
Directory Security Breach! (Login/password/domain)

Status
Not open for further replies.

Teabone
Technical User
Jun 6, 2002
Weird, folks, maybe you can tackle this one for me. I have set up a secured directory with IIS 5 to allow for a user name and password window to pop up and request access before you can enter. Thought it was working well, kept out the bad users, and allowed the ones I selected with the Active Directory Users and Computers administration. Messing around today, found out when you are at the login pop-up, if you just leave it blank and hit OK or Enter, without entering a username, password or domain, it lets you in! Major security breach, what's the deal? Is this something simple or am I doing everything wrong and nothing right?
 
Do you mean you used the directory's Security tab on the properties page within IIS? If so, that's not how you restrict access. Use Windows Explorer to view the properties of the directory, then go to the Security tab. Set your security there, not in IIS (make sure you remove the Internet Guest account).
 
Emmm... I think you are right. But be aware of the fact that IIS security is the first line of defence, since if your server is running on a FAT file system (where the files are located), there is not that much you can do when it comes to file security. Correct me if I am wrong.

It's not about whether you can do it or not, it's about HOW
OK, Let's Do It !!! [pipe]
jliu@Cipk.com


 
IIS directory security is configured correctly (I think); I've had this in place before with Windows 2000, now on Advanced Server, never heard of this before. The specific directory is configured to allow only certain users in with access. Here's another kicker: if I pull access for everyone, I mean the Administrators group, SYSTEM, everything, it still lets me in without a name or password, via an Internet browser to the directory, just by clicking OK or hitting Enter.
 
Which authentication method do you use? Windows NT Challenge/Response or Basic Authentication? I use Windows NT Challenge/Response on my W2k Server (behind a firewall), and it works fine. You may want to double-check the setup in both IIS and the file system. If set up correctly, you should be denied access to the web site without proper authentication. A message page like this will return:

You are not authorized to view this page

You do not have permission to view this directory or page using the credentials you supplied.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button to try again with different credentials.

If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the home page.

HTTP 401.3 - Access denied by ACL on resource
Internet Information Services
--------------------------------------------------------------------------------

It's not about whether you can do it or not, it's about HOW
OK, Let's Do It !!! [pipe]
jliu@Cipk.com
 
It gets even weirder. I am the only one who can bypass the login. I've been having others try via the Internet, and they can't get in unless they supply a proper login name and password. Only when I'm on my local machine does it allow me to just enter without a proper username and password. This ring any bells with anyone?
 
In that case, it is okay, since your computer "remembered" your credentials. I assume that you will be asked to log on if you reboot your machine.

It's not about whether you can do it or not, it's about HOW
OK, Let's Do It !!! [pipe]
jliu@Cipk.com


 
It must be allowing my development machine access regardless; I reboot, and still the same thing, NO NEED TO INPUT ANYTHING. As long as I'm local on this machine, do I need to worry about this anymore? Folks on the net can't seem to get in without a proper login? I guess I should be OK, unless any of you have reason to think otherwise?

PS - Thanks for the expert response times and information, this is a great medium!
 
Okay, here is what happened (maybe I am wrong). Did you select "remember the password" the first time you logged on? It only happens (skipping the authentication) when you make this selection. You may go to other machines to test it.
It's not about whether you can do it or not, it's about HOW
OK, Let's Do It !!! [pipe]
jliu@Cipk.com


 
Nope, in fact, at no point after reboot did I give the proper login or password! That's what's weird; it just knows that I'm local and OK? Never had this before.
 
-My Guess-

This is because of ur machine. I don't think it has anything to do with remembering passwords (I could be wrong). I'm guessing the reason why it's not asking u for ur login is because it already has it. Meaning you took ur time to log in to Win2k, right? It won't bother asking u again. For example: I dunno if you're familiar with SQL 2k Server, but it never bothers to ask you for a login/pass (not installed as mixed mode) once u're in. It just checks its db, and if it doesn't see ur name then u don't have access; if it does, then it'll let u do what ur privileges allow u to do.

Try taking off basic authentication and try going home to login and see if IIS behaves differently.

Good luck.

T [afro2]
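The thread's conclusion is that the poster's own browser, logged on to the domain, silently answers the Windows NT Challenge/Response (NTLM) challenge, so the site only looks open from that machine. The check a defender wants is a request that carries no credentials at all, so the answer does not depend on who is logged on where the test runs. The script below is an added example, not code from this thread or from any Tek-Tips member; the target URL and the sample 401 headers it parses offline are constructed placeholders. It sends one anonymous GET, reports whether the directory let it in, lists the schemes the server offers in its WWW-Authenticate headers, and flags Basic authentication offered over plain http://, since Basic sends the password base64-encoded rather than hashed.

```python
"""Anonymous probe of a protected IIS directory (added example; URL and sample data are constructed)."""
import http.client
import sys
from urllib.parse import urlparse

# Constructed sample of the headers an IIS 5 server returns when both
# Windows NT Challenge/Response and Basic Authentication are enabled.
# These are not captured from any server in the thread.
SAMPLE_401_HEADERS = [
    ("Server", "Microsoft-IIS/5.0"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="www.example.test"'),
    ("Content-Type", "text/html"),
]


def auth_schemes(headers):
    """Return the scheme names offered in WWW-Authenticate headers, in order."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            # The scheme is the first token; "Basic realm=..." -> "Basic".
            schemes.append(value.split()[0])
    return schemes


def classify(status, headers, url_scheme="http"):
    """Summarise what an unauthenticated request to the directory got back."""
    schemes = auth_schemes(headers)
    return {
        "status": status,
        # 200 to a request with no credentials means the directory is open.
        "anonymous_access": status == 200,
        "schemes": schemes,
        # Basic over cleartext HTTP exposes the password to anyone on the path.
        "basic_over_cleartext": "Basic" in schemes and url_scheme == "http",
    }


def probe(url, timeout=10):
    """Send one GET with no Authorization header and classify the response."""
    parts = urlparse(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"User-Agent": "anon-acl-check"})
        resp = conn.getresponse()
        # getheaders() keeps duplicate WWW-Authenticate lines as separate tuples.
        return classify(resp.status, resp.getheaders(), parts.scheme)
    finally:
        conn.close()


def report(result):
    """Render a classify() result as one line for the operator."""
    if result["anonymous_access"]:
        verdict = "OPEN: anonymous request was served"
    elif result["status"] == 401:
        verdict = "protected: 401, offers " + (", ".join(result["schemes"]) or "no scheme")
    else:
        verdict = "HTTP %d" % result["status"]
    if result["basic_over_cleartext"]:
        verdict += " (Basic over plain HTTP: credentials travel base64-encoded, not hashed)"
    return verdict


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(report(probe(sys.argv[1])))  # e.g. http://www.example.test/secure/ (placeholder)
    else:
        # Offline demonstration on the constructed sample response.
        print(report(classify(401, SAMPLE_401_HEADERS)))
```

Run it from a machine that is not a member of the domain (or simply from any machine, since the script never supplies credentials); a 401 with an NTLM or Negotiate challenge is the expected answer from a correctly restricted directory, and a 200 reproduces the breach the poster feared.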
 