I have set up a website using IIS and ASP.NET which grants access to users using a separate authentication server.

Therefore, in the web.config of my website I've added a module, which is a separate, 3rd party dll and will be loaded first when a user connects to the website, and which provides a redirect to the authentication server and manages the access accordingly.

To do this, my website is set up to use Anonymous authentication, leaving everything in the charge of the 3rd party dll.

From a user perspective, everything works fine: users cannot access the website content without having authenticated on the separate server; however, there are certain folders of the website which seem to be accessible to anyone without authenticating.

For instance, if my website is www.example.com/myWebsite/Default.aspx, I have created a subfolder called "Temp" (www.example.com/myWebsite/Temp) where I store temporary files. I noticed that this folder "bypasses" the authentication logic above: anyone can go to, e.g., www.example.com/myWebsite/Temp/file.txt and download such a file without authenticating.

Am I missing some configuration of IIS? Or does it look like there is a security flaw in the 3rd party authentication dll?

alex93
  • Why would you think that access to the Temp folder would be restricted? What piece of code or configuration did you think was handling that for you? Can you share it in your question, as a [mcve]? – mason May 05 '21 at 19:42
  • Either you use IIS services to authenticate your users or you don't. If you don't, then you are rolling your own or using some 3rd party system. If some 3rd party .dll is supposed to provide security, then you better email them and ask them how it is supposed to work. it is ALWAYS but ALWAYS a VERY bad idea to attempt security on a web site that does not involve or using IIS security - just a REALLY bad idea. If you had correctly used IIS security, then simply adding a web.config to that folder is all you would require for securing that folder. So now you have to write code for security. – Albert D. Kallal May 05 '21 at 20:28
  • So, yes - you have to contact and ask the makers of that .dll how security is supposed to work since you dumped the use of the IIS security model. – Albert D. Kallal May 05 '21 at 20:29
  • https://stackoverflow.com/questions/11048863/modules-runallmanagedmodulesforallrequests-true-meaning If built-in modules like forms authentication can work for all requests, then the same should apply to that third party module. Please confirm with the vendor and learn to fully utilize it. – Lex Li May 05 '21 at 20:54
  • "it is ALWAYS but ALWAYS a VERY bad idea to attempt security on a web site that does not involve or using IIS security - just a REALLY bad idea." I wonder from where you learned that @AlbertD.Kallal but it is not correct today. Modern sites are moving to new ways like OAuth, which isn't an IIS built-in authentication approach. – Lex Li May 05 '21 at 20:58
  • Well, then to secure a simple web page and folder - you're in for some extra work. Regardless of my views on this matter? You need to adopt and use the security model supplied by the external .dll you're using for such security. You can adopt external providers, and in most cases that means such security providers DO provide an interface to IIS based on the IIS security model interface. As a result, you can, say, use FBA (the default), or, say, Windows authentication - but in both cases they respect the IIS security model and work seamlessly with IIS. – Albert D. Kallal May 05 '21 at 21:02
  • And in my case, I did write a custom security provider. But it inherited and used the base class(es) and IIS security model. In other words EVEN when you adopt a 3rd party security model, they respect and use and leverage the IIS APIs and existing security model. So you can well use + adopt external security models - but in near all cases, they are adopted and work with IIS security. So you can even roll your own security, but one would expect that even when doing so, you write to IIS security interface standards so all of the built in management tools in IIS will still work to provide security – Albert D. Kallal May 05 '21 at 21:05
  • So, my point stands. You don't want to adopt a security model that does not interface and involve IIS security. So the point was never that you don't adopt a new external security model provider - that occurs all the time. But even when you do this, you still get to use the IIS security settings to secure folders, and use the built in methods such as Roles.IsUserInRole("PortalMaster") for example. It is very possible that your 3rd party system respects IIS security settings. This would thus prevent users from using pages or folders unless they are a member of a given security group. – Albert D. Kallal May 05 '21 at 21:14
  • Take a look at: https://stackoverflow.com/questions/34313670/prevent-direct-access-to-files-on-iis-server – Theobald Du May 06 '21 at 02:07
  • @AlbertD.Kallal Again: there are modern security systems that really have nothing to do with IIS. With most of them, when running in IIS you must set IIS to Anonymous Authentication so that IIS doesn't get in the way. You're being very forceful in your words, and I get that you're trying to promote security. But what you're saying simply is inaccurate. Rather than saying one must use IIS, you might instead say something like "don't roll your own security system, use one that's been battle tested by others". – mason May 06 '21 at 13:26
  • I will note that a good number of authentication providers that one can and would adopt do work with IIS. I'm only suggesting that one really should try and leverage the IIS security model - and this applies when using new auth providers. As noted, once done then just dropping in a web.config file in any of those folders gets you security - and all without having to code this out. As noted, since you're using a custom provider and one that's not hooked into IIS, then you have to check/see/find how and what that vendor supports in regards to securing that sub folder. But your position/points are fair – Albert D. Kallal May 06 '21 at 20:00
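The mechanism behind the symptom in the question, and behind Lex Li's pointer to runAllManagedModulesForAllRequests, can be shown in a web.config. The fragment below is an added illustration for this thread, not the asker's actual configuration and not the vendor's documentation: "Vendor.AuthRedirectModule, VendorAuth" is a hypothetical type/assembly name standing in for the 3rd party dll, and the site is assumed to run in an Integrated-mode application pool with Anonymous authentication enabled in IIS, as the question describes. A managed module in the IIS integrated pipeline only sees static files such as /Temp/file.txt if its precondition allows it; with the managedHandler precondition, StaticFileModule serves the file and the authentication module never runs.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added illustration for the thread above; not the asker's web.config and not
  the vendor's documentation. "Vendor.AuthRedirectModule, VendorAuth" is a
  hypothetical type/assembly name standing in for the 3rd-party dll. Assumes an
  Integrated-mode application pool with Anonymous authentication enabled in IIS.
-->
<configuration>
  <system.webServer>
    <modules>
      <!--
        BEFORE (reproduces the bypass): the managedHandler precondition tells
        IIS to run this module only for requests served by a managed handler,
        e.g. Default.aspx. A request for /myWebsite/Temp/file.txt is served by
        StaticFileModule, never enters this module, and is returned to anyone.
        Registering the module only under <system.web><httpModules> gives the
        same result in a Classic-mode pool, where static files never reach
        managed code at all.
      -->
      <!--
      <add name="AuthRedirect"
           type="Vendor.AuthRedirectModule, VendorAuth"
           preCondition="managedHandler" />
      -->

      <!--
        AFTER: an empty preCondition runs the module for every request in the
        Integrated pipeline, static files included, so /Temp/file.txt gets the
        same redirect-to-authentication-server treatment as Default.aspx.
        Alternatively keep the precondition and set
        <modules runAllManagedModulesForAllRequests="true">, which makes IIS
        ignore managedHandler for every managed module, the built-in ones too.
      -->
      <add name="AuthRedirect"
           type="Vendor.AuthRedirectModule, VendorAuth"
           preCondition="" />
    </modules>
  </system.webServer>
</configuration>
```

To check the result, request the static file without a session (for example with curl -I against /myWebsite/Temp/file.txt) and confirm that the response is the module's redirect to the authentication server rather than a 200 with the file body; repeat for other static extensions the site serves. Two caveats a practitioner should keep in mind: a module that runs for every request is also a module the vendor may not have written to handle static-file requests, so its own extension or path filtering has to be checked (which is the "confirm with the vendor" advice in the comments), and a folder-level web.config with ASP.NET `<authorization>` rules, as Albert D. Kallal suggests, only protects the folder if the module actually sets the request's user identity for IIS and ASP.NET to evaluate; a module that manages access entirely on its own leaves those rules with nothing to act on.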

0 Answers