I want per-process auth; only then can we know what's happening to what according to whom.
Biometrics are difficult to apply to "localsystem" apps and services...
..maybe a script? ;-)

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 12, 2003 10:23
Subject: [isalist] Re: FYI: Web based ISA administration

http://www.ISAserver.org

Hi Jim,

You bet. Web Server on the Firewall is like Mustard and Chocolate. Tastes OK until you puke ;-)

But but but, you can require client certificate authentication AND an IPSec transport mode connection to the Web site.

And..and..and we could require two-factor auth requiring Biometric input :-D

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, November 12, 2003 10:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration

You don't have to install it on the firewall; that's clear from the docs or even Tom would have screamed.
I agree that a good auth mechanism helps here, but that doesn't mean that another process can't hijack the admin window and take advantage of a weakened IIS server.

I like a web-based admin; it's a fairly popular request in the NG.
It just needs to be done properly...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Gabriel O. Zabal" <gabriel@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 12, 2003 07:47
Subject: [isalist] Re: FYI: Web based ISA administration

I agree with Jim on Parent Path problem. I really don't like running a webserver on the Firewall.

Why don't start a poll here on the list to see the real need for Web Administration on ISAServer 2000??

I don't need.

Gabriel Zabal
gabriel@xxxxxxxxxx

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 12, 2003 15:46
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration

Hi Jim,

How about requiring user certificate authentication for the Web site? If someone can subvert that, then it's just about game over because then PKI is dusted.

Thanks!
Tom

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, November 12, 2003 7:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration

Hi Tom,

Perhaps; unless you web-publish it. That's the big selling point; "admin your ISA from anywhere without the need for MMC".

URLScan blocks parent paths by default, so you have to either:
- disable URLScan (not in my lifetime)
- disable URLScan PP filtering (not in your lifetime)
- server publish this connection (great, another dedicated IP because the web site is "picky")

This was just a bad design choice on their part. It's fixable with proper recoding of their pages.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Tue, 11 Nov 2003 22:56:44 -0600 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:

Hi Jim,

But it's not going to be accessible from untrusted networks ;-)

Tom

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, November 11, 2003 6:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration

EEeeeeek!

System requirements:
..Parent Paths must be enabled.

Bad, bad web-devs!

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 11, 2003 15:48
Subject: [isalist] FYI: Web based ISA administration

Products:
http://www.geniework.com/en/products/default.htm
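
The "proper recoding" mentioned in the thread, as an added example that is not part of any message and is not the vendor's code: a Python audit that finds classic ASP `#include file` directives and `Server.MapPath` calls that depend on Parent Paths, and rewrites the includes to root-relative `#include virtual` form, which works with Parent Paths disabled. The page paths and contents are constructed sample data.

```python
import posixpath
import re

# Constructed sample pages (hypothetical paths, not taken from the product).
SAMPLE_SITE = {
    "/admin/rules/edit.asp": '<!--#include file="../../inc/auth.asp"-->\n'
                             '<% p = Server.MapPath("../data/rules.xml") %>\n',
    "/admin/default.asp": '<!-- #include file="menu.asp" -->\n'
                          '<!--#include virtual="/inc/auth.asp"-->\n',
    "/default.asp": '<!--#include file="../secret.inc"-->\n',
}

INCLUDE_FILE = re.compile(r'(<!--\s*#include\s+)file(\s*=\s*")([^"]+)(")', re.I)
# Flags any quoted MapPath argument containing ".." for manual review.
MAPPATH = re.compile(r'Server\.MapPath\(\s*"([^"]*\.\.[^"]*)"', re.I)

def to_virtual(page_url, rel):
    """Resolve rel against the page's directory; None if it climbs above the site root."""
    parts = [p for p in posixpath.dirname(page_url).split("/") if p]
    for seg in rel.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def audit(site):
    """Return (findings, rewritten pages); findings are (page, kind, path) tuples."""
    findings, fixed = [], {}
    for url, src in site.items():
        def repl(m):
            rel = m.group(3)
            if ".." not in rel.replace("\\", "/").split("/"):
                return m.group(0)  # same-directory or child include: no parent path
            virt = to_virtual(url, rel)
            if virt is None:
                findings.append((url, "include-escapes-root", rel))
                return m.group(0)  # cannot be expressed as a virtual path; leave as is
            findings.append((url, "include-parent-path", rel))
            return f"{m.group(1)}virtual{m.group(2)}{virt}{m.group(4)}"
        fixed[url] = INCLUDE_FILE.sub(repl, src)
        for m in MAPPATH.finditer(src):
            findings.append((url, "mappath-parent-path", m.group(1)))
    return findings, fixed
```

`Server.MapPath` calls are reported rather than rewritten, and an include that resolves above the site root is reported and left untouched because it needs a design change rather than a path rewrite.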