Programmatically Administering the Directory Security Property Sheet

   


As shown in Figure 10.6, you can include or exclude specific sites based on IP address.

Figure 10.6. Default FTP Site Properties dialog box: Directory Security tab.

If your organization has requirements for "Chinese Walls" (mandated separation by regulatory agencies) between business units (as might be found between the Corporate Finance and Equities groups of an investment bank), you may want to prevent individual subnets or DNS domains from accessing specific resources on your intranet.

Although IP spoofing can compromise the effectiveness of such methods, implementing IP security can be an effective front-line defense against access from an unauthorized IP address.

In a more common scenario, IP address restrictions are often imposed to ensure that development sites utilizing anonymous access are accessed only by developers. By simply inserting the IP addresses of the developer workstations into the list of machines granted access, the developers can transfer data between their client and the server with little fear that anyone else has access.

IP security requires constructing an array of IP addresses that is then assigned to one of the properties of the IPSecurity object listed in Table 10.2.

Table 10.2. IPSecurity Properties

Property       Description
IPGrant        Array of IP addresses granted access; stored in a variant array of strings in the format IPAddress, Subnet Mask
IPDeny         Array of IP addresses denied access; stored in a variant array of strings in the format IPAddress, Subnet Mask
DomainGrant    Array of strings representing DNS domains granted access to resources
DomainDeny     Array of strings representing DNS domains denied access to resources

Armed with the basic knowledge of the operations of the IPSecurity interface, you can now examine the code used to query and set new IP address restrictions.

Warning

The use of DNS domains for restricting access is not recommended because of the costly reverse DNS lookup that must take place for each request. Be sure to examine the performance of the site both before and after implementing such a restriction to ensure that performance is still reasonably acceptable.


Querying Current IP Address Restrictions Using Visual Basic

To find the current IP address and DNS domain restrictions effective for a particular site, use the following Visual Basic code:

    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim IPSecurity As Variant
    Dim Entry As Variant

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value

    ' Bind to the root of the FTP site and fetch its IPSecurity object
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
    Set IPSecurity = Site.IPSecurity

    If IPSecurity.GrantByDefault Then
        ' Default allow: only the deny lists are listed
        Debug.Print "All addresses will be allowed, except as follows:"
        For Each Entry In IPSecurity.IPDeny
            ' A mask of 255.255.255.255 marks a single host; strip it for display
            If InStr(1, Entry, "255.255.255.255") Then
                Debug.Print vbTab & "Denied IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
            Else
                Debug.Print vbTab & "Denied Subnet: " & vbTab & Entry
            End If
        Next
        For Each Entry In IPSecurity.DomainDeny
            Debug.Print vbTab & "Denied Domain: " & vbTab & Entry
        Next
    Else
        ' Default deny: only the grant lists are listed
        Debug.Print "All addresses will be blocked, except as follows:"
        For Each Entry In IPSecurity.IPGrant
            If InStr(1, Entry, "255.255.255.255") Then
                Debug.Print vbTab & "Allowed IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
            Else
                Debug.Print vbTab & "Allowed Subnet: " & vbTab & Entry
            End If
        Next
        For Each Entry In IPSecurity.DomainGrant
            Debug.Print vbTab & "Allowed Domain: " & vbTab & Entry
        Next
    End If

Setting New IP Address Restrictions Using Visual Basic

To create a new IP address or DNS domain restriction programmatically, use the following Visual Basic code:

    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim IPSecurity As Variant
    Dim IPAddress As String
    Dim IPSubnet As String
    Dim Domain As String
    Dim ActionType As String

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    IPAddress = "xxx.xxx.xxx.xxx"
    IPSubnet = "xxx.xxx.xxx.xxx"
    Domain = "DNS_Domain.Name"

    ActionType = "GRANTIP"
    'ActionType = "GRANTSUBNET"
    'ActionType = "GRANTDOMAIN"
    'ActionType = "DENYIP"
    'ActionType = "DENYSUBNET"
    'ActionType = "DENYDOMAIN"

    ' Each case sets GrantByDefault for the whole site, and each Array(...)
    ' assignment replaces whatever entries the list already held.
    Select Case ActionType
        Case "GRANTIP"
            Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
            Set IPSecurity = Site.IPSecurity
            ' Commit the default-deny setting first, then the grant list
            IPSecurity.GrantByDefault = False
            Site.IPSecurity = IPSecurity
            Site.SetInfo
            IPSecurity.IPGrant = Array(IPAddress & ", 255.255.255.255")
            Site.IPSecurity = IPSecurity
            Site.SetInfo
        Case "GRANTSUBNET"
            Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
            Set IPSecurity = Site.IPSecurity
            IPSecurity.GrantByDefault = False
            IPSecurity.IPGrant = Array(IPAddress & ", " & IPSubnet)
            Site.IPSecurity = IPSecurity
            Site.SetInfo
        Case "GRANTDOMAIN"
            Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
            Set IPSecurity = Site.IPSecurity
            IPSecurity.GrantByDefault = False
            IPSecurity.DomainGrant = Array(Domain)
            Site.IPSecurity = IPSecurity
            Site.SetInfo
        Case "DENYIP"
            Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
            Set IPSecurity = Site.IPSecurity
            IPSecurity.GrantByDefault = True
            IPSecurity.IPDeny = Array(IPAddress & ", 255.255.255.255")
            Site.IPSecurity = IPSecurity
            Site.SetInfo
        Case "DENYSUBNET"
            Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
            Set IPSecurity = Site.IPSecurity
            IPSecurity.GrantByDefault = True
            IPSecurity.IPDeny = Array(IPAddress & ", " & IPSubnet)
            Site.IPSecurity = IPSecurity
            Site.SetInfo
        Case "DENYDOMAIN"
            Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex & "/ROOT")
            Set IPSecurity = Site.IPSecurity
            IPSecurity.GrantByDefault = True
            IPSecurity.DomainDeny = Array(Domain)
            Site.IPSecurity = IPSecurity
            Site.SetInfo
    End Select

Note

To set a new IP address restriction, simply uncomment the desired ActionType variable assignment and verify that all associated variables have been assigned.
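To check what a restriction list actually permits, whether it was printed by the query code or is about to be applied with the code above, the entries can be evaluated offline. The following Python sketch is an added example, not code from the book; its function names are hypothetical, the sample addresses are constructed, and it assumes an entry covers a client when the two addresses agree on every bit set in the subnet mask. Domain entries are not evaluated.

```python
import ipaddress

def parse_entry(entry):
    """Split an 'IPAddress, SubnetMask' string into (address, mask) integers."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'IPAddress, SubnetMask', got {entry!r}")
    addr, mask = (int(ipaddress.IPv4Address(p)) for p in parts)
    return addr, mask

def matches(entry, client_ip):
    """Assumed rule: an entry covers a client if both agree on the masked bits."""
    addr, mask = parse_entry(entry)
    client = int(ipaddress.IPv4Address(client_ip))
    return (client & mask) == (addr & mask)

def is_allowed(grant_by_default, ip_grant, ip_deny, client_ip):
    """Like the query listing, consult only the list that GrantByDefault selects."""
    if grant_by_default:
        return not any(matches(e, client_ip) for e in ip_deny)
    return any(matches(e, client_ip) for e in ip_grant)

def broad_entries(entries, max_hosts=256):
    """Return entries whose mask covers more than max_hosts addresses."""
    flagged = []
    for entry in entries:
        _, mask = parse_entry(entry)
        host_bits = 32 - bin(mask).count("1")
        if 2 ** host_bits > max_hosts:
            flagged.append(entry)
    return flagged

# Constructed sample: a development FTP site that denies by default.
DEV_GRANT = [
    "192.0.2.10, 255.255.255.255",   # one developer workstation
    "198.51.100.0, 255.255.255.0",   # developer subnet
    "10.0.0.0, 255.0.0.0",           # far wider than a developer list needs
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.77", "10.9.8.7"):
        print(ip, "allowed" if is_allowed(False, DEV_GRANT, [], ip) else "blocked")
    print("Overly broad:", broad_entries(DEV_GRANT))
    # An empty grant list with GrantByDefault = False blocks every client.
    print("Empty list:", is_allowed(False, [], [], "192.0.2.10"))
```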



   
Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
EAN: 2147483647
Year: 2000
Pages: 194
Authors: Thomas Eck
