Re: w2k AD security question

From: Roland Hall (nobody_at_nowhere)
Date: 02/23/04

Date: Mon, 23 Feb 2004 17:35:49 -0600

"yannacci" wrote:
: Thank you for your response. So it really isn't a security issue at
: all then. If I am correct, all the AD is doing is giving a "yes or no"
: answer to the login information that is provided by the script instead
: of requesting authentication to access resources etc. Would you agree?
: Thanks.

Without seeing the code, one would have to assume that is what is happening.
He might be grabbing the information from AD and then testing what the user
inputs himself. If so, he needs to write code to lock the account after so
many attempts, depending on your policy, but the proper way to do it is to
just pass it to AD and let it handle it itself. In other words, take the
user's response and try to log on, capture the response and either allow the
user in if successful or deny and request an additional attempt. Once AD
responds that the account is locked out, he should then notify the user.

The easiest way is to just remove the anonymous user's logon and use only
authenticated logons. This way the developer is out of the loop altogether.
If the user can get to his app, then they have been authenticated. If not,
then they haven't and there is nothing for him to do either way.

-- 
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
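An added example (not Roland's code, nor from the thread) of the approach he describes: the application never compares passwords itself, it hands the credentials to AD for a bind and acts on AD's answer, including the locked-out response. The real binder assumes the ldap3 Python library; `fake_ad_bind`, the sub-code table's sample messages and the `example.test` accounts are constructed so the example runs offline.

```python
import re
from dataclasses import dataclass

# Sub-codes AD embeds in a failed-bind diagnostic, e.g.
# "... AcceptSecurityContext error, data 775, v1db1"
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must change password",
    "775": "account locked out",
}

@dataclass
class Verdict:
    allowed: bool
    reason: str
    locked: bool = False  # True only when AD itself reports lockout (data 775)

def classify_bind_failure(diagnostic: str) -> Verdict:
    """Map AD's diagnostic text to a verdict; unknown codes become a generic denial."""
    m = re.search(r"data ([0-9a-f]+)", diagnostic)
    code = m.group(1) if m else None
    return Verdict(False, AD_BIND_SUBCODES.get(code, "invalid credentials"), locked=(code == "775"))

def authenticate(bind, upn: str, password: str) -> Verdict:
    """bind(upn, password) -> (ok, diagnostic) is the only thing that touches AD.
    An empty password is refused here: an LDAP simple bind with no password is an
    anonymous bind and would otherwise look like a success."""
    if not password:
        return Verdict(False, "empty password refused before contacting AD")
    ok, diagnostic = bind(upn, password)
    return Verdict(True, "accepted by AD") if ok else classify_bind_failure(diagnostic)

def ldap3_bind(server_uri: str):
    """Real binder built on the ldap3 library (assumed installed); not used by the offline run."""
    def bind(upn, password):
        from ldap3 import Server, Connection, SIMPLE
        conn = Connection(Server(server_uri, use_ssl=True), user=upn,
                          password=password, authentication=SIMPLE)
        ok = conn.bind()
        return ok, conn.result.get("message", "")
    return bind

# Constructed stand-in for AD so the example runs offline; bob is already locked out.
def _diag(code):
    return f"80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data {code}, v1db1"

def fake_ad_bind(upn, password):
    if upn == "alice@example.test" and password == "correct horse":
        return True, ""
    return (False, _diag("775")) if upn == "bob@example.test" else (False, _diag("52e"))
```

Because lockout is AD's decision, the web app needs no attempt counter of its own; it only reports `locked` to the user.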
