IIS Server Security, Please help, directory level protection needed.

I am trying to implement a secure software update directory. My
application checks for and retrieves updates via http from a directory on
our web server. All this works fine, but there is no security. I want to
protect the directory so that any http request will require basic
authentication.

I have done this before at another company that used an Apache server, and
all that was required was creating a .htaccess file that authenticated
users in a SQL database.

The new company uses IIS, and our webmaster does not know how to accomplish
this functionality. He does have ASP protected pages, but they are
protected via a query in the ASP code. In my case I want to protect all
files in the directory, which are mostly binary files. We already have a
database that has all of the registered users in it, so all I really need
is some way to tell IIS to use the database. Our "webmaster" has already
indicated that creating Windows user accounts for all the users is not an
option...

I am hoping that someone can point me to some documentation that I can give
to our "webmaster".

To me this doesn't sound like it should be that difficult?

ctually, neither Apache nor IIS natively implement the feature you are
talking about.

Apache uses addon modules to implement the functionality and the
configuration is in .htaccess. The author of those modules happen to just
give away the source code for free, so it frequently comes bundled with
Apache.

Many 3rd party vendors have also implemented addon modules for IIS to
implement the functionality with various configuration choices. Their
modules need to be purchased.

I have not found a freely available module to do this on IIS. On IIS6, we
have sample code illustrating other concepts that do about 90% of the work,
but no one has released a free add on module to lookup username/password
securely from a database/file. Even after I posted sample code modification
showing how to lookup username/password from a file with exact lines of code
to change/insert.


FYI: the protection mechanism you are asking for is not terribly secure.
Namely, there is no real user-identity in the underlying OS; you rely on the
Web Server to implement a check to control access. If anyone else happens to
compromise the Web Server, they instantly have access to the resources you
are trying to protect

Meanwhile, using real user identities in the filesystem (something IIS
natively supports), you rely on someone actually authenticating correctly to
control access. If anyone else happens to compromise the Web Server, they do
not have access to this protected content since they did not compromise the
real user identity -- only the web server's identity. On a server like IIS6
where the web server's identity is unprivileged, the server remains secured
even if a worker process gets compromised.

This is the fundamental difference between the two approaches.


Regarding your problem statement:

Basic authentication passes username/password over the network in clear
text, so it is not secure and is counter to your desire to "protect" the
directory.

Furthermore, I do not understand why you need authentication for a "secure
software update directory". I presume users will be downloading their
patches from this "secure software update directory". Why do users even need
to authenticate? You want them to be able to download patches, right? Or is
your program unsecured, so access to this "secure software update directory"
is equivalent to free download to your (possibly licensed) software program,
so you need to control who can access this directory.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Fred Hebert" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...
I am trying to implement a secure software update directory. My
application checks for and retrieves updates via http from a directory on
our web server. All this works fine, but there is no security. I want to
protect the directory so that any http request will require basic
authentication.

I have done this before at another company that used an Apache server, and
all that was required was creating a .htaccess file that authenticated
users in a SQL database.

The new company uses IIS, and our webmaster does not know how to accomplish
this functionality. He does have ASP protected pages, but they are
protected via a query in the ASP code. In my case I want to protect all
files in the directory, which are mostly binary files. We already have a

Here is how we do it:
http://www.flicks.com/shop.htm #authnx




I am trying to implement a secure software update directory. My
application checks for and retrieves updates via http from a directory on
our web server. All this works fine, but there is no security. I want to
protect the directory so that any http request will require basic
authentication.

I have done this before at another company that used an Apache server, and
all that was required was creating a .htaccess file that authenticated
users in a SQL database.

The new company uses IIS, and our webmaster does not know how to accomplish
this functionality. He does have ASP protected pages, but they are
protected via a query in the ASP code. In my case I want to protect all
files in the directory, which are mostly binary files. We already have a
database that has all of the registered users in it, so all I really need
is some way to tell IIS to use the database. Our "webmaster" has already
indicated that creating Windows user accounts for all the users is not an
option...

I am hoping that someone can point me to some documentation that I can give
to our "webmaster".

To me this doesn't sound like it should be that difficult?

On Thu, 05 May 2005 12:21:08 -0700, Fred Hebert < XXXX@XXXXX.COM >



It's not. It's just that it's not how IIS or Windows funtions. Using
Windows authentication and Windows accounts this is a snap, but using
your own database means you roll your own security. And it also means
you likely won't be very secure.

