RE: Prevent security bypass

Number one recommendation is to upgrade to ASP.NET. It has build in form authentication and can secure pages at any level.

-----Original Message-----
From: Mark Mcdonald [mailto:m.mcdonald@cgl.com.au] Sent: February 4, 2003 7:08 PM
To: 'Chris Neil'
Cc: 'webappsec@securityfocus.com'
Subject: RE: Prevent security bypass

Here's one method of securing through IIS:

• Open up Internet Service Manager
• Find the directory or file(s) you wish to secure (they can been anything from txt to pdf to html to whatever) in the tree on the left-hand side (if a directory - right-hand side for individual file lock-down)
• Right-click the directory / file and select Properties
• If securing a file, select the File Security tab, if securing a directory, select the Directory Security tab
• Select the Edit button in the top third of the property sheet
• Modify the security here I suggest turning off Anonymous access if you want to secure the documents, and turning on Challenge/Response (NTLM) authentication if you're users are all logged in on the network, or using Basic authentication if you wish for a username/password dialog to prompt them. Make sure all the accounts you wish to access it have accounts in the specified domain.

HTH!
Mark.

	Mark McDonald | CGL
		it | web developer

-----Original Message-----
From: Chris Neil [mailto:Chris.Neil@abs-ltd.com] Sent: Wednesday, February 05, 2003 1:00 AM To: 'webappsec@securityfocus.com'
Subject: Prevent security bypass

I am new to this mailing list and so hope this conforms to the guidelines as
I read them.

How do people address the issue of non-authenticated users requesting html
pages directly from a site without logging in?

FYI. This is an IIS server. Our asp pages check the user is logged in, but
with html pages we cannot.
My only idea so far is to convert all our html pages to asp. Is there anything less drastic?

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Chris Neil
  Security Officer
  Chris.Neil@abs-ltd.com

• DISCLAIMER

  ---

  This e-mail and any attachments to it are confidential. If you receive them in error, please tell us immediately and delete them. You must not retain, distribute, disclose or otherwise use any information contained in them.

Before opening or using any attachments with this e-mail you should check
them for viruses and other defects. The sender does not warrant that they
will be free from computer viruses or other defects.