The downloaded (retrieved) content from the 3rd party data store is not done by the user, but by a process on the web server. The Internet user initiates one process through the website directly on the web server. That process will launch a second process to retrieve the requested PDF from the 3rd party data store if and only if the requested PDF is not already in the local data share. The end user has no control over the retrieval from the 3rd party site. They are simply requesting display of the data sheet, but they do not know where it is coming from.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, September 23, 2006 6:35 AM
To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

Maybe I missed something, but how and where does ISA or IIS validate the original source of content delivered by user? Remember: the source & destination servers have no direct knowledge of each other.

_____
From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Fri 9/22/2006 10:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

It's John though, so let's give this one a go...

We've got an internal server that needs to download content on demand and write it to a shared folder for internal use. Only this "process" should have write access to the share (everyone else is read only), and only the PDFs from the trusted host should be written. There are administrative questions I have in general that don't speak to solving the problem, but I've got to ask them:

1. What happens if a PDF gets updated by the main server? How will the "new" content be downloaded?
2. Why store the content locally in the first place when the client can dl it right from the source?
3. Why not just get a DVD of the PDFs from the source?

[So, let's ignore those for now..]
Jim skipped over some steps in his answer, but yes, ISA can't determine the original source of a document that someone may want to upload to a share once they've got it on the local host. But we may be able to combine some mechanisms to arrive at a solution.

Obviously, the main threat is that the current config allows IIS' anonymous access user to write to a shared directory. An attacker could leverage this to upload malicious content to the server and own assets. So, the "download process" should be separated from the "anonymous user" context.

Set up two users: one for the IIS anonymous user, and one for the download process. The IIS user has READ rights only to the directory and explicit deny WRITE rights. The download process has WRITE only rights to the directory. Both users explicitly have DENY EXECUTE rights.

Client user requests PDF that does not exist. IIS user calls to RUNAS job under creds of "process" job, passing it the URL for the file. The process user calls for a download of the PDF. From an ISA standpoint, there is an access rule that allows the "process" user to download PDF content from only the internet host system, followed by a DENY ALL rule for that user to cover anything else. The process writes the file to the shared directory. The IIS user can then pass the file to the client user with READ rights.

This way, the IIS user can only READ, and the "process" user can only WRITE, and neither can EXECUTE. ISA can limit what the "process" user can download and from where, and you don't have to worry about exploits against the IIS user. Even if the IIS user is compromised and the "process" user's creds exposed, the attacker could only download PDFs from the approved host. Further, you can use Group Policy to explicitly deny network access to the rest of the network for the "process" user as you will know that all of that user's access is local to the IIS box, and this gives you added security. Same for the IIS user.
Is this along the lines of the solution you were looking for?

t

On 9/21/06 9:18 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

There is no way for ISA to determine the original source of content (regardless of file type) delivered via an HTTP stream. A file JoeBobAlooba sends you from his desktop looks exactly the same as one he pulled from a remote share. Unless the server / client applications define it in some way, there is no such context as "file properties" or "originator" in HTTP other than a "referer" header, and this only refers to the site that sent JoeBobAlooba to your site. Even then, there is no way to define "block all except" in HTTP signatures - it's "block this" only.

_____
From: isapros-bounce@xxxxxxxxxxxxx on behalf of John T (Lists)
Sent: Thu 9/21/2006 6:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

ASP. Website is on an internal server. ISA is ISA only.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, September 21, 2006 4:29 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

Can you give more information about the process doing the downloading? .NET or ASP based? The ISA box is not the same box, right?

t

On 9/21/06 1:03 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> spoketh to all:

This is a new one for me, but I am sure ISA can do this; I need pointers in the direction of how to. Internal server is running IIS 6.0 on Windows 2003 Standard server. IIS anonymous user is a domain account properly configured. There will be a function of a sub-site of the company website (forced SSL) that will return and display information as a result set for a part search.
Part of that displayed information will be a web button displayed that, if there is a PDF document available for specs for that part, will either A) open the PDF in a new window if the document exists on the data share on the local server, or B) if the PDF document does not exist on the data share of the local server, retrieve it from the 3rd party master data store on the Internet, add (write) it to the data share of the local server and then display it in a new window.

The concern is to ensure that only PDF documents from that 3rd party master data store on the Internet can be added (written) to the data share of the local server since the anonymous user for the site will have write permission for that directory. What can be done on the ISA server to prevent writing to the data share except for PDF documents from that 3rd party master data store?

John T
eServices For You
"Seek, and ye shall find!"

All mail to and from this domain is GFI-scanned.
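The account and ACL split that Thor proposes for the PDF data share, as an added example that is not code from the thread: the share path and the two domain account names are placeholders, the .NET FileSystemAccessRule API is used to set the explicit ACEs, and the RUNAS job plus the ISA access and deny rules are configured separately and not shown here.

```powershell
# Added example (not from the thread): IIS anonymous user gets READ only with explicit DENY on
# WRITE and EXECUTE; the download process account gets WRITE only with explicit DENY on EXECUTE.
$Share       = 'D:\PdfShare'          # assumed path of the local data share
$IisUser     = 'CORP\svc-iis-anon'    # assumed IIS anonymous user (domain account)
$ProcessUser = 'CORP\svc-pdf-fetch'   # assumed account the RUNAS download job runs under

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-ShareRule([string]$Identity, [string]$Rights, [string]$Type) {
    # One explicit ACE that applies to the folder and to every file and subfolder beneath it
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $inherit, $propagate,
        [System.Security.AccessControl.AccessControlType]$Type)
}

$acl = Get-Acl -Path $Share
# Stop inheriting from the parent so the only ACEs on the share are the ones set below
$acl.SetAccessRuleProtection($true, $false)
# Keep administrators able to manage the folder (assumed; without it the folder is orphaned)
$acl.AddAccessRule((New-ShareRule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
# Everyone else is read only, as Thor's message requires
$acl.AddAccessRule((New-ShareRule 'NT AUTHORITY\Authenticated Users' 'Read' 'Allow'))
# IIS anonymous user: READ, explicit DENY on WRITE and on EXECUTE
$acl.AddAccessRule((New-ShareRule $IisUser 'Read'        'Allow'))
$acl.AddAccessRule((New-ShareRule $IisUser 'Write'       'Deny'))
$acl.AddAccessRule((New-ShareRule $IisUser 'ExecuteFile' 'Deny'))
# Download process: WRITE (create/append files) only, explicit DENY on EXECUTE
$acl.AddAccessRule((New-ShareRule $ProcessUser 'Write'       'Allow'))
$acl.AddAccessRule((New-ShareRule $ProcessUser 'ExecuteFile' 'Deny'))
Set-Acl -Path $Share -AclObject $acl

# Read the ACL back and confirm the two service accounts hold only the intended rights
(Get-Acl -Path $Share).Access |
    Where-Object { @($IisUser, $ProcessUser) -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize
```

The deny ACEs are evaluated before the allow ACEs, so a group membership that would otherwise grant the IIS user write access does not override them.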