Hello All:
One of my controls in my ASP.NET application requires that IIS Anonymous
Access to be turned off. It also needs to have the following tag in
web.config:
<identity impersonate="true"/>
My question is does the above configuration pose a security risk that I
should be aware of, and if so how can I mitigate it.
Thx in advance,
kr
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it! 4 1081
Whoa..red flag, your control HAS to have Anonymous Access..? That sounds odd...very odd.. and rather ridiculous. As far as asp.net is concerned, it doesn't really care what authentication method was used by IIS, just that it worked.
Some will argue that you should never use <identity impersonate="true" />, rather impersonate from code found in the following link. http://support.microsoft.com/default...b;en-us;306158
It makes sense, most of the execution operations of your application don't need to run with impersonation, so there is no need to have the execution always impersonating. I think it confounds your code though, so I usually just use <identity impersonate="true" />, much easer to code. Up to you of course.
--Michael
"Kevin R." <ka****@riverone.com> wrote in message news:uW*************@TK2MSFTNGP10.phx.gbl... Hello All: One of my controls in my ASP.NET application requires that IIS Anonymous Access to be turned off. It also needs to have the following tag in web.config: <identity impersonate="true"/> My question is does the above configuration pose a security risk that I should be aware of, and if so how can I mitigate it. Thx in advance, kr *** Sent via Developersdex http://www.developersdex.com *** Don't just participate in USENET...get rewarded for it!
Michael,
Thanks for your reply. Yes, indeed I use the suggested code to isolate
impersonation to the page loading the control that requires
impersonation (I used the web.config example for clarity here). But, I
still do no fully understand the implications of having IIS anonymous
authentication turned off (disabled anonymous access in IIS). What is
the "red flag" you are referring to!
Can anyone explain it here or refer me to a good source.
Much appreciated,
kr
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Michael,
Thanks for your reply. Yes, indeed I use the suggested code to isolate
impersonation to the page loading the control that requires
impersonation (I used the web.config example for clarity here). But, I
still do no fully understand the implications of having IIS anonymous
authentication turned off (disabled anonymous access in IIS). What is
the "red flag" you are referring to!
Can anyone explain it here or refer me to a good source.
Much appreciated,
kr
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Sorry, I misread your original post, I thought you needed anonymous authentication turned on. If it is off, and you aren't impersonating, except through code, you should be very secure.
"Kevin R." <ka****@riverone.com> wrote in message news:uu**************@TK2MSFTNGP11.phx.gbl... Michael, Thanks for your reply. Yes, indeed I use the suggested code to isolate impersonation to the page loading the control that requires impersonation (I used the web.config example for clarity here). But, I still do no fully understand the implications of having IIS anonymous authentication turned off (disabled anonymous access in IIS). What is the "red flag" you are referring to! Can anyone explain it here or refer me to a good source. Much appreciated, kr *** Sent via Developersdex http://www.developersdex.com *** Don't just participate in USENET...get rewarded for it! This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Glen Scott |
last post by:
Hi, I'm writing an ASP app that administers an ISA server remotely.
The fact that it's an ISA server isn't my problem I believe.
My question? What is the security difference between disabling
anonymous access and using account X from the web client, versus
allowing anonymous access but using account X as the account that runs
the...
|
by: Matt F |
last post by:
Hi all
I was hoping some one could clear up an ASP.Net security question I
have.
I am writing an ASP.NET application that connects to SQL Server. The
security setup (connection string and IIS) will vary depending on the
client who installs it. Some clients will undoubtedly wish to have IIS
and SQL Server on separate machines, with...
|
by: pv |
last post by:
Hi everyone,
I need help with following scenario, please:
Users are accessing same web server from intranet (users previously
authenticated in Active Dir) and from extranet (common public users). If
user is from intranet, web server should recognize it and application should
create additional options in controls regarding groups the user...
|
by: et |
last post by:
I have an asp.net program that uses a connection string, using integrated
security to connect to a sql database. It runs fine on one server, but the
other server gives me the error that
"Login failed for user "NT AUTHORITY/ANONYMOUS LOGON". Why would this be?
There is no reason it should even be trying to login to using NT...
|
by: Sorcerdon |
last post by:
Hello experts,
Im looking for a true expert to solve this.
I have a web application which displays a simple select from a table.
I have set impersination to true in the web config
I have Integrated Security = SSPI in my connection string
I have set authentication mode= windows
I have set my IIS to use Windows Authentication
| |
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in...
| |
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...
| |