« Previous Next »

• 10-29-2009, 6:53 PM

  mac12 Joined on 10-29-2009, 6:33 PM Posts 5

  Anonymous authentication "inherently insecure" ? Reply Contact I have a client who is insisting they won't allow anon access by policy.  We don't authenticate at the web server - rather we use an isapi connector to Tomcat which does the (forms based) user password auth.  Of course this means we use Anonymous access on IIS.  My claim is that there's nothing inherently insecure about using Anonymous auth in IIS give you follow best practices for limiting access/execute rights. Does my client have a legitimate concern, or do they "just not get it".  I guess they were hacked via the IIS Anon account in the past. I'd be grateful for any authoritative statements on the matter.

  Tags: anonymous authentication tomcat

• 10-29-2009, 9:32 PM

  In reply to

  Rovastar Joined on 03-13-2008, 2:00 PM London, UK Posts 1,805

  Re: Anonymous authentication "inherently insecure" ? Reply Contact  Think of this logically most sites allow anonymous access. Google.com, etc They all allow anonymous access.  " I guess they were hacked via the IIS Anon account in the past." I cannot understand that   "My claim is that there's nothing inherently insecure about using Anonymous auth in IIS give you follow best practices for limiting access/execute rights."  That is correct. Are you using best practices?   http://www.iisportal.com

• 10-29-2009, 11:08 PM

  In reply to

  mac12 Joined on 10-29-2009, 6:33 PM Posts 5

  Re: Anonymous authentication "inherently insecure" ? Reply Contact   Rovastar:  That is correct. Are you using best practices?    Yes, based on recommendations here:  http://technet.microsoft.com/en-us/library/cc782762%28WS.10%29.aspx  And in fact we're even planning to add IP restrictions: http://technet.microsoft.com/en-us/library/cc787192%28WS.10%29.aspx So I it feels pretty tight to me.  I appreciate the confirmation!

• 10-30-2009, 2:51 AM

  In reply to

  lextm Joined on 10-22-2008, 4:18 AM Shanghai, PRC Posts 1,430

  Re: Anonymous authentication "inherently insecure" ? Reply Contact I hope you have a firewall behind the IIS server and use it to filter out uninvited IP addresses instead of IIS IP restrictions. Generally speaking a dedicated firewall performs such tasks better and allows IIS to focus on other activities. Lex Li Support Engineer at Microsoft --------------------------- This posting is provided "AS IS" with no warranties, and confers no rights.

• 10-30-2009, 10:21 AM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Central NJ Posts 6,254	Re: Anonymous authentication "inherently insecure" ? Reply Contact +1 to what Rovastar said. Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 10-30-2009, 11:21 AM

  In reply to

  mac12 Joined on 10-29-2009, 6:33 PM Posts 5

  Re: Anonymous authentication "inherently insecure" ? Reply Contact lextm: I hope you have a firewall behind the IIS server and use it to filter out uninvited IP addresses instead of IIS IP restrictions. Generally speaking a dedicated firewall performs such tasks better and allows IIS to focus on other activities.   Good point. My plan is a DMZ with the front firewall passing traffic on 443 and the rear firewall only passing 8009 traffic (connector default port). The IIS IP restriction was an added in case there's a client on the same tier as the WS (which wouldn't be my choice, but have to work with the customer's network architecture..) The client is a hardware device that doesn't support native IIS authentication types (basic, digest, WIA, etc.). I think I'll recommend enforcing clients in the client tier only, and firewall based IP address restrictions, and see if they can accomodate that. I think their consultants are a bit out of their depth and trying to appear savvy by imposing lots of poorly thought out security prohibitions. Thanks for the advice!

• 10-30-2009, 1:51 PM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Central NJ Posts 6,254

  Re: Anonymous authentication "inherently insecure" ? Reply Contact mac12: The client is a hardware device that doesn't support native IIS authentication types (basic, digest, WIA, etc.). Fair enough. mac12: I think their consultants are a bit out of their depth and trying to appear savvy by imposing lots of poorly thought out security prohibitions. Uh huh.  Hmmm, they don't want to allow anonymous access, yet there's a technical limitation that doesn't allow for anything but anonymous access ... Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 10-30-2009, 6:43 PM

  In reply to

  mac12 Joined on 10-29-2009, 6:33 PM Posts 5

  Re: Anonymous authentication "inherently insecure" ? Reply Contact   tomkmvp: Hmmm, they don't want to allow anonymous access, yet there's a technical limitation that doesn't allow for anything but anonymous access ...  Right - so their solution is for us to have the device re-engineered to authenticate to IIS. Very expensive for us, and (it would appear) worse than pointless.  I'm thinking it would even be slightly worse security - since we'd have to create a network account / password for the device, and all the hassles (pw management) and vulnerabilities (pw guessing) that go with it.

• 11-02-2009, 10:01 AM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Central NJ Posts 6,254	Re: Anonymous authentication "inherently insecure" ? Reply Contact You are on track. Does the device support SSL?  That would be a good idea. Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 11-11-2009, 6:45 PM

  In reply to

  mac12 Joined on 10-29-2009, 6:33 PM Posts 5	Re: Anonymous authentication "inherently insecure" ? Reply Contact  Yes - it does SSL, which protects the login credentials in transit.