| Melvin, Tom 2004-05-24, 4:32 pm |
| We have a Windows 2000/IIS 5.0 Server for our Intranet. Essentially, anyone inside our organization can access the site with no security required [e.g. passwords, etc.]. We would like to open this up, and allow people on the outside. However, how do we set this up to prompt for a username and password? We would still like to have internal access be open, but outside access to have to log on. We're all set on setting up the firewall, and NAT, etc. We just need assistance with the SSL/Username-password piece.
Thanks in advance!
| |
| news.aspware.net 2004-05-25, 4:32 pm |
| Well, your password issue and the SSL issue are two different problems. The main thing SSL will do is provide a secure (encrypted) way to put in usernames and passwords. Go to verisign.com or Thawte.com for details on how to set up your server. Also, Microsoft has detailed information on Windows 2000 certificate serv. (Virtually nothing on Windows 2003 Web Edition though)
There are a couple of different ways to authenticate users. The first is easiest but will be harder to make the inside users login free and is a security issue in my opinion. The first way to secure a folder is to take off the anonymous settings from within IIS and then assign a custom group you created in advance from Active Directory. Now you have to add outside users to your Active Directory network and assign them to a custom group you created in Active Directory. HOWEVER, I don't like non-employees to have accounts in Active Directory, and it will probably require some advanced scripting to make it leave inside users alone.
The better way takes a bit more front end work in ASP or Java (possibly both) and can be scripted to determine the IP address the user is from and decide if they need to log on or not. There are numerous logon scripts available on the web for .asp and .net that will authenticate users against a SQL or Access database. You will have to add a few lines of code to get the IP address from the user's browser and compare the IP address of their browser with your internal IP address range. Every page that needs secured will have something like: (pretend your IP address range is 192.168.1.1 thru .255)
Pseudo code... It's rough but will get you started!
<%
' Put this at the top of every page that needs securing (not on the logon page itself).
Dim varAuthenticated, varLocalUser, browserIP, octets, isLocal
' Get the session variables and store them in local variables; unset values count as False.
' Assumes the logon page sets Session("authenticated") = True (Boolean) after a successful logon.
varAuthenticated = (Session("authenticated") = True)
varLocalUser = (Session("localUser") = True)
' Already logged on, or already known to be local: skip the check and run the page.
If Not varAuthenticated And Not varLocalUser Then
    ' Get the browser's IP address as seen by the server.
    browserIP = Request.ServerVariables("REMOTE_ADDR")
    octets = Split(browserIP, ".")
    isLocal = False
    ' Compare the last octet as a number; comparing whole addresses as strings sorts them alphabetically.
    If UBound(octets) = 3 Then
        If octets(0) = "192" And octets(1) = "168" And octets(2) = "1" And IsNumeric(octets(3)) Then
            isLocal = (CLng(octets(3)) >= 1 And CLng(octets(3)) <= 255)
        End If
    End If
    ' Remember the result so later pages skip the IP check for local users.
    Session("localUser") = isLocal
    If Not isLocal Then
        ' Outside the local range: send them to the logon page to get authenticated.
        Response.Redirect "./logonpage"
    End If
End If
%>
I hope this helps. I am really on a deadline and can't put a lot of time into it, but this should give you some hints.
"Melvin, Tom" <thomasmelvin@comcast.net> wrote in message news:O3JI6BaQEHA.4052@TK2MSFTNGP10.phx.gbl...
We have a Windows 2000/IIS 5.0 Server for our Intranet. Essentially, anyone inside our organization can access the site with no security required [e.g. passwords, etc.]. We would like to open this up, and allow people on the outside. However, how do we set this up to prompt for a username and password? We would still like to have internal access be open, but outside access to have to log on. We're all set on setting up the firewall, and NAT, etc. We just need assistance with the SSL/Username-password piece.
Thanks in advance!
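The page guard described in the reply above, written as a testable function and generalized to a list of CIDR ranges (an added example, not code from the thread; the names `INTERNAL_RANGES`, `pageGuard` and the session fields are assumptions). It assumes the address the web server sees is the client's real address rather than a NAT or proxy address, and it sends anything it cannot parse to the logon page.

```javascript
// The post's 192.168.1.1-.255 range expressed as a /24 (assumption).
const INTERNAL_RANGES = ["192.168.1.0/24"];

// Parse a dotted-quad IPv4 address into a 32-bit number; null if malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside the CIDR block, e.g. "192.168.1.0/24".
function inCidr(ip, cidr) {
  const [base, bitsText] = cidr.split("/");
  const bits = Number(bitsText);
  const addr = ipv4ToInt(ip);
  const net = ipv4ToInt(base);
  if (addr === null || net === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = Math.pow(2, 32 - bits); // number of addresses in the block
  return Math.floor(addr / size) === Math.floor(net / size);
}

// Decide what a protected page does for one request: "allow" or "logon".
function pageGuard(remoteAddr, session, ranges = INTERNAL_RANGES) {
  if (session.authenticated === true) return "allow"; // logged-on outside user
  const local = ranges.some((r) => inCidr(remoteAddr, r));
  session.localUser = local; // cached for later pages, as in the post
  return local ? "allow" : "logon";
}

// For contrast: the decision a plain string comparison of the bounds makes.
function stringCompareSaysLocal(ip) {
  return !(ip < "192.168.1.1" || ip > "192.168.1.255");
}
```

With string comparison an internal host such as 192.168.1.30 sorts after "192.168.1.255" and is treated as external, which is why the numeric check matters.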