[isapros] Re: How to on ISA 2006

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 23 Sep 2006 14:48:25 -0700

ah - the light doth flicker... 
 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of John T (Lists)
Sent: Sat 9/23/2006 9:19 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006



The downloaded (retrieved) content from the 3rd party data store is not done by 
the user, but by a process on the web server.

 

The Internet user initiates one process through the website directly on the web 
server. That process will launch a second process to retrieve the requested PDF 
from the 3rd party data store if and only if the requested PDF is not already 
in the local data share. The end user has no control over the retrieval from 
the 3rd party site. They are simply requesting display of the data sheet but 
they do not know where it is coming from.

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Saturday, September 23, 2006 6:35 AM
To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

 

Maybe I missed something, but how and where does ISA or IIS validate the 
original source of content delivered by user?  Remember; the source & 
destination servers have no direct knowledge of each other.

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Fri 9/22/2006 10:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

It's John though, so let's give this one a go...

We've got an internal server that needs to download content on demand and write 
it to a shared folder for internal use.  Only this "process" should have write 
access to the share (everyone else is read only), and only the PDFs from the 
trusted host should be written. 

There are administrative questions I have in general that don't speak to 
solving the problem, but I've got to ask them:

1. what happens if a PDF gets updated by the main server?  How will the 
"new" content be downloaded? 
2. why store the content locally in the first place when the client can dl 
it right from the source? 
3. Why not just get a DVD of the PDFs from the source? 


[So, let's ignore those for now..]

Jim skipped over some steps in his answer, but yes, ISA can't determine the 
original source of a document that someone may want to upload to a share once 
they've got it on the local host.  But we may be able to combine some 
mechanisms to arrive at a solution.

Obviously, the main threat is that the current config allows IIS' anonymous 
access user to write to a shared directory.  An attacker could leverage this to 
upload malicious content to the server and own assets.  So, the "download 
process" should be separated from the "anonymous user" context. 

Set up two users:  one for the IIS anonymous user, and one for the download 
process.  The IIS user has READ rights only to the directory and explicit deny 
WRITE rights.  The download process has WRITE only rights to the directory.  
Both users explicitly have DENY EXECUTE rights. 

Client user requests PDF that does not exist.  IIS user calls to RUNAS job 
under creds of "process" job, passing it the URL for the file. The process user 
calls for a download of the PDF.  From an ISA standpoint, there is an access 
rule that allows the "process" user to download PDF content from only the 
internet host system, followed by a DENY ALL rule for that user to cover 
anything else.  The process writes the file to the shared directory.  The IIS 
user can then pass the file to the client user with READ rights.

This way, the IIS user can only READ, and the "process" user can only WRITE, 
and neither can EXECUTE.   ISA can limit what the "process" user can download 
and from where, and you don't have to worry about exploits against the IIS 
user.  Even if the IIS user is compromised and the "process" user's creds 
exposed, the attacker could only download PDFs from the approved host.  
Further, you can use Group Policy to explicitly deny network access to the rest 
of the network for the "process" user as you will know that all of that user's 
access is local to the IIS box, and this gives you added security.  Same for 
the IIS user.

Is this along the lines of the solution you were looking for?

t




On 9/21/06 9:18 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

There is no way for ISA to determine the original source of content (regardless 
of file type) delivered via an HTTP stream.  A file JoeBobAlooba sends you 
from his desktop looks exactly the same as one he pulled from a remote 
share.  Unless the server / client applications define it in some way, there is 
no such context as "file properties" or "originator" in HTTP other than a 
"referer" header and this only refers to the site that sent JoeBobAlooba to 
your site.
Even then, there is no way to define "block all except" in HTTP signatures - 
it's "block this" only.

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of John T (Lists)
Sent: Thu 9/21/2006 6:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

ASP. Website is on an internal server. ISA is ISA only.


John T
eServices For You

"Seek, and ye shall find!"


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] 
On Behalf Of Thor (Hammer of God)
Sent: Thursday, September 21, 2006 4:29 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

Can you give more information about the process doing the downloading? .NET or 
ASP based?  The ISA box is not the same box, right? 

t


On 9/21/06 1:03 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> spoketh to 
all:
This is a new one for me but I am sure ISA can do this but I need pointers in 
the direction of how to.
 
Internal server is running IIS 6.0 on Windows 2003 Standard server. IIS 
anonymous user is a domain account properly configured.
 
There will be a function of a sub-site of the company website (forced SSL) that 
will return and display information as a result set for a part search. Part of 
that displayed information will be a web button displayed that if there is a 
PDF document available for specs for that part will either A) open the PDF in a 
new window if the document exists on the data share on the local server or B) 
if the PDF document does not exist on the data share of the local server 
retrieve it from the 3rd party master data store on the Internet and add 
(write) it to the data share of the local server and then display it in a new 
window.
 
The concern is to ensure that only PDF documents from that 3rd party master 
data store on the Internet can be added (written) to the data share of the 
local server since the anonymous user for the site will have write permission 
for that directory.
 
What can be done on the ISA server to prevent writing to the data share except 
for PDF documents from that 3rd party master data store?
 
John T
eServices For You
 
"Seek, and ye shall find!"


  

All mail to and from this domain is GFI-scanned. 
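
Added example, not part of the thread and not code from any of the posters: in the design Thor describes, the "process" job is handed a URL by the IIS user and the ISA rule limits it to the approved host. The code below shows the same restrictions enforced inside the download job itself (approved host only, PDF content only, create-only write to the share). The host name, the HTTPS-only policy, the size cap and the function names are assumptions; the HTTP fetch is left to the caller, which passes in the downloaded bytes.

```python
import os
import re
from urllib.parse import urlsplit

# Assumed values, not from the thread: host name, HTTPS-only policy, size cap.
APPROVED_HOST = "datasheets.example.com"  # placeholder for the 3rd party data store
MAX_BYTES = 20 * 1024 * 1024
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,99}\.pdf", re.IGNORECASE)


class Rejected(ValueError):
    """The request or the downloaded content failed a check."""


def pdf_name(url):
    """Validate the URL passed in by the web tier; return the bare file name."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        raise Rejected("malformed URL")
    if parts.scheme != "https" or port not in (None, 443):
        raise Rejected("scheme or port not allowed")
    # .hostname excludes userinfo, so "approved-host@other-host" does not match
    if host != APPROVED_HOST or parts.username is not None:
        raise Rejected("host not approved")
    name = parts.path.rsplit("/", 1)[-1]
    # fullmatch rejects %-encoding, backslashes, ':' and anything not ending .pdf
    if not SAFE_NAME.fullmatch(name):
        raise Rejected("file name not allowed")
    return name.lower()


def store_pdf(url, body, share_dir):
    """Write body into share_dir only if the URL is approved and body is a PDF."""
    name = pdf_name(url)
    if len(body) > MAX_BYTES or not body.startswith(b"%PDF-"):
        raise Rejected("content is not an acceptable PDF")
    path = os.path.join(share_dir, name)
    try:
        # "x" mode: create only, never overwrite a data sheet already on the share
        with open(path, "xb") as fh:
            fh.write(body)
    except FileExistsError:
        raise Rejected("already on the share")
    return path
```

These checks complement the ISA access rule and the NTFS permissions described in the thread; they do not replace them.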
