File security from web-apps with Forms security enabled?

I am developing a series of web-apps, in the process of converting older client-server FoxPro apps.  We are forced to use Forms-level security on our web-apps, due to licensing issues with providing Active Directory Windows-based security, and have adopted the ASP.NET 2.0 security schema.  However, I have run into a problem because many of our applications use sensitive Word and Excel attachments to the plans we store in the SQL Server 2000 and 2005 databases.  Forms security adequately protects the web-site pages and the database data, but when it comes to protecting access to attachment files, it appears we have none except on the LAN via Windows AD.  How can I provide AD-like file-level access protection within my web-apps?


Ron K.
------------------------------------------
The difference between fiction and reality is that fiction has to be credible. -- Mark Twain
0
Ron
5/30/2008 1:46:30 PM

3 Replies
1087 Views

Not sure if I understood this correctly. Have you tried creating AD groups, adding users to the groups, and giving file-level access to the AD groups? In our AD environment AD groups define file/directory level access. The group policy refreshes every x interval. We have this detailed to AD groups with read access and AD groups with write access. You can use the same groups in your web-apps to keep the access levels in sync.

HTH 

0
raghu1
5/30/2008 2:48:25 PM

I don't really understand it myself.  All I have ascertained is that we are using web-apps with Forms authentication and because of this our IIS servers are set to allow anonymous users (authenticated by forms against the ASP.NET 2.0 aspnetdb membership store).  I have also seen that file requests via IIS browser URLs are not challenged in any way, supposedly due to this anonymous access.  I am not an expert in either Windows or Forms security, but I thought in order to use AD groups, one had to be using Windows authentication on the web-site.


Ron K.
------------------------------------------
The difference between fiction and reality is that fiction has to be credible. -- Mark Twain
0
Ron
5/30/2008 3:40:38 PM

I would then suggest what I suggested earlier. You might want to check with the Network-security group. Usually this requires educating users as to why they cannot get the documents that were on the LAN. You might be in for a pleasant surprise about how many users love these shortcuts. Setting up AD groups and defining read/write access is straightforward. We had a little nightmare situation when the network group restricted access to certain folders as part of a management decision and people lost their desktop shortcuts/mapped LAN folders...

0
raghu1
5/30/2008 4:29:37 PM
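
The gap described in this thread (Forms authentication covers the pages, but a direct URL to a Word or Excel file is served without any challenge) is commonly closed by keeping the attachments outside the web root and streaming them through an ASP.NET handler that checks the Forms identity first. The sketch below is an added example, not code from any poster in the thread; the handler name, the `D:\PlanAttachments` folder, the `PlanReaders` role and the `file` query parameter are all hypothetical.

```csharp
using System.IO;
using System.Web;
using System.Web.Security;

// Hypothetical handler, registered in web.config <httpHandlers> (e.g. path="Attachment.ashx").
public class AttachmentHandler : IHttpHandler
{
    // Assumed folder outside the web root: IIS has no URL that maps to it.
    private const string StoreRoot = @"D:\PlanAttachments";
    // Assumed role name; requires the ASP.NET role manager to be enabled.
    private const string RequiredRole = "PlanReaders";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The Forms ticket has already been turned into context.User at this point.
        if (!context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        if (!context.User.IsInRole(RequiredRole))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Accept a bare file name only: separators, ':' and control characters are rejected.
        string name = context.Request.QueryString["file"];
        if (string.IsNullOrEmpty(name) || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        string fullPath = Path.Combine(StoreRoot, name);
        if (!File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```

Only the account the ASP.NET worker process runs under needs NTFS read access to the attachment folder, so the site can keep anonymous access enabled in IIS. A per-plan check against the application's own database would replace the single role test where access differs by document.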