There are a number of commercial components that do this, check
Google.

Jeff

Another solution could be IISPassword
( http://www.troxo.com/products/iispassword/ ) works like .htaccess in
apache with config file and everything.

We are just starting to use it on our servers as it saves having to add
useraccounts and seems to work fine.

David Wang [Msft]" < XXXX@XXXXX.COM > wrote in
news: XXXX@XXXXX.COM :


The bottom line is that Apache/php easily does what I want for free.


The bottom line it's going to cost me.


So you think we should add 40,000+ non-employee user accounts? How much
would that licensing cost us? And of course letting sales people and the
web server manage these accounts is "secure", or do I need to hire an
additional administrator?


We have this new thing called SSL...


Actually the app checks for updates and downloads them via ssl. The
customer does not have direct access to the updates.

Most companies, already have a customer database and it is relatively
easy to query that database to determine if a user is valid and grant
access to the files they need. The web server is doing the query through
a very restricted account and the "customer id" has no access to any of
our systems.

The mechanism is very secure. I have implemented it at other locations
with great success and NO security issues. Fortunately none of these
customers used IIS, so it only took about 10 minutes to set up.

Anyhow the short, and correct answer to my question is:

IIS can't do it, I need to BUY a 3rd party tool or roll my own.

Tip: answer the question asked, don't comment on things you are not
familiar with, feel free to offer tips, alternate solutions, point out
potential problems, or ask for clarification but don't assume...

No need to answer the above questions, I am just going to write my own
ISAPI download manager. I was just looking for a quicker and easier way.
The last time I had to deal with IIS was 6 years ago, and I see nothing
has changed...

Thanks for the info, but I was hoping not have to buy anything.

"Joe Iano" < XXXX@XXXXX.COM > wrote in

@g14g2000cwa.googlegroups.com:


Thanks, that looks pretty interesting and it is cheaper than another
solution I had looked at.

gt; Tip: answer the question asked, don't comment on things you

Tip: Most newsgroup "questions" have insufficient/incorrect/improper detail
and the author frequently asks for some solution when it is unclear that it
even solves the supposed problem (which is also frequently unstated). Your
question included since you finally gave more necessary details the second
time around.

Given that I do this on my own free time to answer questions that people get
paid for and in general answer a hostile crowd, I have two choices:
1. Just answer the question, being aware that I may need to keep answering
questions as the author figures out (or doesn't figure out) what to do
2. Probe and find the actual problem, and give the solution to that

You just want answers fast, so you propose that I do #1, while I get to
choose #2 because I want to answer *real* questions and not waste time with
incomplete questions. Both approaches have its merits.

Every once in a while, someone who is clueful about what they are doing get
offended by my line of questioning, but I'm willing to risk it and explain
myself later since that's the 1% case.

You basically want a many-to-one mapping of user accounts (that's what
Apache does by default), while IIS defaults to one-to-one mapping of user
accounts -- the fundamental difference between the two web servers when it
comes to authentication -- hence if you want many-to-one mapping, you have
to buy or write your own (absent someone donating a version to the
community).

Why don't you just ask the right question? You see the answer can be much
more concise. I cannot read your mind; I can only read what you have written
and try to infer as much as I can.



If you happen to have ISAPI questions, they should be posted to
microsoft.public.platformsdk.internet.server.isapi-dev. And be prepared to
precisely explain what you are trying to do and where you have problems.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Fred Hebert" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...
"David Wang [Msft]" < XXXX@XXXXX.COM > wrote in
news: XXXX@XXXXX.COM :


The bottom line is that Apache/php easily does what I want for free.


The bottom line it's going to cost me.


So you think we should add 40,000+ non-employee user accounts? How much
would that licensing cost us? And of course letting sales people and the
web server manage these accounts is "secure", or do I need to hire an
additional administrator?


We have this new thing called SSL...


Actually the app checks for updates and downloads them via ssl. The
customer does not have direct access to the updates.

Most companies, already have a customer database and it is relatively
easy to query that database to determine if a user is valid and grant
access to the files they need. The web server is doing the query through
a very restricted account and the "customer id" has no access to any of
our systems.

The mechanism is very secure. I have implemented it at other locations
with great success and NO security issues. Fortunately none of these
customers used IIS, so it only took about 10 minutes to set up.

Anyhow the short, and correct answer to my question is:

IIS can't do it, I need to BUY a 3rd party tool or roll my own.

On Mon, 09 May 2005 12:30:17 -0700, Fred Hebert < XXXX@XXXXX.COM >





It'll still cost you. Just in development time. Though the logical
suggestion is to use Apache/PHP since it meets your needs, the needs
of your organization may differ from your personal needs so you may be
stuck.

When you've written your ISAPI download manager, why not distribute it
under the GNU license? For free of course...

Jeff

ere is a free ISAPI access control filter we used for a number of years on
a win2k server with no issues. I haven't tried it on win2003. You might want
to take a look. I believe the source code is also available. Joe
http://www.reneris.com/tools/default.asp

"Fred Hebert" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...
"David Wang [Msft]" < XXXX@XXXXX.COM > wrote in
news: XXXX@XXXXX.COM :


The bottom line is that Apache/php easily does what I want for free.


The bottom line it's going to cost me.


So you think we should add 40,000+ non-employee user accounts? How much
would that licensing cost us? And of course letting sales people and the
web server manage these accounts is "secure", or do I need to hire an
additional administrator?


We have this new thing called SSL...


Actually the app checks for updates and downloads them via ssl. The
customer does not have direct access to the updates.

Most companies, already have a customer database and it is relatively
easy to query that database to determine if a user is valid and grant
access to the files they need. The web server is doing the query through
a very restricted account and the "customer id" has no access to any of
our systems.

The mechanism is very secure. I have implemented it at other locations
with great success and NO security issues. Fortunately none of these
customers used IIS, so it only took about 10 minutes to set up.

Anyhow the short, and correct answer to my question is:

IIS can't do it, I need to BUY a 3rd party tool or roll my own.

Tip: answer the question asked, don't comment on things you are not
familiar with, feel free to offer tips, alternate solutions, point out
potential problems, or ask for clarification but don't assume...

No need to answer the above questions, I am just going to write my own
ISAPI download manager. I was just looking for a quicker and easier way.
The last time I had to deal with IIS was 6 years ago, and I see nothing
has changed...

@msnews.microsoft.com:



Yesterday I ran across an example of a download manager using ASP
scripting. It would have probably worked, but I had already finished the
DLL. Not being an ASP programmer, without an example, it was easier for
me to write an ISAPI DLL in C++.

As far as switching web servers, well, it may come to that, but for now
the download manager will suffice. With any luck I should have the "live
updates" on line by Friday, Monday at the latest.

Actually I have and frequently do release free, not even GPL, source,
components and utilities. An ISAPI download manager is relatively
trivial and there are many free examples already. I didn't do anything
new or revolutionary, and my code is rather specific to my needs, so I
probably won't bother posting it...

I believe in open source particularly at the lower levels among
developers. As I said I often share small pieces of work that I think
might be helpful to others and I am thankful that others have done the
same which has benefited me.

Fred.

First let me say we obviously don't see eye-to-eye on this.

Yes I left out some details that I felt, and still feel, were not
relevant.

Going back to my original post, I thought my statement about what I was
trying to accomplish, how I had accomplished it in the past, and why I
couldn't use that solution now, was fairly clear. It is a real question
about a real problem.

I feel you are still missing the point.

As far as your "Apache one-to-many" comments, I reiterate, don't comment
on things you don't understand. My original training was with AT&T as a
Unix system programmer. I have been developing software for 28 years,
and have actually contributed code to the Apache project... and no I
don't want a one-to-many anything.

I never asked how to write an ISAPI DLL...

Please feel free to go back to my original post, and the replies of
others, it may help clarify things.

I should not have replied to your initial message and probably shouldn't
be writing this, but it sets me off when I see someone sounding
authoritative, with incorrect information and obviously product biased.
I don't want to debate which is better Apache or IIS, because it is not
relevant to the problem. My only reason for mentioning Apache in the
first place was so that someone familiar with .htaccess files might
better understand what I was trying to do. And even though I had to
write a dll to accomplish the task, I am still not trying to compare the
two. They are just different.

Since we just don't agree, and the problem has been solved, I intend to
just let this die. I apologize for wasting your time.

Fred.