I posted this question here before: https://security.stackexchange.com/questions/34405/iis-7-5-impersonation-threat but I thought I would try it here as well if that's ok.
I am using IIS 7.5 and I want to impersonate users for my different applications in an intranet environnement. To do so, I am considering using the asp.net mechanism with the user/password in the web.config (encrypted), but I'm unsure about some possible threats. I'll explain it with a concept (I know my example is useless but it represents my situation so please bear with me)
Let's say that I have 2 directories:
One empty directory (DirectoryA) that permits access to all users (ntfs permissions) and that contains a web.config that impersonates UserA
One directory (DirectoryB) containing a web site that I want to restrict access to, which also contains a web.config that impersonates UserA (same user as DirectoryA, not a typo)
To have the impersonation going on DirectoryB, I need to give ntfs permission allowing UserA in DirectoryB.
My question is: is it possible for someone to access DirectoryA (which will impersonate him as UserA) and then somehow access the site on DirectoryB using the impersonated UserA? If it is, how?
Thanks for any insight
Both process don't communicate with each other, so it is not possible for DirectoryA to communicate with DirectoryB unless a programmer code it like it.
Is it possible for someone to access DirectoryA (which will
impersonate him as UserA) and then somehow access the site on
DirectoryB using the impersonated UserA? If it is, how?
The only way that it could be possible is if DirectoryA specifically implement a feature that access DirectoryB directly. Otherwise it is safe.
However, you should really use a different identity for each process since the DirectotyB webSite will access its resources with UserA identity. Someone could use DirectoryA webSite to access the same resources used by DirectoryB....if it is coded so.
Related
Apologies in advance for sounding naive but I am new to this and stuck since days to no good.
I have set up LDAP on apache web server using below link and it is working good.
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
I am able to login to the application using a valid account in the directory. Now I want to create a non-ldap user (common user for API access) that can be allowed access through the web server? Is it possible? How?
I would strongly advise to create API accounts in your Active Directory. (in the company I work for, we use that and call them service accounts)
Centralizing access is the best practice, if you start mixing authentication methods in your application/website it can quickly become a nightmare of spaghetti code to maintain.
Centralizing access also improves security by allowing you to manage access in a single place.
If you do not want to go this way, you have the possibility to create a secondary authentication method through local users that would be stored in a database.
If you go this way, please do not store passwords in a non-encrypted way. Look for the following functions: password_hash and password_verify. When using SQL to transact with your database, make sure you do not end up with SQL injection, it can be disastrous to have SQL Injection in your login script.
I want to create a web page, that will serve to authenticate users based on credentials I give them (user1, pswd1 etc).
Only after a user authenticated, he should have access to a few other web sites,
on different folders of the web server, but which have no server side code(otherwise it would be simple.)
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open on his browser.
The purpose if that the user will not have to enter credentials on each site,
and will enter his credentials only once, or once a day.
Restrictions:
I don't want to modify the target web site javascript code at all, e.g. to query a web service.
The user should be granted access using any browser,
so I assume I cannot use cookies.
If I would develop such a mechanism on Apache,I could, for example, have the authentication site PHP code add a line "Allow from ip" to the htaccess file of each target web folder, whenever a user authenticated successfully.
The issue is that I don't want to develop it as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although i can live with two different solutions)
What information does the user have to identify themselves? How do you guarantee the user is who they say they are?
The whole point of authentication is to establish the user is who they say they are and that may create a session so that users need not reauthenticate.
If you want the user to authenticate in a single location and then reuse that "session" or set of credentials elsewhere, what you are looking for is single-sign-on / identity federation.
For instance, take airbnb.com. I do not need to authenticate there. All I have to do is authenticate with a third-party e.g. Google or Facebook. As a matter of fact, SO works in the same way.
One of the standards behind this technique is called Open ID Connect. Look into that. If you are willing to dish out money, you can look into commercial solutions e.g. Ping Identity. There is an open source implementation provided by Mitre / the MIT. It's available here.
In fact it occurs to me I can use simple routing.
In the top level folder have php code that does the authentication.
If the user is authenticated, route/redirect to the requested target site,
based on the requested url.
The url should be for example http://mysite/site1, where the authentication code is in the folder mysite, and site1 is not directly accessible.
Perhaps I can use something like php-express to reuse the same php code on node.js.
Hi and thanks in advance,
I am looking for industry best practice or a ready made app to store and share passwords for for network resources.
My current situation is that I have a number of people that need to access applications as a specific superuser in order to access some features of these applications. The applications are third party build and cannot be changes to grant access to the required features for anyone but the superuser account. Normal admin accounts have elevated rights but things like creating accounts have to be done via the superuser account.
For security reasons I would like to periodically change the superuser accounts' password. Because of the number of people that need to be able to log in as superuser changing the password would be problematic and a logistical nightmare.
