| Author |
automating user security
|
|
| Bill Taylor 2005-02-04, 7:51 am |
| Currently our user base is small and someone emails us to have access to
restricted documents in a folder, we create the user name and password
(using Windows built-in security) and then mail it back to them.
We now want users to be able to create their own names and passwords.
What is the best way to provide password protected folders (available only
for authenticated users) and at the same time allowing users to create their
own accounts and passwords.
I know I can do it all with asp but I wondered if there was a simpler way to
do it.
Any help would be greatly appreciated.
Thanks
Bill
| |
| Jeff Cochran 2005-02-04, 6:00 pm |
| On Fri, 4 Feb 2005 04:13:02 -0800, "Bill Taylor" <Bill
Taylor@discussions.microsoft.com> wrote:
>Currently our user base is small and someone emails us to have access to
>restricted documents in a folder, we create the user name and password
>(using Windows built-in security) and then mail it back to them.
>
>We now want users to be able to create their own names and passwords.
Isn't that about as effective as just giving them access to everything
to begin with?
>What is the best way to provide password protected folders (available only
>for authenticated users) and at the same time allowing users to create their
>own accounts and passwords.
>
>I know I can do it all with asp but I wondered if there was a simpler way to
>do it.
Simpler like what? You could make them all administrators. You could
give them all a single login. But if you want to give users specific
access and control it, you can't really give them the ability to do it
themselves.
If you choose to, you may find an ASP script already written that you
just need to modify, try aspin.com or Google. And post in an ASP
group if you're stuck there.
Jeff
| |
| Bill Taylor 2005-02-04, 6:00 pm |
| Thanks for the somewhat un-helpful response.
To clarify:
I assumed we could let them create a name and password and then put them in
a group with limited access. I had no intention of giving them access to
everything.
Simpler like - not having to have an administrator enter the names and
passwords of 8,000 users but trying to automate the process without our
direct involvement.
Regarding a single login, gee, what would we do, change it every day when
someone leaves???
At last you said something useful and helpful - too bad it wasn't all you
said:
"If you want to give users specific access and control it, you can't really
give them the ability to do it themselves."
I don't understand why the sarcastic response at the beginning - I guess with
you there are always stupid questions.
Bill
"Jeff Cochran" wrote:
> On Fri, 4 Feb 2005 04:13:02 -0800, "Bill Taylor" <Bill
> Taylor@discussions.microsoft.com> wrote:
>
>
> Isn't that about as effective as just giving them access to everything
> to begin with?
>
>
> Simpler like what? You could make them all administrators. You could
> give them all a single login. But if you want to give users specific
> access and control it, you can't really give them the ability to do it
> themselves.
>
> If you choose to, you may find an ASP script already written that you
> just need to modify, try aspin.com or Google. And post in an ASP
> group if you're stuck there.
>
> Jeff
>
| |
| Tom Kaminski [MVP] 2005-02-04, 6:00 pm |
| "Bill Taylor" <BillTaylor@discussions.microsoft.com> wrote in message
news:C5CC19C1-7528-4AE5-B902-60542AC0F19A@microsoft.com...
> Thanks for the somewhat un-helpful response.
>
> I don't understand why the sarcastic response at the beginning - I guess with
> you there are always stupid questions.
In defense of Jeff (because he often gives excellent advice) this just shows
the limitations of written communications. While I see how you could take
his comments as sarcastic, I did not read them that way. Knowing Jeff, I
just saw them as more "matter of factual" in tone.
| |
| Jeff Cochran 2005-02-04, 8:53 pm |
| On Fri, 4 Feb 2005 11:01:08 -0800, "Bill Taylor"
<BillTaylor@discussions.microsoft.com> wrote:
>Thanks for the somewhat un-helpful response.
Sorry you see it that way.
>To clarify:
>
>I assumed we could let them create a name and password and then put them in
>a group with limited access. I had no intention of giving them access to
>everything.
>
>Simpler like - not having to have an administrator enter the names and
>passwords of 8,000 users but trying to automate the process without our
>direct involvement.
You said your user base was small...
>Regarding a single login, gee, what would we do, change it every day when
>someone leaves???
I'm still unclear. If a user can create their own login, what
difference is it if they use a common one? Are you going to manage
8,000 accounts for deleting them but not creating them?
Or if you need this in 8,000 individual logins, assign the permissions
to a group and put all users in that group. Unless the 8,000 users
don't have any accounts at all to start with, and you simply want to
allow them to create a new account, but then we're back to having no
real security again.
>At last you said something useful and helpful - too bad it wasn't all you
>said:
>
>"If you want to give users specific access and control it, you can't really
>give them the ability to do it themselves."
>
>I don't understand why the sarcastic response at the beginning - I guess with
>you there are always stupid questions.
Not always, usually just incorrect assumptions.
Okay, let's start again. You can do this, if you wish, in several
ways. It's not difficult, and not secure by any means. It also
depends on how many accounts you want to have.
One method would be to run an ASP (or ASP.NET) app under an
administrative account context, using ADSI to create and populate user
accounts. Another might be to create a text file based on a user's
input of name/password and run a scheduled command line to add the
user and set home directory, add permissions, etc. A third would be
to take this entirely out of the Windows authentication methods and
use your own database of users and access restrictions. See any forum
script in your choice of programming languages for examples of this.
It's still really unclear what you wish to do, but if all it's for is
restricting web site access I'd use method three. There's no real
restriction since a user can create an account at will, but at least
you can tie it to an email account by having them respond with an
emailed code or something. It doesn't get by them creating a free
throwaway account to get access, but you could restrict whatever free
email services you wish from signing up if need be for slightly more
control.
Again, any forum or portal script which has a user login does this,
feel free to choose whichever you want to study. There are dozens,
even hundreds of free ones out there.
Jeff
>"Jeff Cochran" wrote:
>
| |
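Method three from Jeff's reply above (the site's own user database, an account tied to an e-mailed code, an optional block on free e-mail services), as an added example that is not part of the original thread. It is written in Python rather than ASP, and every name, the sample domain and the in-memory `users` store are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed sample values; none of these names come from the thread.
BLOCKED_DOMAINS = {"freemail.example"}  # free-mail services refused at sign-up
TOKEN_TTL = 24 * 3600                   # seconds an e-mailed code stays valid
SERVER_KEY = secrets.token_bytes(32)    # signing secret (assumption: kept server-side)
users = {}                              # stands in for the site's own user database

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _sign(email, expires):
    return hmac.new(SERVER_KEY, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()

def register(email, password, now=None):
    """Store an inactive account; return the code to e-mail to that address."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("invalid e-mail address")
    if domain in BLOCKED_DOMAINS:
        raise ValueError("sign-up refused for this e-mail domain")
    if email in users:
        raise ValueError("account already exists")
    salt = secrets.token_bytes(16)
    users[email] = {"salt": salt, "hash": _hash(password, salt), "active": False}
    expires = int(now) + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"

def confirm(email, code, now=None):
    """Activate the account only if the code is unexpired and signed for this address."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    expires, _, sig = code.partition(".")
    if email not in users or not (expires.isascii() and expires.isdigit()):
        return False
    good = hmac.compare_digest(sig.encode(), _sign(email, int(expires)).encode())
    if not good or int(expires) < now:
        return False
    users[email]["active"] = True
    return True

def login(email, password):
    rec = users.get(email.strip().lower())
    if rec is None or not rec["active"]:  # unconfirmed accounts cannot log in
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))
```

The code returned by `register` is meant to be sent only to the address given, so an account becomes usable only by someone who can read that mailbox.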
| Bill Taylor 2005-02-05, 5:49 pm |
| Thank you for the reply and let me start again to clarify.
Current situation is we have a subset of about 300 users accessing a
restricted folder on our web site. A user who wishes to access the site must
be a "member". They request access and we have an administrator login to the
site, create an account with a password, add them to a group (who has access
to the restricted area) and then email the user the login info. Even at this
level (300 users) the admin thinks it is too much work. In this scenario it
works well - we use windows security (which is more than flexible enough for
our needs) and with this level of users it doesn't take much time to manage.
Now the company will be opening up the restricted area to a larger subset of
our users (we estimate about 8,000). To the current admin this will be a
nightmare (I don't think so but then I don't have to do it). Changes would
only be a few a day (I would guess).
What I am trying to do is retain the Windows security (which is easier for
me and ultimately easier for the web designer and content providers since
security will not be something they have to touch). What I would like to do
is keep the Windows security but at the same time control it through ASP
coding. I was under the impression one could at the command prompt create
users, passwords, add users to a group as well as delete users. So I am
trying to keep what works well but then make it dynamic in some way so the
user manages their own info.
So I guess my real question is can one dynamically create and manage windows
users with ASP code so that I can retain the original Windows security and
not have to code what would be perhaps hundreds or maybe even a thousand
documents in a secure way.
I know I can do it programmatically (with ASP at least) but I'm not sure if
it will be as secure and it may be a lot more work.
I hope this explains it a bit more.
Bill
"Jeff Cochran" wrote:
> On Fri, 4 Feb 2005 11:01:08 -0800, "Bill Taylor"
> <BillTaylor@discussions.microsoft.com> wrote:
>
>
> Sorry you see it that way.
>
>
> You said your user base was small...
>
>
> I'm still unclear. If a user can create their own login, what
> difference is it if they use a common one? Are you going to manage
> 8,000 accounts for deleting them but not creating them?
>
> Or if you need this in 8,000 individual logins, assign the permissions
> to a group and put all users in that group. Unless the 8,000 users
> don't have any accounts at all to start with, and you simply want to
> allow them to create a new account, but then we're back to having no
> real security again.
>
>
> Not always, usually just incorrect assumptions.
>
> Okay, let's start again. You can do this, if you wish, in several
> ways. It's not difficult, and not secure by any means. It also
> depends on how many accounts you want to have.
>
> One method would be to run an ASP (or ASP.NET) app under an
> administrative account context, using ADSI to create and populate user
> accounts. Another might be to create a text file based on a user's
> input of name/password and run a scheduled command line to add the
> user and set home directory, add permissions, etc. A third would be
> to take this entirely out of the Windows authentication methods and
> use your own database of users and access restrictions. See any forum
> script in your choice of programming languages for examples of this.
>
> It's still really unclear what you wish to do, but if all it's for is
> restricting web site access I'd use method three. There's no real
> restriction since a user can create an account at will, but at least
> you can tie it to an email account by having them respond with an
> emailed code or something. It doesn't get by them creating a free
> throwaway account to get access, but you could restrict whatever free
> email services you wish from signing up if need be for slightly more
> control.
>
> Again, any forum or portal script which has a user login does this,
> feel free to choose whichever you want to study. There are dozens,
> even hundreds of free ones out there.
>
> Jeff
>
>
>
>
|