Programmatically Administering the Directory Security Property Sheet

Using the Directory Security properties of IIS, as shown in Figure 9.12, you can designate the authentication method(s) employed for the site as well as its SSL usage parameters, and even restrict which IP addresses and domains will have access to the file resources of the site.

Administrators who assign permissions to files and directories in the file system (rather than allowing the default Everyone: Full Control NTFS permissions to remain) will undoubtedly agree that proper file and directory permissioning is an extremely tedious process. After the permissions on the directories have been assigned, access control is governed by membership in NT security groups.

Figure 9.12. Default Web Site Properties Configuration dialog box, Directory Security tab.

In large distributed environments, this process becomes even more tedious; the engineers, architects, and developers creating these solution architectures are often dependent upon another group to bring their work into reality. Such an environment requires detailed planning, many hours in a laboratory environment, and, of course, excellent documentation.

An alternative to this is to spend time in the laboratory creating a script, which, upon completion, can be easily sent to anyone in the enterprise and executed using the procedure you refined in the lab.

Authentication Methods

When it comes to IIS, there is an extremely tight coupling between NTFS permissions and the IIS authentication method used to verify user credentials. Any developer expecting a flawless implementation of their latest Web application should carefully consider creating an IIS deployment package. By combining a CACLS script with the authentication control features in ADSI, implementation of a new Web application becomes more reliable and significantly less tedious.

As shown in Figure 9.13, IIS provides a graphical user interface within the Internet Service Manager to manipulate the authentication methods used for a resource. Using the AuthAnonymous, AuthBasic, AuthNTLM, and AuthFlags properties, you can programmatically manipulate the authentication method configuration.

Figure 9.13. Authentication Methods dialog box.

Using these properties, you can enable multiple authentication methods for any given resource. When anonymous access is enabled, IIS will try to use the anonymous account before attempting to use client credentials. If the anonymous account is not authorized to access the requested resource and basic authentication is enabled on the resource, IIS will prompt the user to enter a set of credentials authorized to access the resource.

Using NTLM, if the client's installation of Internet Explorer is configured to supply credentials automatically, the user's credentials will automatically be examined to determine whether they will allow access to the resource. If not, the user is prompted for a set of credentials authorized to access the resource.

Note

In environments where either Internet Explorer or Netscape Navigator (or another browser) is used, you should enable both the basic and NTLM authentication methods when securing a resource to assure compatibility with all major browser types. By default, Internet Explorer will attempt NTLM authentication before prompting the user for credentials to be passed using the basic authentication method.


Querying Authentication Methods Used for a Given Resource Using Visual Basic

To find which authentication method is in place for a particular resource, use the following Visual Basic code:

    Dim Resource As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ' Site_Index_Value is a placeholder for the numeric site instance (1 is the Default Web Site)
    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value

    Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

    Debug.Print "Authentication Methods for " & Resource.AdsPath & ":"
    Debug.Print ""
    Debug.Print "Anonymous Access:" & vbTab & vbTab & Resource.AuthAnonymous
    If Resource.AuthAnonymous = True Then
        Debug.Print vbTab & "Anonymous User Account Name:" & vbTab & vbTab & vbTab & vbTab & _
            Resource.AnonymousUsername
        Debug.Print vbTab & "Anonymous User Account Password:" & vbTab & vbTab & vbTab & _
            Resource.AnonymousUserPass
        Debug.Print vbTab & "Anonymous User Password Synchronization:" & vbTab & _
            Resource.AnonymousPasswordSync
    End If
    Debug.Print "Basic Authentication:" & vbTab & Resource.AuthBasic
    If Resource.AuthBasic = True Then
        Debug.Print vbTab & "Default Authentication Domain: " & vbTab & vbTab & vbTab & vbTab & _
            Resource.DefaultLogonDomain
    End If
    Debug.Print "NTLM Authentication:" & vbTab & Resource.AuthNTLM

Anonymous Access

To use anonymous access for a directory, you must also assign a username and password to be used to access the directory. To do this, you can modify the AnonymousUserName, AnonymousUserPass, and AnonymousPasswordSync properties, as shown in Figure 9.14.

Figure 9.14. Anonymous User Account configuration dialog box.

Enabling Anonymous Access Using Visual Basic

To allow anonymous access for a given resource, use the following Visual Basic code:

    Dim Resource As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim EnableAnonymousAccess As Boolean
    Dim AnonUserName As String
    Dim AnonUserPassword As String
    Dim AnonPasswordSync As Boolean

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    EnableAnonymousAccess = True
    AnonUserName = "Username_for_Anonymous_Access"
    AnonUserPassword = "Password_for_Anonymous_Access_Account"
    AnonPasswordSync = True

    Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")
    Resource.AuthAnonymous = EnableAnonymousAccess
    Resource.AnonymousUsername = AnonUserName
    Resource.AnonymousUserPass = AnonUserPassword
    Resource.AnonymousPasswordSync = AnonPasswordSync
    Resource.SetInfo    ' nothing is written to the metabase until SetInfo is called

Basic Authentication

If you must allow non-Microsoft browsers to view your site, you have no choice but to use basic authentication to secure the site. In this authentication method, the password is passed in clear text across the wire, making this a poor choice for any high security site unless SSL is used in conjunction with the basic authentication method.

As shown in Figure 9.15, in this authentication method, you can define the default domain used for authentication if the user does not specify the domain associated with the user account. Programmatically, the default domain is set using the DefaultLogonDomain property.

Figure 9.15. Basic Authentication Domain dialog box.

Enabling Basic Authentication Using Visual Basic

To enable basic authentication for a given resource, use the following Visual Basic code:

    Dim Resource As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim EnableBasicAuth As Boolean
    Dim DefaultLogonDomain As String

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    EnableBasicAuth = True
    DefaultLogonDomain = "Domain_Used_for_Authentication"

    Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")
    Resource.AuthBasic = EnableBasicAuth
    Resource.DefaultLogonDomain = DefaultLogonDomain
    Resource.SetInfo

NTLM Authentication

If your enterprise has chosen Internet Explorer as the browser of choice for the organization, you should implement the NTLM authentication method for all intranet sites. In addition to eliminating the need to transmit the password across the wire in clear text, NTLM authentication also allows credentials to be presented without user intervention.

Enabling NTLM Authentication Using Visual Basic

To enable the use of the NTLM authentication method for a given resource, use the following Visual Basic code:

    Dim Resource As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim EnableNTLMAuth As Boolean

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    EnableNTLMAuth = True

    Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")
    Resource.AuthNTLM = EnableNTLMAuth
    Resource.SetInfo

Secure Communications

After installing an SSL certificate using Key Manager, you can assign the key to various resources and define the client authentication behavior using programmatic methods, as shown in Figure 9.16.

Figure 9.16. Default Web Site Properties Configuration dialog box, Directory Security tab (SSL Certificate Installed).

Among these options, you can require that a particular site accepts requests only across a secure channel. Additionally, you can specify that all requests to a resource are restricted to 128-bit encryption.

If clients have X.509 certificates, IIS can map NT usernames to the client certificate to assure the identity of the user. To map users to X.509 certificates, you must perform this action in the MMC. Although you cannot easily map user accounts to X.509 certificates using ADSI, you can specify the default behavior (accept, deny, require) of client certificates for the resource, as shown in Figure 9.17.

Figure 9.17. Secure Communications dialog box.

Querying Secure Communication Configuration Using Visual Basic

Using the following Visual Basic code, each SSL property for a given resource can be displayed:

    Dim Resource As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value

    Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

    Debug.Print "Require SSL:" & vbTab & vbTab & vbTab & vbTab & vbTab & vbTab & vbTab & _
        Resource.AccessSSL
    Debug.Print "Require 128-bit SSL:" & vbTab & vbTab & vbTab & vbTab & vbTab & _
        Resource.AccessSSL128
    Debug.Print "Map Client Certificates to NT UserIDs:" & vbTab & vbTab & _
        Resource.AccessSSLMapCert
    Debug.Print "Negotiate Client Certificates:" & vbTab & vbTab & vbTab & _
        Resource.AccessSSLNegotiateCert
    Debug.Print "Require Client Certificates:" & vbTab & vbTab & vbTab & vbTab & _
        Resource.AccessSSLRequireCert

Setting New Secure Communication Configuration Using Visual Basic

Using the following Visual Basic code, each available SSL property is manipulated:

    Dim Resource As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value

    Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")
    Resource.AccessSSL = True
    Resource.AccessSSL128 = True
    Resource.AccessSSLMapCert = True
    Resource.AccessSSLNegotiateCert = True
    Resource.AccessSSLRequireCert = True
    Resource.SetInfo

To re-create the behavior of the ISM dialog box, use Table 9.5.

Table 9.5. ISM Settings and Property Assignments

    ISM Setting                                          Property Assignments
    ---------------------------------------------------  ------------------------------
    Require secure channel when accessing this resource  AccessSSL = True
    Require 128-bit encryption                           AccessSSL128 = True
    Do not accept client certificates                    AccessSSLNegotiateCert = False
    Accept certificates                                  AccessSSLNegotiateCert = True
    Require client certificates                          AccessSSL = True
                                                         AccessSSLNegotiateCert = True
                                                         AccessSSLRequireCert = True
    Enable client certificate mapping                    AccessSSLMapCert = True
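The query scripts above read the authentication and SSL properties one at a time but leave it to the reader to judge the combination. The following Python example, added here and not part of the book, evaluates a snapshot of those same property values offline and flags the combinations the Authentication Methods and Basic Authentication sections warn about (basic authentication without AccessSSL) or that Table 9.5 shows to be inconsistent (Require client certificates without AccessSSL and AccessSSLNegotiateCert). The DirectorySecurity class, the audit rules and the sample values are the example's own; the AuthFlags bit values (anonymous 1, basic 2, NTLM 4) are the IIS metabase values for the AuthFlags property named on this page.

```python
"""Offline checks of IIS Directory Security property values (added example, not the book's code).

Nothing here calls ADSI: a DirectorySecurity instance holds the values a query
script would have read from a site or virtual directory, and audit() reports
the risky or inconsistent combinations.
"""
from dataclasses import dataclass
from typing import List

# Bit values of the IIS metabase AuthFlags property.
AUTH_ANONYMOUS = 0x1
AUTH_BASIC = 0x2
AUTH_NTLM = 0x4


@dataclass
class DirectorySecurity:
    """One resource's settings, named after the ADSI properties on this page (example class)."""
    auth_anonymous: bool = False
    auth_basic: bool = False
    auth_ntlm: bool = False
    access_ssl: bool = False
    access_ssl128: bool = False
    access_ssl_negotiate_cert: bool = False
    access_ssl_require_cert: bool = False
    access_ssl_map_cert: bool = False


def auth_flags(cfg: DirectorySecurity) -> int:
    """Combine the three boolean properties into the AuthFlags bitmask."""
    flags = 0
    if cfg.auth_anonymous:
        flags |= AUTH_ANONYMOUS
    if cfg.auth_basic:
        flags |= AUTH_BASIC
    if cfg.auth_ntlm:
        flags |= AUTH_NTLM
    return flags


def auth_methods(flags: int) -> List[str]:
    """Decode AuthFlags into method names, in the order the page describes them being tried."""
    names = []
    if flags & AUTH_ANONYMOUS:
        names.append("anonymous")  # IIS tries the anonymous account before client credentials
    if flags & AUTH_NTLM:
        names.append("ntlm")       # Internet Explorer attempts NTLM before falling back to basic
    if flags & AUTH_BASIC:
        names.append("basic")
    return names


def client_cert_setting(cfg: DirectorySecurity) -> str:
    """Map the AccessSSL* properties back to the ISM client-certificate option of Table 9.5."""
    if cfg.access_ssl_require_cert:
        return "Require client certificates"
    if cfg.access_ssl_negotiate_cert:
        return "Accept certificates"
    return "Do not accept client certificates"


def audit(cfg: DirectorySecurity) -> List[str]:
    """Return findings for a configuration; an empty list means nothing looked wrong."""
    findings = []
    if not auth_methods(auth_flags(cfg)):
        findings.append("no authentication method enabled; no client can be authenticated")
    if cfg.auth_basic and not cfg.access_ssl:
        findings.append("basic authentication without AccessSSL: passwords cross the wire in clear text")
    if cfg.access_ssl128 and not cfg.access_ssl:
        findings.append("AccessSSL128 set without AccessSSL: no secure channel is required at all")
    if cfg.access_ssl_require_cert and not (cfg.access_ssl and cfg.access_ssl_negotiate_cert):
        findings.append("AccessSSLRequireCert needs AccessSSL and AccessSSLNegotiateCert (Table 9.5)")
    if cfg.access_ssl_map_cert and not cfg.access_ssl_negotiate_cert:
        findings.append("AccessSSLMapCert set but certificates are never requested; mapping cannot apply")
    return findings


# Constructed sample: anonymous plus basic authentication, 128-bit flag set but no SSL required.
SAMPLE = DirectorySecurity(auth_anonymous=True, auth_basic=True, access_ssl128=True)

if __name__ == "__main__":
    flags = auth_flags(SAMPLE)
    print("AuthFlags =", flags, auth_methods(flags))
    print("Client certificates:", client_cert_setting(SAMPLE))
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run against a configuration exported from several sites, audit() turns the per-property Debug.Print listing into a short list of items to correct before deployment.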

Restricting Access by IP Address

Using IP address restrictions, you can ensure that certain clients do not access a particular resource. To perform this task, you can configure IIS to reject any client whose source IP address matches the address ranges configured in the IPSecurity property, as shown in Figure 9.18.

Figure 9.18. IP Address and Domain Name Restrictions dialog box.

Although you can also configure IIS to limit access by DNS domain, Microsoft strongly advises against this access control method because reverse DNS lookup is required for each request. If at all possible, this method should be avoided to eliminate the significant performance penalties incurred by these queries.

IP security requires building an array of IP addresses that is then assigned to one of the properties of the IPSecurity object listed in Table 9.6.

Table 9.6. IPSecurity Object Properties and Descriptions

    Property     Description
    -----------  -----------------------------------------------------------------------
    IPGrant      Array of IP addresses granted access, stored as a variant array of
                 strings in the format "IPAddress, Subnet Mask"
    IPDeny       Array of IP addresses denied access, stored as a variant array of
                 strings in the format "IPAddress, Subnet Mask"
    DomainGrant  Array of strings representing DNS domains granted access to resources
    DomainDeny   Array of strings representing DNS domains denied access to resources

Querying IP Address Restrictions Using Visual Basic

To find the current IP address and DNS domain restrictions effective for a particular site, use the following Visual Basic code:

    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim IPSecurity As Variant
    Dim Entry As Variant

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value

    Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")
    Set IPSecurity = Site.IPSecurity

    ' A subnet mask of 255.255.255.255 marks a single-host entry
    If IPSecurity.GrantByDefault Then
        Debug.Print "All addresses will be allowed, except as follows:"
        For Each Entry In IPSecurity.IPDeny
            If InStr(1, Entry, "255.255.255.255") Then
                Debug.Print vbTab & "Denied IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
            Else
                Debug.Print vbTab & "Denied Subnet: " & vbTab & Entry
            End If
        Next
        For Each Entry In IPSecurity.DomainDeny
            Debug.Print vbTab & "Denied Domain: " & vbTab & Entry
        Next
    Else
        Debug.Print "All addresses will be blocked, except as follows:"
        For Each Entry In IPSecurity.IPGrant
            If InStr(1, Entry, "255.255.255.255") Then
                Debug.Print vbTab & "Allowed IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
            Else
                Debug.Print vbTab & "Allowed Subnet: " & vbTab & Entry
            End If
        Next
        For Each Entry In IPSecurity.DomainGrant
            Debug.Print vbTab & "Allowed Domain: " & vbTab & Entry
        Next
    End If

Setting New IP Address Restrictions Using Visual Basic

To create a new IP address or DNS domain restriction programmatically, use the following Visual Basic code:

    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim IPSecurity As Variant
    Dim IPAddress As String
    Dim IPSubnet As String
    Dim Domain As String
    Dim ActionType As String

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    IPAddress = "xxx.xxx.xxx.xxx"
    IPSubnet = "xxx.xxx.xxx.xxx"
    Domain = "DNS_Domain.Name"

    ' Leave exactly one ActionType assignment uncommented
    ActionType = "GRANTIP"
    'ActionType = "GRANTSUBNET"
    'ActionType = "GRANTDOMAIN"
    'ActionType = "DENYIP"
    'ActionType = "DENYSUBNET"
    'ActionType = "DENYDOMAIN"

    Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")
    Set IPSecurity = Site.IPSecurity

    ' Assigning Array(...) replaces whatever the list property held before
    Select Case ActionType
        Case "GRANTIP"
            IPSecurity.GrantByDefault = False
            IPSecurity.IPGrant = Array(IPAddress & ", 255.255.255.255")
        Case "GRANTSUBNET"
            IPSecurity.GrantByDefault = False
            IPSecurity.IPGrant = Array(IPAddress & ", " & IPSubnet)
        Case "GRANTDOMAIN"
            IPSecurity.GrantByDefault = False
            IPSecurity.DomainGrant = Array(Domain)
        Case "DENYIP"
            IPSecurity.GrantByDefault = True
            IPSecurity.IPDeny = Array(IPAddress & ", 255.255.255.255")
        Case "DENYSUBNET"
            IPSecurity.GrantByDefault = True
            IPSecurity.IPDeny = Array(IPAddress & ", " & IPSubnet)
        Case "DENYDOMAIN"
            IPSecurity.GrantByDefault = True
            IPSecurity.DomainDeny = Array(Domain)
    End Select

    ' Write the modified IPSecurity object back and commit it to the metabase
    Site.IPSecurity = IPSecurity
    Site.SetInfo

Note

To set a new IP address restriction, simply uncomment the desired ActionType variable assignment and verify that all associated variables have been assigned.
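The scripts above show how to read and write the IPSecurity lists, but not how IIS combines GrantByDefault with the entries of Table 9.6 to reach a verdict for a given client. The following Python example, added here and not part of the book, models that decision offline: it parses the "IPAddress, Subnet Mask" string format, treats a 255.255.255.255 mask as a single host, matches DomainGrant/DomainDeny entries against the client's reverse-DNS name, and adds an append-style helper because the Array(...) assignments in the Visual Basic above replace whatever the list property held before. The IPSecurity class, the "*." handling in domain_matches and the sample values are the example's own assumptions.

```python
"""Offline evaluation of IIS IPSecurity restrictions (added example, not the book's code).

An IPSecurity instance mirrors the ADSI object's GrantByDefault flag and the four
list properties of Table 9.6; is_allowed() answers "would this client get through?"
without touching ADSI.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IPSecurity:
    """Example mirror of the ADSI IPSecurity object; list entries use 'IPAddress, Subnet Mask'."""
    grant_by_default: bool = True
    ip_grant: List[str] = field(default_factory=list)
    ip_deny: List[str] = field(default_factory=list)
    domain_grant: List[str] = field(default_factory=list)
    domain_deny: List[str] = field(default_factory=list)


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Turn 'IPAddress, Subnet Mask' into a network; a 255.255.255.255 mask is a single host."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'address, mask', got {entry!r}")
    address, mask = parts
    # strict=False: the stored address may carry host bits (a host address with its subnet mask)
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def format_entry(network: ipaddress.IPv4Network) -> str:
    """Inverse of parse_entry: the string form IIS stores in IPGrant/IPDeny."""
    return f"{network.network_address}, {network.netmask}"


def domain_matches(client_name: Optional[str], domain: str) -> bool:
    """DNS-suffix match against the client's reverse-lookup name; a leading '*.' is ignored (assumption)."""
    if not client_name:
        return False  # no reverse lookup result means no domain rule can match
    client = client_name.lower().rstrip(".")
    suffix = domain.lower().lstrip("*").lstrip(".")
    return client == suffix or client.endswith("." + suffix)


def is_allowed(sec: IPSecurity, client_ip: str, client_name: Optional[str] = None) -> bool:
    """Default verdict from GrantByDefault, overridden only by the matching exception list."""
    ip = ipaddress.IPv4Address(client_ip)
    if sec.grant_by_default:
        # Everything is allowed except the deny lists.
        if any(ip in parse_entry(e) for e in sec.ip_deny):
            return False
        if any(domain_matches(client_name, d) for d in sec.domain_deny):
            return False
        return True
    # Everything is blocked except the grant lists.
    if any(ip in parse_entry(e) for e in sec.ip_grant):
        return True
    return any(domain_matches(client_name, d) for d in sec.domain_grant)


def add_grant(sec: IPSecurity, address: str, mask: str = "255.255.255.255") -> IPSecurity:
    """Append a normalised grant entry instead of replacing the whole list."""
    entry = format_entry(parse_entry(f"{address}, {mask}"))
    if entry not in sec.ip_grant:
        sec.ip_grant.append(entry)
    return sec


# Constructed sample: deny by default, allow one subnet, one host and one DNS domain.
SAMPLE = IPSecurity(
    grant_by_default=False,
    ip_grant=["10.1.2.0, 255.255.255.0", "192.168.5.7, 255.255.255.255"],
    domain_grant=["corp.example.com"],
)

if __name__ == "__main__":
    for ip, name in [("10.1.2.77", None), ("10.1.3.1", None), ("172.16.0.1", "ws42.corp.example.com")]:
        print(ip, name, "->", "allowed" if is_allowed(SAMPLE, ip, name) else "blocked")
```

Because domain rules only fire when a reverse-DNS name is available, the example also makes visible the point raised above: every request to a resource with DomainGrant or DomainDeny entries costs a reverse lookup, and a client whose address has no PTR record can never match a domain rule.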

Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck
