[isapros] Re: How to on ISA 2006

  • From: "John T \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 23 Sep 2006 09:19:32 -0700

The downloaded (retrieved) content from the 3rd party data store is not done
by the user, but by a process on the web server.
The Internet user initiates one process through the website directly on the
web server. That process will launch a second process to retrieve the
requested PDF from the 3rd party data store if and only if the requested PDF
is not already in the local data share. The end user has no control over the
retrieval from the 3rd party site. They are simply requesting display of the
data sheet but they do not know where it is coming from.
John T

eServices For You

"Seek, and ye shall find!"

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Saturday, September 23, 2006 6:35 AM
To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006
Maybe I missed something, but how and where does ISA or IIS validate the
original source of content delivered by user?  Remember; the source &
destination servers have no direct knowledge of each other.
From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Fri 9/22/2006 10:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

It's John though, so let's give this one a go...

We've got an internal server that needs to download content on demand and
write it to a shared folder for internal use.  Only this "process" should
have write access to the share (everyone else is read only), and only the
PDF's from the trusted host should be written. 

There are administrative questions I have in general that don't speak to
solving the problem, but I've got to ask them:

1. What happens if a PDF gets updated by the main server? How will the
"new" content be downloaded?
2. Why store the content locally in the first place when the client can
dl it right from the source?
3. Why not just get a DVD of the PDF's from the source?


[So, let's ignore those for now..]

Jim skipped over some steps in his answer, but yes, ISA can't determine the
original source of a document that someone may want to upload to a share
once they've got it on the local host.  But we may be able to combine some
mechanisms to arrive at a solution.

Obviously, the main threat is that the current config allows IIS' anonymous
access user to write to a shared directory.  An attacker could leverage this
to upload malicious content to the server and own assets.  So, the "download
process" should be separated from the "anonymous user" context. 

Set up two users:  one for the IIS anonymous user, and one for the download
process.  The IIS user has READ rights only to the directory and explicit
deny WRITE rights.  The download process has WRITE only rights to the
directory.  Both users explicitly have DENY EXECUTE rights. 

Client user requests PDF that does not exist.  IIS user calls to RUNAS job
under creds of "process" job, passing it the URL for the file. The process
user calls for a download of the PDF.  From an ISA standpoint, there is an
access rule that allows the "process" user to download PDF content from only
the internet host system, followed by a DENY ALL rule for that user to cover
anything else.  The process writes the file to the shared directory.  The
IIS user can then pass the file to the client user with READ rights.

This way, the IIS user can only READ, and the "process" user can only WRITE,
and neither can EXECUTE.   ISA can limit what the "process" user can
download and from where, and you don't have to worry about exploits against
the IIS user.  Even if the IIS user is compromised and the "process" user's
creds exposed, the attacker could only download PDF's from the approved
host.  Further, you can use Group Policy to explicitly deny network access
to the rest of the network for the "process" user as you will know that all
of that user's access is local to the IIS box, and this gives you added
security.  Same for the IIS user.

Is this along the lines of the solution you were looking for?

t
On 9/21/06 9:18 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

There is no way for ISA to determine the original source of content
(regardless of file type) delivered via an HTTP stream.  A file JoeBobAlooba
sends you from his desktop looks exactly the same as one he pulled
from a remote share.  Unless the server / client applications define it in
some way, there is no such context as "file properties" or "originator" in
HTTP other than a "referer" header and this only refers to the site that
sent JoeBobAlooba to your site.
Even then, there is no way to define "block all except" in HTTP signatures -
it's "block this" only.
From: isapros-bounce@xxxxxxxxxxxxx on behalf of John T (Lists)
Sent: Thu 9/21/2006 6:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

ASP. Website is on an internal server. ISA is ISA only.


John T
eServices For You

"Seek, and ye shall find!"


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Thor (Hammer of God)
Sent: Thursday, September 21, 2006 4:29 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: How to on ISA 2006

Can you give more information about the process doing the downloading? .NET
or ASP based?  The ISA box is not the same box, right? 

t


On 9/21/06 1:03 PM, "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> spoketh
to all:
This is a new one for me but I am sure ISA can do this but I need pointers
in the direction of how to.
Internal server is running IIS 6.0 on Windows 2003 Standard server. IIS
anonymous user is a domain account properly configured.
There will be a function of a sub-site of the company website (forced SSL)
that will return and display information as a result set for a part search.
Part of that displayed information will be a web button displayed that if
there is a PDF document available for specs for that part will either A)
open the PDF in a new window if the document exists on the data share on the
local server or B) if the PDF document does not exist on the data share of
the local server retrieve it from the 3rd party master data store on the
Internet and add (write) it to the data share of the local server and then
display it in a new window.
The concern is to ensure that only PDF documents from that 3rd party master
data store on the Internet can be added (written) to the data share of the
local server since the anonymous user for the site will have write
permission for that directory.
What can be done on the ISA server to prevent writing to the data share
except for PDF documents from that 3rd party master data store?
John T
eServices For You
"Seek, and ye shall find!"

All mail to and from this domain is GFI-scanned.