Hi
The description of your solution does not contain enough details to provide the exact security design of your application. I am going to give you a short overview, but please, even if this completely helps you, BE SURE THAT YOU REALLY UNDERSTAND WHAT YOU DO.
• Assuming that your intranet application is written in ASP.NET or it is an ASP Web Service, set the directory security in IIS Manager to Windows authentication. Be sure that anonymous is not checked. This forces IIS to retrieve an access denied on the first client's request. The client must be able to authenticate by using NTLM. By using NTFS you can set the wanted permissions.
• Then in the web.config of your application set the following tags:
<authentication mode="Windows" />
<identity impersonate="true" />
• If your client is the IE browser you do not have to do anything else to be sure that nobody outside of the specified Windows group can access the site.
• But this is often not enough. Additionally you can provide much more granularity by using CAS if required. CAS allows you to define role-based security (not only). For example, if your solution provides some Web Service you can protect your methods as shown below:
// The demand throws a SecurityException unless Thread.CurrentPrincipal is in "SomeRole".
[WebMethod(Description="Retrieves the appointment data", EnableSession=false)]
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = "SomeRole")]
public void GetServiceAppointment(string ServiceId)
{
    // method body
}
Additionally you have to provide a mechanism, which maps the windows user (Windows Identity established by impersonation (see above)) to the specific role
This can be done in Global.Cs in the method Application_AcquireRequestState:
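// Look up the roles for the authenticated Windows account name.
String[] roles = somefunctionof(Thread.CurrentPrincipal.Identity.Name);
// Build a principal that carries those roles and attach it to the request thread.
GenericIdentity MyIdentity = new GenericIdentity(Thread.CurrentPrincipal.Identity.Name);
GenericPrincipal MyPrincipal = new GenericPrincipal(MyIdentity, roles);
Thread.CurrentPrincipal = MyPrincipal;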
• If you do not use the browser at the client side there are generally two ways to provide credentials:
If you can force the user to enter the user name and password, do the following:
System.Net.ICredentials icred = new System.Net.NetworkCredential(m_User, m_Pwd, m_Domain);
A much better way is to use the currently cached Windows credentials:
System.Net.ICredentials icred = System.Net.CredentialCache.DefaultCredentials;
Sorry if this is not enough, but the security is not something you cannot implement in a few minutes. One good solution provides a good security concept. It is not enough that your application just runs properly. It is also VERY IMPORTANT that your application runs secured. I propose you search MSDN for more information using the following keywords:
PrincipalPermissionAttribute, impersonation, web.config, NTLM, DefaultCredentials, Credentials
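The role mapping and role demand described in this post, put together as an added example that is not part of the original post: a .NET Framework console program showing that the demand succeeds only for a caller mapped to the role. `LookupRoles`, `RoleTable` and the `CONTOSO\...` account names are hypothetical stand-ins for the post's `somefunctionof` and for real Windows accounts.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleDemandDemo
{
    // Constructed sample data: hypothetical account-to-role table.
    static readonly Dictionary<string, string[]> RoleTable =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\alice", new[] { "SomeRole" } },
            { @"CONTOSO\bob",   new string[0] },
        };

    // Hypothetical stand-in for somefunctionof(): unknown users get no roles (deny by default).
    static string[] LookupRoles(string windowsName)
    {
        string[] roles;
        return RoleTable.TryGetValue(windowsName, out roles) ? roles : new string[0];
    }

    // Same declarative demand the post places on the web method.
    [PrincipalPermission(SecurityAction.Demand, Role = "SomeRole")]
    static string GetServiceAppointment(string serviceId)
    {
        return "appointment data for " + serviceId;
    }

    static string CallAs(string windowsName)
    {
        // Per-request step the post performs in Application_AcquireRequestState.
        var identity = new GenericIdentity(windowsName);
        Thread.CurrentPrincipal = new GenericPrincipal(identity, LookupRoles(windowsName));
        try { return GetServiceAppointment("42"); }
        catch (SecurityException) { return "denied"; }
    }

    static void Main()
    {
        // Constructed callers: one with the role, one without, one not in the table.
        foreach (var user in new[] { @"CONTOSO\alice", @"CONTOSO\bob", @"CONTOSO\mallory" })
            Console.WriteLine("{0}: {1}", user, CallAs(user));
    }
}
```

The declarative attribute is enforced by the .NET Framework runtime; that target framework is an assumption of this example.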