WebApp Sec mailing list archives

RE: Prevent security bypass


From: "Logan F.D. Greenlee" <lgreenlee () ciretose net>
Date: Tue, 4 Feb 2003 23:25:28 -0500

Chris,
        An easy way to accomplish this would be to add NTLM
authentication to your existing login form. First, create a single
directory in which your protected files reside. Turn off Anonymous
access to the directory and its children. Add a low-privilege user to
the machine that has as few rights as possible. On the file system add
this user with read only access to the directory. All files and
directories below the protected HTML root should inherit permissions
from its parent. Finally, modify your asp login form to add NTLM
authentication to the login process. Authenticate each user as the low
privileged NT user created earlier, in addition to your standard
form/session user authentication. Obviously NT authentication should
only take place if the user has a valid form based login. This should
meet your needs for protecting your HTML files and ensuring that your
web app users are not gaining undue rights on your web server(s).

-Logan
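
The directory, account, NTFS ACL and IIS steps from the reply above, written out as a
PowerShell script for a current IIS (7 or later) with the WebAdministration module and
the Windows Authentication feature installed. This is an added example, not code from
the thread. The site name "Default Web Site", virtual path "protected", folder
C:\inetpub\wwwroot\protected and account name "WebReadOnly" are hypothetical; the last
step in the reply, tying the NTLM challenge to the existing ASP form login, is
application code and is not shown here.

```powershell
#Requires -RunAsAdministrator
# Added example for the procedure in the reply above; not code from the thread.
# Hypothetical values: site "Default Web Site", virtual path "protected",
# folder C:\inetpub\wwwroot\protected, local account "WebReadOnly".
# Needs the IIS Windows Authentication feature and the WebAdministration module.
Import-Module WebAdministration

$siteName     = 'Default Web Site'
$appPath      = 'protected'
$protectedDir = 'C:\inetpub\wwwroot\protected'
$userName     = 'WebReadOnly'

# 1. One directory holds every protected file.
New-Item -ItemType Directory -Path $protectedDir -Force | Out-Null

# 2. Low-privilege local account: no extra group membership, cannot change
#    its own password. The password is prompted for so it never sits in the script.
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $userName" -AsSecureString
    New-LocalUser -Name $userName -Password $password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Read-only identity for protected HTML' | Out-Null
}

# 3. NTFS ACL on the directory: drop inherited ACEs, then grant the account
#    read+execute only. (OI)(CI) make each ACE inherit to files and subfolders,
#    which is what "children inherit from the parent" means in NTFS terms.
#    Administrators and SYSTEM keep full control for maintenance.
icacls $protectedDir /inheritance:r /grant:r `
    "${userName}:(OI)(CI)RX" `
    "BUILTIN\Administrators:(OI)(CI)F" `
    "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null

# Reset anything already inside the tree so it carries only inherited ACEs;
# a stray explicit ACE such as Everyone:R on an old file would otherwise survive.
Get-ChildItem -Path $protectedDir -Recurse -Force | ForEach-Object {
    icacls $_.FullName /reset /Q | Out-Null
}

# 4. IIS: anonymous off, Windows (NTLM) authentication on, scoped to this
#    directory only. Writing with -PSPath 'IIS:\' -Location stores the setting
#    in applicationHost.config, so it works even though these sections are
#    locked against web.config overrides by default.
$location = "$siteName/$appPath"
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# 5. Verify: show the effective ACL, then make a request with no credentials,
#    which must now come back 401 instead of serving the file.
icacls $protectedDir
try {
    Invoke-WebRequest -Uri "http://localhost/$appPath/index.html" -UseBasicParsing | Out-Null
    Write-Warning 'Anonymous request succeeded; protection is NOT in place.'
} catch {
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -eq 401) { 'OK: anonymous request refused (401)' } else { "Unexpected status $code" }
}
```

Run it elevated on the web server. The final request deliberately omits
-UseDefaultCredentials, so a 401 proves the directory no longer serves to an
unauthenticated client; the icacls listing should show only the three explicit ACEs
and no inherited entries. Anything outside the protected directory is untouched, so
the rest of the site keeps whatever anonymous access it had.
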




-----Original Message-----
From: Chris Neil [mailto:Chris.Neil () abs-ltd com]
Sent: Tuesday, February 04, 2003 12:00 PM
To: 'webappsec () securityfocus com'
Subject: Prevent security bypass


I am new to this mailing list and so hope this conforms to the guidelines as
I read them.

How do people address the issue of non-authenticated users requesting html
pages directly from a site without logging in?

FYI. This is an IIS server. Our asp pages check the user is logged in, but
with html pages we cannot.
My only idea so far is to convert all our html pages to asp. Is there
anything less drastic?


Chris Neil
  Security Officer
  Chris.Neil () abs-ltd com
-------------------------------------------
ABS 
  Tel:     +44 (0) 1993 771221
  Fax:    +44 (0) 1993 775081
-------------------------------------------

