Intranet Design Question
Paul -- Whitmont 2005-01-24, 5:52 pm
Hi all,
Question. We are building a new intranet for the company. Management wants
people to be required to login when they hit the website from either internal
or at home (intranet.company.com etc..)
For security reasons, the IIS box is a standalone system in the DMZ with no
reference to our internal network.
What do you all suggest we do to accommodate this request? What is
considered "best practice"?
We can either 1. use AD or 2. use a locally stored database of users which
is a pain to manage, but we could..
Hope this explains our situation, thanks in advance for any advice, or
suggestions.
Regards,
Paul
Leythos 2005-01-24, 5:52 pm
In article <B056E806-81F5-49AF-A240-487BE9ABF2D6@microsoft.com>,
PaulWhitmont@discussions.microsoft.com says...
> Hi all,
>
> Question. We are building a new intranet for the company. Management wants
> people to be required to login when they hit the website from either internal
> or at home (intranet.company.com etc..)
>
> For security reasons, the IIS box is a standalone system in the DMZ with no
> reference to our internal network.
>
> What do you all suggest we do to accommodate this request? What is
> considered "best practice"?
>
> We can either 1. use AD or 2. use a locally stored database of users which
> is a pain to manage, but we could..
There is not much reason to have the server in the DMZ if you are going
to allow access to the domain for authentication.
You should export the user list from the AD structure and import it into
a small table - give users a unique base password (unique to each user)
and have your web app, from an administrative interface, email the user
their user name and password using the information in the table with a
link to the logon site. When they logon give them a menu with a menu
option that lets them change their password and email address.....
Sure, it means they will eventually have two passwords, but their user
names are going to be the same, and they can manage it on their own.
You don't actually have to use a database, you could store the info in
an XML file since it would not have many columns.
> Hope this explains our situation, thanks in advance for any advice, or
> suggestions.
Yea, it's a PITA, but you don't want a public web server connecting to
the LAN.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Jeff Cochran 2005-01-25, 8:47 pm
On Mon, 24 Jan 2005 10:29:02 -0800, "Paul -- Whitmont"
<PaulWhitmont@discussions.microsoft.com> wrote:
>Question. We are building a new intranet for the company. Management wants
>people to be required to login when they hit the website from either internal
>or at home (intranet.company.com etc..)
>
>For security reasons, the IIS box is a standalone system in the DMZ with no
>reference to our internal network.
Then it's awfully tough to access the domain accounts for logins isn't
it?
>What do you all suggest we do to accommodate this request? What is
>considered "best practice"?
>We can either 1. use AD or 2. use a locally stored database of users which
>is a pain to manage, but we could..
Take your pick. Either works. You have an increased management cost
to offset the increase in security risk, if any.
>Hope this explains our situation, thanks in advance for any advice, or
>suggestions.
If you host the intranet on a DMZ it's hard to get the full use of it
internally. And it's just as hard to deal with it as an external
system accessing internal resources. Best is to put the intranet
server internally and use domain security, then use VPNs for the
client connections through the firewall.
Jeff
"You don't actually have to use a database, you could store the info in an
XML file since it would not have many columns."
How do you do this? Sorry if the answer is very simple but I am new to
this. Any help is appreciated.
"Leythos" wrote:
> In article <B056E806-81F5-49AF-A240-487BE9ABF2D6@microsoft.com>,
> PaulWhitmont@discussions.microsoft.com says...
>
> There is not much reason to have the server in the DMZ if you are going
> to allow access to the domain for authentication.
>
> You should export the user list from the AD structure and import it into
> a small table - give users a unique base password (unique to each user)
> and have your web app, from an administrative interface, email the user
> their user name and password using the information in the table with a
> link to the logon site. When they logon give them a menu with a menu
> option that lets them change their password and email address.....
>
> Sure, it means they will eventually have two passwords, but their user
> names are going to be the same, and they can manage it on their own.
>
> You don't actually have to use a database, you could store the info in
> an XML file since it would not have many columns.
>
>
> Yea, it's a PITA, but you don't want a public web server connecting to
> the LAN.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
>
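One way to build the small XML user table Leythos describes and that the follow-up asks about, as an added example that is not code from the thread or from IIS: one element per user, a self-service password change, and, as the one departure from the thread's wording, a per-user salted PBKDF2 hash stored in the file instead of the password itself. Element and attribute names, the iteration count and the sample users are assumptions.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Hypothetical layout: <users><user name=".." email=".." salt=".." hash=".."/></users>
# Keep the file outside the web root so IIS can never serve it as content.
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; raise as the hardware allows

def hash_password(password: str, salt: bytes) -> str:
    """Salted, iterated hash: the plaintext password is never written to the file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()

def new_store() -> ET.Element:
    return ET.Element("users")

def find_user(root: ET.Element, username: str):
    # Attribute comparison, not a string-built XPath, so user input cannot alter the lookup
    return next((u for u in root.findall("user") if u.get("name") == username), None)

def add_user(root: ET.Element, username: str, email: str, password: str) -> None:
    if find_user(root, username) is not None:
        raise ValueError("duplicate user name")
    salt = os.urandom(16)  # fresh per-user salt so identical passwords hash differently
    ET.SubElement(root, "user", name=username, email=email,
                  salt=salt.hex(), hash=hash_password(password, salt))

def verify_login(root: ET.Element, username: str, password: str) -> bool:
    user = find_user(root, username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # spend the same time for unknown names
        return False
    computed = hash_password(password, bytes.fromhex(user.get("salt")))
    return hmac.compare_digest(computed, user.get("hash"))

def change_password(root: ET.Element, username: str, old: str, new: str) -> bool:
    """The menu option from the thread: re-authenticate first, then re-salt and re-hash."""
    if not verify_login(root, username, old):
        return False
    user = find_user(root, username)
    salt = os.urandom(16)
    user.set("salt", salt.hex())
    user.set("hash", hash_password(new, salt))
    return True

def to_xml(root: ET.Element) -> bytes:
    """Serialise for disk; ET.ElementTree(root).write(path) does the same to a file."""
    return ET.tostring(root, encoding="utf-8")

def from_xml(data: bytes) -> ET.Element:
    return ET.fromstring(data)
```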