Security Basics mailing list archives
RE: Microsoft Active Directory security concerns
From: "Jason Dinsdale" <jasondinsdale () gmail com>
Date: Thu, 20 Jul 2006 22:58:19 +1000
Nic,

Your problem is an interesting one, and I'm not sure that you can resolve it with just vanilla MS tools (IIS, AD, ADAM) at your disposal. The SSO product that I specialise in addresses this by:

A) deploying Policy Enforcement Points (PEPs) at appropriate locations, e.g. IIS (as an ISAPI filter) or Apache (as a loadable module). The PEPs intercept any resource (web page) access requests and pass on those requests to the Policy Decision Points (PDPs).

B) Deploying PDP servers that integrate with all necessary directories (SunOne, AD, ADAM etc.) and allow the PDPs to create a consolidated view of user identities across all directories, against which they evaluate & apply access & authentication policy.

C) Having the PDPs return policy access & authentication decisions (allow, deny, authenticate etc.) to the PEPs, which then implement that decision.

Another approach might be to use a meta directory product which simply provides the consolidated view of both AD & ADAM directories and authenticate against that; however, I don't think that this will work with IIS (Integrated Windows?) authentication since it depends on AD.

Hope this helps somewhat.

Jason

-----Original Message-----
From: NicS [mailto:nic.scheepers () logicaloptions com]
Sent: Friday, 7 July 2006 2:44 AM
To: security-basics () securityfocus com
Subject: RE: Microsoft Active Directory security concerns

Hi Jason,

I am very delighted by your message because I was doing research on this subject for the past few months. I came to the conclusion that I have to use AD for the internal users and ADAM for the external users, but now the implementation seems a bit tricky. I need IIS to authenticate the users; how will IIS know when to look in AD and when to look in ADAM? Does this have anything to do with proxy redirection from ADAM to AD, or do you have to synchronise all users to ADAM and then somehow make IIS look solely at ADAM for authenticating both the internal and external users?

Does this solution mean development of software where the software first tries AD and, if it is failing, then goes to ADAM for the authentication? Does anyone have some direction where I can read more about this? I cannot find resources dealing directly with these issues.

Regards
Nic
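As an added illustration of the PEP/PDP flow Jason describes (this is not the product's code; the two in-memory dicts stand in for AD and ADAM, and the password store, user names, group names and policy are all constructed), here is a toy decision flow in Python. It also covers the point behind Nic's "try AD, then ADAM" question: the PDP builds one consolidated view first, and a name that exists in both directories is treated as ambiguous and refused rather than resolved by whichever directory answers first.

```python
import hashlib
import hmac
import os

ITER = 100_000  # PBKDF2 rounds for the constructed password store

def _store(pw: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITER)

# Constructed directory contents standing in for AD (internal) and ADAM (external).
DIRECTORIES = {
    "AD":   {"alice": {"pw": _store("Winter2006!"), "groups": {"staff"}}},
    "ADAM": {"bob":   {"pw": _store("partner-pass"), "groups": {"partners"}}},
}
# Access policy: resource prefix -> groups permitted; anything unmatched is denied.
POLICY = {"/intranet/": {"staff"}, "/portal/": {"staff", "partners"}}

def consolidated_view(dirs=DIRECTORIES) -> dict:
    """Merge both directories into one identity map, as the PDP does.
    A name present in both realms is ambiguous; flag it instead of letting
    whichever directory answers first win."""
    view = {}
    for realm, users in dirs.items():
        for name, rec in users.items():
            view[name] = {"ambiguous": True} if name in view else {"realm": realm, **rec}
    return view

def pdp_decide(user, password, resource, view) -> str:
    """Policy Decision Point: 'authenticate' (challenge), 'deny' or 'allow'."""
    rec = view.get(user)
    if rec is None or rec.get("ambiguous"):
        return "deny"
    if password is None:
        return "authenticate"  # tell the PEP to challenge the client
    salt, digest = rec["pw"]
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
    if not hmac.compare_digest(probe, digest):
        return "deny"
    allowed = any(resource.startswith(p) and rec["groups"] & g for p, g in POLICY.items())
    return "allow" if allowed else "deny"

def pep_handle(user, password, resource) -> int:
    """Policy Enforcement Point (the ISAPI-filter role): enforce the decision as HTTP."""
    decision = pdp_decide(user, password, resource, consolidated_view())
    return {"allow": 200, "authenticate": 401, "deny": 403}[decision]
```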
Current thread:
- RE: Microsoft Active Directory security concerns NicS (Jul 06)
- RE: Microsoft Active Directory security concerns Jason Dinsdale (Jul 21)
- <Possible follow-ups>
- Re: Microsoft Active Directory security concerns s . p . ariyapperuma (Jul 07)