FW: Unauthorised access
- From: "Sullivan, Neil (CALBRIS)" <Neil.Sullivan@xxxxxxxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List] (E-mail)" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 28 Nov 2002 17:07:38 +1000
Bit more context for this one, is looked thru the logs again and this is the
tail end of the log. There are about a dozen or so of these, all slightly
different of course.
To me it seems the ISA returned no page to the user?
Should this have ever hit the logs? The user was resolved - not anonymous..
IP.IP.IP.IP, Domain\User, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1),
-, 9/27/2002, 7:57:27, -, PROXY, -, -, -, 0, 125, 479, 0, -, -, GET,
http://www.nastyurl.com/images/page1_02.jpg, -, -, 12209, -, -, -
Is this correct behaviour?
> -----Original Message-----
> From: Sullivan, Neil (CALBRIS)
> Sent: Thursday, 28 November 2002 4:40 PM
> To: [ISAserver.org Discussion List] (E-mail)
> Subject: Unauthorised access
>
>
> Got a strange problem with an ISA SP1 Cache only server.
>
> Access to the Internet is via Group membership, applied to site and content
> rules.
>
> So far so good, been working OK for ages, but now someone has turned up in
> the logs who does NOT have access via the group membership.
>
> Furthermore, looking thru the security log, there is no evidence of this
> person ever having authenticated with the ISA..
> ISA is set to Authenticate Users, using Basic and Windows authentication.
>
> Tests have shown that removing a legitimate user from the Group does remove
> their access - as it should.
>
> So how does my mystery user get access? It's not via any nested group
> membership either.
>
> I'm stuffed if I can find out..
>
> Cheers
> Neil
>
>
>
Other related posts:
