Re: FYI: Web based ISA administration

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 12 Nov 2003 10:31:11 -0800

I want per-process auth; only then can we know what's happening to what
according to whom.
Biometrics are difficult to apply to "localsystem" apps and services...
..maybe a script?
;-)

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 12, 2003 10:23
Subject: [isalist] Re: FYI: Web based ISA administration


http://www.ISAserver.org

Hi Jim,

You bet. Web Server on the Firewall is like Mustard and Chocolate. Tastes OK
until you puke ;-)

But but but, you can require client certificate authentication AND an IPSec
transport mode connection to the Web site. And..and..and we could require
two-factor auth requiring Biometric input :-D

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp




-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, November 12, 2003 10:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration



You don't have to install it on the firewall; that's clear from the docs or
even Tom would have screamed.
I agree that a good auth mechanism helps here, but that doesn't mean that
another process can't hijack the admin window and take advantage of a
weakened IIS server.

I like a web-based admin; it's a fairly popular request in the NG.
It just needs to be done properly...

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Gabriel O. Zabal" <gabriel@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 12, 2003 07:47
Subject: [isalist] Re: FYI: Web based ISA administration



I agree with Jim on the Parent Path problem.
I really don't like running a webserver on the Firewall.
Why don't we start a poll here on the list to see the real need for Web
Administration on ISAServer 2000?

I don't need it.

Gabriel Zabal
gabriel@xxxxxxxxxx


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 12, 2003 15:46
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration


Hi Jim,

How about requiring user certificate authentication for the Web site? If
someone can subvert that, then it's just about game over because then PKI
is dusted.

Thanks!
Tom

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, November 12, 2003 7:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration


Hi Tom,

Perhaps; unless you web-publish it.
That's the big selling point; "admin your ISA from anywhere without the
need for MMC".

URLScan blocks parent paths by default, so you have to either:
- disable URLScan (not in my lifetime)
- disable URLScan PP filtering (not in your lifetime)
- server publish this connection (great, another dedicated IP because
the web site is "picky")

This was just a bad design choice on their part.
It's fixable with proper recoding of their pages.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Tue, 11 Nov 2003 22:56:44 -0600
 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:

Hi Jim,

But it's not going to be accessible from untrusted networks ;-)

Tom

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, November 11, 2003 6:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FYI: Web based ISA administration


EEeeeeek!

System requirements :
..Parent Paths must be enabled.

Bad, bad web-devs!

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 11, 2003 15:48
Subject: [isalist] FYI: Web based ISA administration



Products: http://www.geniework.com/en/products/default.htm


