WebApp Sec mailing list archives

RE: Prevent security bypass

From: "TUER, DON" <don.tuer () cgi com>
Date: Thu, 6 Feb 2003 09:49:00 -0500

Number one recommendation is to upgrade to ASP.NET. It has build in form
authentication and can secure pages at any level. 

-----Original Message-----
From: Mark Mcdonald [mailto:m.mcdonald () cgl com au] 
Sent: February 4, 2003 7:08 PM
To: 'Chris Neil'
Cc: 'webappsec () securityfocus com'
Subject: RE: Prevent security bypass

Here's one method of securing through IIS:

* Open up Internet Service Manager
* Find the directory or file(s) you wish to secure (they can been
anything
from txt to pdf to html to whatever) in the tree on the left-hand side
(if a
directory - right-hand side for individual file lock-down)
* Right-click the directory / file and select Properties
* If securing a file, select the File Security tab, if securing a
directory,
select the Directory Security tab
* Select the Edit button in the top third of the property sheet
* Modify the security here
        I suggest turning off Anonymous access if you want to secure the
documents, and turning on Challenge/Response (NTLM) authentication if
you're
users are all logged in on the network, or using Basic authentication if
you
wish for a username/password dialog to prompt them.  Make sure all the
accounts you wish to access it have accounts in the specified domain.

HTH!
Mark.

        Mark McDonald | CGL
                it | web developer

-----Original Message-----
From: Chris Neil [mailto:Chris.Neil () abs-ltd com]
Sent: Wednesday, February 05, 2003 1:00 AM
To: 'webappsec () securityfocus com'
Subject: Prevent security bypass

I am new to this mailing list and so hope this conforms to the
guidelines as
I read them.

How do people address the issue of non-authenticated users requesting
html
pages directly from a site without logging in?

FYI. This is an IIS server. Our asp pages check the user is logged in,
but
with html pages we cannot.
My only idea so far is to convert all our html pages to asp. Is there
anything less drastic?

Chris Neil
  Security Officer
  Chris.Neil () abs-ltd com
-------------------------------------------
ABS 
  Tel:     +44 (0) 1993 771221
  Fax:    +44 (0) 1993 775081
-------------------------------------------

******************************* DISCLAIMER
****************************** 
This e-mail and any attachments to it are confidential. 
If you receive them in error, please tell us immediately and delete
them. 
You must not retain, distribute, disclose or otherwise use any
information
contained in them. 

Before opening or using any attachments with this e-mail you should
check
them for viruses and other defects. The sender does not warrant that
they 
will be free from computer viruses or other defects.
************************************************************************
*

Current thread:

HTTP Header and POST Data Exploitation, (continued)
- - - HTTP Header and POST Data Exploitation Rahul Chander Kashyap (Feb 08)
    - RE: HTTP Header and POST Data Exploitation Indian Tiger (Feb 09)
- Re: Prevent security bypass Ken Rachynski (Feb 04)
- RE: Prevent security bypass David Cameron (Feb 04)
  - RE: Prevent security bypass Vinny Bedus (Feb 05)
    - Re: Prevent security bypass Chris Travers (Feb 05)
- RE: Prevent security bypass Logan F.D. Greenlee (Feb 05)
- RE: Prevent security bypass Kim Christiansen (Feb 05)
- RE: Prevent security bypass Mark Mcdonald (Feb 05)
  - Re[2]: Prevent security bypass M. Austin Hill (Feb 05)
  - RE: Prevent security bypass TUER, DON (Feb 06)
    - Re: Prevent security bypass Alex Russell (Feb 06)
    - Re: Prevent security bypass Adrian Wiesmann (Feb 06)
    - Re: Prevent security bypass Chris Travers (Feb 07)
- RE: Prevent security bypass David Mowers (Feb 07)
- Re: Prevent security bypass Scott Mulcahy (Feb 12)