[isapros] Re: How to on ISA 2006

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>,<isapros@xxxxxxxxxxxxx>
  • Date: Sat, 23 Sep 2006 06:34:31 -0700

Maybe I missed something, but how and where does ISA or IIS validate the 
original source of content delivered by a user?  Remember: the source & 
destination servers have no direct knowledge of each other.

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Fri 9/22/2006 10:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006


It's John though, so let's give this one a go...

We've got an internal server that needs to download content on demand and write 
it to a shared folder for internal use.  Only this "process" should have write 
access to the share (everyone else is read only), and only the PDFs from the 
trusted host should be written. 

There are administrative questions I have in general that don't speak to 
solving the problem, but I've got to ask them:


1.      what happens if a PDF gets updated by the main server?  How will the 
"new" content be downloaded? 
2.      why store the content locally in the first place when the client can dl 
it right from the source? 
3.      Why not just get a DVD of the PDFs from the source?


[So, let's ignore those for now..]

Jim skipped over some steps in his answer, but yes, ISA can't determine the 
original source of a document that someone may want to upload to a share once 
they've got it on the local host.  But we may be able to combine some 
mechanisms to arrive at a solution.

Obviously, the main threat is that the current config allows IIS' anonymous 
access user to write to a shared directory.  An attacker could leverage this to 
upload malicious content to the server and own assets.  So, the "download 
process" should be separated from the "anonymous user" context. 

Set up two users:  one for the IIS anonymous user, and one for the download 
process.  The IIS user has READ rights only to the directory and explicit deny 
WRITE rights.  The download process has WRITE only rights to the directory.  
Both users explicitly have DENY EXECUTE rights. 

Client user requests PDF that does not exist.  IIS user calls to RUNAS job 
under creds of "process" job, passing it the URL for the file. The process user 
calls for a download of the PDF.  From an ISA standpoint, there is an access 
rule that allows the "process" user to download PDF content from only the 
internet host system, followed by a DENY ALL rule for that user to cover 
anything else.  The process writes the file to the shared directory.  The IIS 
user can then pass the file to the client user with READ rights.

This way, the IIS user can only READ, and the "process" user can only WRITE, 
and neither can EXECUTE.   ISA can limit what the "process" user can download 
and from where, and you don't have to worry about exploits against the IIS 
user.  Even if the IIS user is compromised and the "process" user's creds 
exposed, the attacker could only download PDFs from the approved host.  
Further, you can use Group Policy to explicitly deny network access to the rest 
of the network for the "process" user as you will know that all of that user's 
access is local to the IIS box, and this gives you added security.  Same for 
the IIS user.

Is this along the lines of the solution you were looking for?

t




On 9/21/06 9:18 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:



        There is no way for ISA to determine the original source of content 
(regardless of file type) delivered via an HTTP stream.  A file JoeBobAlooba 
sends you from his desktop looks exactly the same as one he pulled 
from a remote share.  Unless the server / client applications define it in some 
way, there is no such context as "file properties" or "originator" in HTTP 
other than a "referer" header, and this only refers to the site that sent 
JoeBobAlooba to your site.
        Even then, there is no way to define "block all except" in HTTP 
signatures - it's "block this" only.

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx on behalf of John T (Lists)
        Sent: Thu 9/21/2006 6:18 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: How to on ISA 2006
        
        ASP. Website is on an internal server. ISA is ISA only.
        
        
        John T
        eServices For You
        
        "Seek, and ye shall find!"
        
        
        -----Original Message-----
        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Thursday, September 21, 2006 4:29 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: How to on ISA 2006
        
        Can you give more information about the process doing the downloading? 
.NET or ASP based?  The ISA box is not the same box, right? 
        
        t
        
        
        On 9/21/06 1:03 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> 
spoketh to all:
        This is a new one for me but I am sure ISA can do this but I need 
pointers in the direction of how to.
         
        Internal server is running IIS 6.0 on Windows 2003 Standard server. IIS 
anonymous user is a domain account properly configured.
         
        There will be a function of a sub-site of the company website (forced 
SSL) that will return and display information as a result set for a part 
search. Part of that displayed information will be a web button displayed that 
if there is a PDF document available for specs for that part will either A) 
open the PDF in a new window if the document exists on the data share on the 
local server or B) if the PDF document does not exist on the data share of the 
local server retrieve it from the 3rd party master data store on the Internet 
and add (write) it to the data share of the local server and then display it in 
a new window.
         
        The concern is to ensure that only PDF documents from that 3rd party 
master data store on the Internet can be added (written) to the data share of 
the local server since the anonymous user for the site will have write 
permission for that directory.
         
        What can be done on the ISA server to prevent writing to the data share 
except for PDF documents from that 3rd party master data store?
         
        John T
        eServices For You
         
        "Seek, and ye shall find!"
        
        
          

        All mail to and from this domain is GFI-scanned. 

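The NTFS side of the two-account layout Thor describes (IIS anonymous user read only with explicit deny write and execute; download "process" user write only with explicit deny execute), as an added example that is not part of the thread. The share path and the two account names are assumptions; the ISA access rules and the Group Policy network deny are configured separately and are not shown here.

```powershell
# Added example (not code from the thread). Account names and share path are
# assumed placeholders; replace them with your own.
$Share    = 'D:\Data\PDF'
$IisUser  = 'CORP\svc-iis-anon'     # IIS anonymous domain account (assumed)
$ProcUser = 'CORP\svc-pdf-fetch'    # account the RUNAS download job uses (assumed)

# Rules applied to the folder, its subfolders and files.
$all     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
# Rules applied to files only (execute on a folder means "traverse", which
# is not what we want to deny).
$files   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$onlyInh = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-FsRule {
    param([string]$Identity, [string]$Rights, [string]$Type, $Inherit, $Prop)
    # $Rights is a comma-separated FileSystemRights list; $Type is Allow or Deny.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $Inherit, $Prop,
        [System.Security.AccessControl.AccessControlType]$Type)
}

$acl = Get-Acl -Path $Share
# Break inheritance without copying parent ACEs, so an inherited Modify or
# Full Control grant cannot quietly re-add write or execute rights.
$acl.SetAccessRuleProtection($true, $false)

# IIS anonymous user: read/list only; explicit Deny on write and on file execute.
$acl.AddAccessRule((New-FsRule $IisUser 'Read'        'Allow' $all   $noProp))
$acl.AddAccessRule((New-FsRule $IisUser 'Write'       'Deny'  $all   $noProp))
$acl.AddAccessRule((New-FsRule $IisUser 'ExecuteFile' 'Deny'  $files $onlyInh))

# Download process user: write only. Synchronize is required to open a handle
# for writing; no Read grant, so it cannot enumerate or serve what is there.
$acl.AddAccessRule((New-FsRule $ProcUser 'Write, Synchronize' 'Allow' $all   $noProp))
$acl.AddAccessRule((New-FsRule $ProcUser 'ExecuteFile'        'Deny'  $files $onlyInh))

Set-Acl -Path $Share -AclObject $acl

# Verify: list the explicit ACEs that now apply to the two accounts.
(Get-Acl -Path $Share).Access |
    Where-Object { $_.IdentityReference.Value -eq $IisUser -or
                   $_.IdentityReference.Value -eq $ProcUser } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Run it from an elevated prompt on the IIS box; Deny ACEs are evaluated before Allow ACEs, so the explicit denies hold even if a later change grants the accounts broader rights through group membership.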