I'm looking to purchase or create an application that would:
Track who is looking up the password and to what resource
Allow me to specify what passwords a user can retrieve
The data should be stored and transmitted ultra securely
Preferable this would be an on-line application (I have Mac and Windows clients)
Keypass is great for this kind of thing. It provides a strong encrypted database of passwords and secure information. This can be accessed share via svn/dropbox/fileshare implementations using a master password.
This is more for a master database of secure data you can set up additional databases, maybe per user, but it starts to get a little away from what it's deigned for.
I would do a C# app that checks with a web service if the user can run the app and with what permissions, it would then be sent the encrypted credentials for a 1 time run, the service would log the request. This would all have to be done securely, so the service would use SSL and preferably certs between the systems. You have a good bit of research here to figure this all out, and you might have to use Java if you want mac... but I dont know how well that can launch apps as other users.
Solution #2 would be to use KeePass. You will have to be creative.
I'm new to WIF - sorry in advance if my questions seems to be very basic...
I have a 1 WebSite lets say localhost that require username/password authentication. Access to //localhost/ForSecuredClientsOnly should require only client certificate to access the site.
AFAIK client certificates authenticaion is handled by IIS, how should I handle this problem if I want to use STS?
My ideas:
Use 1 STS, set IIS to Accept certificate (not to require) and read certificate in STS and figure out whether user can access the resource.
I was reading through http://msdn.microsoft.com/en-us/library/ff359105(v=PandP.10).aspx and
http://blogs.msdn.com/b/eugeniop/archive/2010/04/03/wif-and-mvc-how-it-works.aspx but when I'm already logged in to //localhost and try to access //localhost/ForSecuredClientsOnly STS thinks that I'm a valid user.
I'm returning new Redirect result from ForSecuredClientsOnly (path from SignInRequestMessage, since user does not belongs to group X) but the realm is always: //localhost/ (probably it's expected behaviour and reason why user is authenticated ...)
Use 2 STSs and move //localhost/ForSecuredClientsOnly to //securedClients.localhost. I don't really like idea of having 2 STSs though
Have 1 STS and create to websites pointing to the same STS. I hope that then in STS I'll see that sign-in request is going from different realm and then perform either username/password of client certificate authentication? I would also prefer not to use that option since it's not ideal if I need to create new website per section of the site that requires different authentication.
Questions:
I would like to make idea number 1 working but how can I pass different realm depending on site subsection, I see that I can set HomeRealm property on SignInRequestMessage but how can I later read it in STS? (User.Identity.IsAuthenticated is always true in STS if I already logged in to //localhost).
Should I be using HomeRealm at all to distinguish between site sections?
If you have ideas what's the best approach to read and validate client certificate in STS please let me know. Currently I'm thinking that I should check whether certificate Thumbnail is one of the certificates that I'm allowing - store collection on client certificate Thumbnails in database?
I appreciate all your input.
I think it will be worth looking at the Starter STS community project at Codeplex.
Is it possible to access a sharepoint web service without authenication? If you can't do it directley can you think of any ways to get round it such as haveing an open service inbetween that does authenicate for you using a public account.
John,
The security model of the web application through which you're trying to access the web service in question is going to drive whether or not you can access the service anonymously. If you're attempting to access the web service through a web application on which anonymous access is enabled, then you'll be able to hit the web service. Go ahead and try this on an anonymous site (if you have one): http://yoursitehere/_vti_bin/lists.asmx. You'll get the friendly service page back, no auth required.
Here's the catch: once you traverse the web service layer, you've got another layer of security to deal with. SharePoint itself is going to want to check permissions for access via the web services just as it normally would, so unless you are attempting an operation or trying to access data that is allowed for anonymous users, you're going to get blocked.
You have a handful of options:
Simply ensure that everything you're trying to do is permitted anonymously. This may sound easy, but it can actually be pretty difficult for anything but the simplest and straightforward of operations. Most organizations, too, don't care for opening things up to this extent.
If you control the code that's calling the web service, then you have the ability to attach credentials to the web service request. I recommend starting here, as it is going to make things a lot easier than trying to throw everything wide open. Plenty of examples exist on attaching credentials to a web service proxy (e.g., http://msdn.microsoft.com/en-us/security/cc178918.aspx)
Finally, you could write your own web service that wraps the SharePoint web service (or services) of interest. You could permit anonymous access to your web service and then adopt an appropriate security context within your own service to access SharePoint with the required permissions level.
I hope this helps!
Sean
I don't think you can, most actions the webservices perform need an explicit user with the correct permissions set. If both sites are internal, your options might include
Using automatic NTLM authentication, give the complete Authenticated Users group the necessary acecss. Using IE or the proper extensions to FireFox credentials will be automatically passed without user prompting. Your mileage may vary.
Passing the proper credentials to a default user explicitly in the call to the webservice
from that other website.
If you feel creative, here is a blog from Reza Alirezaei where he walks through the steps of mapping the anonymous user onto a specific account. If you manage to give that acount the proper permissions, you are there. Not for the faint of heart, though.