Intranet/Extranet Security

Status
Not open for further replies.

bigfoot

Programmer
May 4, 1999
1,779
US
I have an Intranet/Extranet running asp applications on a corporate network behind the company firewall on an NT domain. I would like to use Windows Authentication to verify users’ identities for tracking / security purposes.

Originally, when users entered the site, the page checks for a Session Variable called “verified=Inside”, or “verified=Outside”. If not present, it redirects them out of the site.
We now purchased a name and connected it to our firewall/site.

Now it’s too easy to get into the site.

How do I set up the site to be secure? Windows Challenge & Response?

From the outside, I want all users to go through a login page. From the inside, I want all my users to bypass this page and get into the Intranet.

Can anyone help me sort out this mess? I am using NT 4.0 and IIS 4.0.

Thanks, Gary
 
Why? What's the deal with Windows Challenge & Response?
 
To prevent users from having to fill out that irritating domain login and password for every intranet site you can use the following:
In IIS choose the properties of your virtual directory -> directory security -> click the top edit button (next to the text enable anonymous access and edit ....) -> leave only the bottom one and do not select the top 2 (Windows NT Challenge/Response).

In your asp page you can now check if someone is allowed to see the page or not with the following code:

<%
' Deny the page to any user whose Windows account has no NTFS access to authorize.txt
dim objDir
dim objFileSys
dim objSub
dim objFile
dim objChk
dim intCounter
set objChk = server.CreateObject("MSWC.Permissionchecker")
set objFileSys = Server.CreateObject("Scripting.FileSystemObject")
' The GetFolder path is cut off in the original post; the folder is not used by the check below
' set myDir = objFileSys.GetFolder("C:\Inetpub\
set objFile = objFileSys.GetFile(request.servervariables("APPL_PHYSICAL_PATH") & "authorize.txt")
' HasAccess tests the rights of the account the request is running under
if not objChk.HasAccess(objFile.Path) then
' Quote the target so the browser treats it as a URL string
response.write "<body onLoad=""window.location='myothersite.htm'"">"
response.end
end if
set objChk = nothing
set objFileSys = nothing
set myDir = nothing
set objFile = nothing
%>

The file C:\Inetpub\ decides who has access and who has not.
Just give the groups who have access to see a page some access to the file (full control is not needed just read is fine).
 
Is this secure?
If I'm coming in from the outside, how does the machine know me if I don't login?
 
What do I put into authorize.txt? The group name?
 
You do not put anything in the authorize.txt, you use winnt security.
In the explorer (explorer.exe) you right click the authorize.txt and select properties -> security -> remove all users (uncheck the Allow inheritable permissions from parent to propagate to this object) -> add the appropriate groups (read permission will do fine).

Good luck.
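
The check described in the two posts above, written as a page guard that first requires an authenticated Windows identity and then lets the NTFS ACL on authorize.txt decide. This is an added example, not code from the thread; the session key `verifiedUser` and the denial message are hypothetical, and it assumes authorize.txt sits in the application root.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' Added example, not code from the thread. Assumes authorize.txt is in the
' application root and its NTFS ACL grants Read only to the permitted groups.
Response.Buffer = True   ' nothing reaches the browser until the checks pass

Dim strUser, strAclFile, objChk

' 1. Require an authenticated identity. LOGON_USER is empty when IIS served
'    the request anonymously; answering 401 makes the browser authenticate
'    with whichever methods are enabled on the directory.
strUser = Request.ServerVariables("LOGON_USER")
If strUser = "" Then
    Response.Status = "401 Unauthorized"
    Response.End
End If

' 2. Let NTFS decide: can this account read the marker file?
strAclFile = Request.ServerVariables("APPL_PHYSICAL_PATH") & "authorize.txt"
Set objChk = Server.CreateObject("MSWC.PermissionChecker")
If Not objChk.HasAccess(strAclFile) Then
    Set objChk = Nothing
    Response.Clear
    Response.Status = "403 Forbidden"
    Response.Write "Access denied for " & Server.HTMLEncode(strUser)
    Response.End
End If
Set objChk = Nothing

' 3. The server-verified account name is now available for tracking.
'    "verifiedUser" is a hypothetical session key.
Session("verifiedUser") = strUser
%>
```

While anonymous access is enabled on the directory, a request that has not authenticated runs as the anonymous account, so HasAccess evaluates that account's rights to the file; the 401 in step 1 is what forces a real identity first.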
 
Why not just create one site (virtual site only) using an IP from your internal site and leave that open to your in house users. Then use your external IP (accessible from the outside world) to set up another site (virtual site pointing to the same directory as the first). If you set your IIS settings right you can force the outside users to enter their login. Make sure you create a group like "WebUsers" and put only the people you want to have access to your site. Then make sure that this group only has read access to your web folders. This will protect you on the IIS side as well as the file side as you will be using local permissions. Make sure you have your drive set up as NTFS too.
 
I like that the best. Where can I find information on what settings to use?

I used Windows Challenge & Response, but that doesn't work on Netscape, or AOL.

I wanted to use NT's security, not an outside database, but I also like BeSecure's answer too.
I could not get harmmeijer's code to lock me out.
 