Managing security with LDAP

[JimmyL]

I intend to develop an intranet information system that uses LDAP to manage security. Thus when users request pages through their browser, if they do not have the sufficient security access, they will be denied the page.

My problem is that the system will be hosted on a server running Windows 2000 server and IIS 5. What is to stop users simply browsing directly to the server using Windows Explorer? Without additional NT security, they could then access even restricted information.

Is there any way to control security for people browsing directly to the server with windows explorer without duplicating my LDAP security rules in NT?

 

[michaelwebbatsun]

I am not too keen on IIS/Micro$oft, butI would:

unshare all drives of the server;
disable any type of anonymous/user logon;
disable any ftp or telnet services;
disable or restrict any webservers.

After installing the LDAP server, you should look at the anonymous LDAP search rights in the ACI, but after you have tested your configuration.

That should be a start. Good Luck.

Michael Webb
Sun Microsystems