One of the big issues is that NTLM doesn't work through proxies.
Cheers, MH
Windows 2000 Security
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 12, 1999 9:33 AM
> To: [EMAIL PROTECTED]
> Subject: More of a security problem than a firewall problem...
>
>
> But I am hoping to get some good advice from the experts.
>
> I have a web application which is on a web server behind a NetScreen firewall. The application is running on IIS. It uses an Access database. Users can log in to the application (application level passwords stored in a table in the database) and run queries on the data. Their results are restricted to the users' data by virtue of the ID/password combination used to log in.
>
> We would now like to increase the security on the application, particularly by being able to monitor/log the users who are accessing the data. It would appear that we have two choices: creating individual NT user accounts on the web server and using NT C/R, or enabling validation on the firewall (which would also involve creating/maintaining user accounts).
>
> For purposes of security, my feeling is that we should go with validating at the firewall. The problem is, that would require two logins to reach the application, one at the firewall and one at the application level. We could probably use the same user ID/PWD combinations in both places, but that seems to defeat the purpose of the firewall (actually, these ID/PWD combinations can currently be used by multiple users, i.e., groups).
>
> Other issues aside, I feel that going the route of validating via NT at the web server would require the same amount of effort, but would result in additional exposure.
>
> The only 'mitigating' factor I can see here for using NT security is that we might in the future wish to provide additional applications/data via this server. In the case where the data being provided could be segregated by user group, we could then use NT authentication to allow access to specific data sets.
>
> A brief side question: Is there any real reason that application level security is significantly less secure than other forms of authentication, i.e., would we be just as well off if we validated the users to a database and made that database separate from the application data, perhaps even on another machine?
>
> Am I off base here?
>
> I apologize if I am wasting anyone's time here, but I will truly appreciate your input.
>
> Regards,
>
> Tom
> Web Developer, HealthFirst
> (212) 801-6214
> ==============================================
> The opinions contained herein are mine and mine alone. I am fortunate that HealthFirst allows me to express them to you, but they are not responsible for what I say.
> ==============================================
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
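Tom's side question, as an added example that is not code from the thread: application-level login against a credential store kept separate from the application data, with results restricted to the authenticated user and every access logged under that user. The two in-memory sqlite databases, table names and sample accounts are constructed stand-ins for the Access database and the accounts described above.

```python
import datetime
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-ins: one connection for credentials, one for application data.
# Keeping them apart mirrors the "separate database, perhaps another machine" option.
auth_db = sqlite3.connect(":memory:")
auth_db.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
app_db = sqlite3.connect(":memory:")
app_db.execute("CREATE TABLE records (owner TEXT, value TEXT)")
app_db.execute("CREATE TABLE audit (ts TEXT, uid TEXT, query TEXT, rows INTEGER)")

def _hash(password, salt):
    # Salted, iterated hash: the credential table never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(uid, password):
    salt = os.urandom(16)
    auth_db.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, salt, _hash(password, salt)))

def login(uid, password):
    """Return the authenticated uid, or None. Only the auth store is consulted."""
    row = auth_db.execute("SELECT salt, pw_hash FROM users WHERE uid = ?", (uid,)).fetchone()
    if row is None:
        return None
    return uid if hmac.compare_digest(_hash(password, row[0]), row[1]) else None

def run_query(uid, pattern):
    """Results are restricted to the caller's own rows; the access is logged under that uid."""
    rows = app_db.execute(
        "SELECT value FROM records WHERE owner = ? AND value LIKE ?", (uid, pattern)
    ).fetchall()
    ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
    app_db.execute("INSERT INTO audit VALUES (?, ?, ?, ?)", (ts, uid, pattern, len(rows)))
    return [r[0] for r in rows]

def audit_trail():
    """(uid, query, rows) per access. With a shared group ID such as "billing" the uid
    column can only name the group, which is the accountability gap raised above."""
    return app_db.execute("SELECT uid, query, rows FROM audit ORDER BY rowid").fetchall()

# Constructed sample data: an individual account and a shared "group" credential.
add_user("alice", "correct horse")
add_user("billing", "shared-secret")
app_db.executemany("INSERT INTO records VALUES (?, ?)",
                   [("alice", "claim-1"), ("alice", "claim-2"), ("billing", "invoice-9")])
```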