RE: Prevent security bypass
From: Logan F.D. Greenlee <lgreenlee(at)ciretose.net>
Date: Tue Feb 04 2003 - 23:25:28 EST
An easy way to accomplish this would be to add NTLM authentication to your existing login form. First, create a single directory in which your protected files reside. Turn off Anonymous access to the directory and its children. Add a low-privilege user to the machine that has as few rights as possible. On the file system, add this user with read-only access to the directory. All files and directories below the protected HTML root should inherit permissions from their parent. Finally, modify your ASP login form to add NTLM authentication to the login process. Authenticate each user as the low-privileged NT user created earlier, in addition to your standard form/session user authentication. Obviously NT authentication should only take place if the user has a valid form-based login. This should meet your needs for protecting your HTML files and ensuring that your web app users are not gaining undue rights on your web server(s).
-Logan
-----Original Message-----
I am new to this mailing list and so hope this conforms to the
guidelines as
How do people address the issue of non-authenticated users requesting
html
FYI. This is an IIS server. Our asp pages check the user is logged in,
but
Chris Neil
ABS Tel: +44 (0) 1993 771221 Fax: +44 (0) 1993 775081
Received on Wed Feb 5 07:05:41 2003
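
Added example (not part of the original message or of any code from its author): the server-side steps from the reply above, as a PowerShell script that applies them and then checks the result. It uses current IIS and Windows cmdlets rather than the 2003-era tools, does not cover the ASP login-form change, and assumes an elevated session with the IIS Windows Authentication feature installed; the site name, directory, path and account name are hypothetical.

```powershell
# Added example. Site, directory, path and account names below are assumptions.
$Site = 'Default Web Site'               # assumed IIS site
$Dir  = 'protected'                      # assumed protected directory under the site
$Path = 'C:\inetpub\wwwroot\protected'   # assumed physical path of that directory
$User = 'webdocs_ro'                     # hypothetical low-privilege local account
$Auth = 'system.webServer/security/authentication'
$Loc  = "$Site/$Dir"

Import-Module WebAdministration

# 1. Low-privilege local account, created only if it does not exist yet.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Password for $User" -AsSecureString
    New-LocalUser -Name $User -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Read-only web content' | Out-Null
}

# 2. NTFS: drop ACEs inherited from above, grant the account inheritable
#    read-only access at the root, then reset children so they inherit from it.
icacls $Path /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${User}:(OI)(CI)R"
icacls "$Path\*" /reset /T /C

# 3. IIS: anonymous access off, Windows (NTLM) authentication on, for this
#    directory and everything below it.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Loc `
    -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Loc `
    -Filter "$Auth/windowsAuthentication" -Name enabled -Value $true

# 4. Verify: anonymous access really is off for the directory.
$anon = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Loc `
    -Filter "$Auth/anonymousAuthentication" -Name enabled).Value
if ($anon) { throw "Anonymous access is still enabled on $Loc" }

# 5. Verify: the account holds no write-type rights on the protected root.
$mask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writable = (Get-Acl $Path).Access | Where-Object {
    $_.IdentityReference -like "*\$User" -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.FileSystemRights -band $mask) -ne 0)
}
if ($writable) { throw "$User holds more than read access on $Path" }

"OK: $Loc requires Windows authentication; $User is read-only on $Path"
```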