views: 1226
answers: 1

I need to secure a legacy help site on our network that points out to the world. Ideally, I want to have people authenticate with their active directory logins, because everybody in the company is already there, and they already know that stuff. Ideally, I'd need to set the default domain so people don't have to type that.

I have an example to model my solution after, but to call it weird is a bit of an understatement. Anonymous access is enabled, with authenticated access restricted to Integrated Windows Authentication and Basic Authentication, with no initial domain or realm set. The web.config file in the website has only this in its authentication field:

<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user: deny it, so only authenticated users get in -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Of course, the site I am securing is pure HTML, so I am not even sure a web.config file will work. Is there a graceful, sustainable way to go about this? Unfortunately, I am unable to find much of anything on Google.

+1  A: 

Turn off anonymous authentication in IIS and enable Integrated Windows Authentication. That will work outside asp.net. If it's pure html, the web.config isn't being used.

Joshua Belden
Is there a way to combine this with allowing/denying access by IP? I was using the allow/deny to restrict all external IPs while whitelisting our internal IPs...but the way it worked out is if it wasn't whitelisted, the client simply got a 403. I'd like to just give the user a chance to authenticate if they're off campus.
You can use them in combination, but it's the most restrictive. If you turn on windows authentication, then you can stop whitelisting addresses and just let the authentication keep unwanted visitors out; of course they'll get the access denied screen. Then anyone outside of the campus can still authenticate.
Joshua Belden
I'm not sure I was clear. I would like to set it up so anyone on our campus is permitted immediate access through the anonymous user, without needing to authenticate. Anyone off-campus would have to authenticate. Right now, if I set up IP Address/Domain Name restrictions, anyone set up to be denied is simply denied, without the chance to authenticate. I know this seems superfluous, but this site is for some very non-technical people, so a small footprint is important.
There's got to be some clever way to set this up, but I'm not sure what it is. IIS is a bit limited on the surface; gonna have to dig. You'll probably need to head towards the code side of things. In my experience, the simpler you have to make it for users, the more complicated it gets for developers. Is it a big html app? Maybe rename them to .aspx and turn it into an asp.net app so you can use your web.config.
Joshua Belden
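As an added example (not from the answer or the asker), this is what the answer's advice looks like as IIS configuration. It assumes IIS 7 or later, where the system.webServer part of web.config is read by IIS itself and therefore applies to a pure-HTML site even though no ASP.NET code runs. The domain name CORP, the realm text and the IP address are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post. Assumes IIS 7+ (integrated
     pipeline). The authentication, access and ipSecurity sections are
     locked at the server level by default and must be unlocked before a
     site-level web.config may set them (see note below). -->
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <!-- Turn off anonymous access, as the answer suggests. -->
        <anonymousAuthentication enabled="false" />
        <!-- Integrated Windows Authentication: domain-joined browsers
             sign in silently with Kerberos (Negotiate) or NTLM, so the
             user never has to type a domain. -->
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <!-- Basic authentication only as a fallback for clients that cannot
             do Integrated auth; defaultLogonDomain supplies the domain so
             users type just their username. CORP is a placeholder. -->
        <basicAuthentication enabled="true"
                             defaultLogonDomain="CORP"
                             realm="Help Site" />
      </authentication>
      <!-- Basic sends the password in the clear (base64 only), so require
           HTTPS for the whole site whenever it is enabled. -->
      <access sslFlags="Ssl" />
      <!-- IP restrictions are evaluated before authentication: a denied
           address gets a 403 with no chance to log on, which is the
           behaviour described in the comments. With allowUnlisted="true"
           the list can only block; it never bypasses authentication. -->
      <ipSecurity allowUnlisted="true">
        <!-- constructed example address, blocked outright -->
        <add ipAddress="203.0.113.10" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Because these sections are locked by default, the same settings can be made in IIS Manager (which writes them to applicationHost.config), or the sections can be unlocked first with, for example, appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication and the matching commands for windowsAuthentication, basicAuthentication, access and ipSecurity. Note that the web.config in the question uses system.web, which only ASP.NET reads; that is why the answer says it is ignored for a static site.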