a domain account user)
Either way it would seem to me that the web server will either
1. Have to be a member of my internal domain; OR
2. Sit in the DMZ with a whole raft of holes in the internal firewall
to accomodate windows auth.
What is the best way to do this in a secure manner?
I have done a fair bit of searching around to find "best practice"
articles for essentially deploying an internet facing web application
that must use windows authentication to connect to a database server on
the internal domain but seem to have come up short. Any suggestions
would be greatly appreaciated.
