Solved

What authentication method to use?

Posted on 2000-04-19
267 Views
Last Modified: 2012-05-05
I am a newbie web developer.  I am embarking on my 1st major web site development.  This site needs user authentication to access SQL Server data (raw data to html and also Crystal Reports web interface info).  I will be using Frontpage/Visual Interdev, IIS, Windows NT, ASP, etc.  I am trying to determine which authentication method I should use, why, and what are the advantages/disadvantage to whatever method you would recommend.  This site will be used to update vendor information and to provide data to our customers.  This will be hosted at an ISP and we will update SQL nightly.  I have heard of NT authentication and authentication based on usernames/passwords stored in a database.  Security is important but this isn't ultra-critical info.  I am really clueless when it comes to the whole realm of authentication.  Some suggestions as to the best method, pointers, authentication samples, links, whatever...would be helpful.  I appreciate whatever help anyone could offer.
Question by:vfafel
6 Comments

Expert Comment

by:GMCarr
Hello:

It all depends on how sensitive the data is that your Web site visitors are receiving and sending to your SQL server.  Purchasing a certificate from a provider like Verisign is the type of action that most sites employ.  The user will require a 128-bit browser and a userid/password.  This will work if you are setting up a secure server (https).

You could also create your own certificates, an option that the Microsoft IIS server has.  We have a developer on site here that used that method as opposed to purchasing certificate authority products like Verisign or Thawte.

But if the purpose is just to have a record of who accesses your server, and the data is not sensitive or confidential, then the userid/password would be fine.

Hope this helps, good luck!


Expert Comment

by:scooterhead
I apologize but my abilities are not to the point where I even understand your response.  Could you back up a little and help me with the basics?  I am looking to allow web site functionality based on a successful authentication (update customer information, pull data from the SQL server, etc.)  Can you help me with the basics?

Expert Comment

by:noonie072398
Greetings vfafel,

This question begs another: "Just what, exactly, are you trying to achieve, and what are the risks if your security model fails and the wrong person gets access to your data?"

Just a little basic background for you to consider.

NT security requires every user to have a username/password on the system. When an internet visitor accesses your website through IIS your web server acts for that visitor using a username/password created by IIS for that purpose. In fact (in this case) every internet visitor gets the same username/password identity.

That IIS identity has certain permissions granted to it so that the web server can do its job. These permissions are usually restricted to files and folders within the web site.

If you don't want to "muck around" with creating users and modifying NT file & folder permissions then IMHO your best bet is to use an authentication system based upon a log-on .asp connected to some database of users. (There are plenty of examples of this type of system available around the asp resource sites on the 'net)

Remember that access to your database by visitors from the internet is also granted through a similar username/password identity scheme for SQL Server. Normally these identities are created at install-time and it all functions pretty-much invisibly :^

If you need to make use of NT file and folder level security then you will need to consider creating NT users and modifying the permissions in both IIS Manager and your NT file system. As you said that the site will be hosted by an ISP, you may not get access to this level of security, as it has been my experience that hosting ISPs are a little bit sensitive to letting someone modify their servers at that level.

Hope this helps.

Accepted Solution

by:tcurtin (earned 100 total points)
If you are using NT4 with IIS4 and if this is an Intranet: 1) you can set security permissions at the web site folder through NT Permissions. 2) You should also go to Start/Programs/Windows NT4 Option Pack/Internet Information Server and select your site. Right-click and go to Properties. Select 'Directory Security' and remove 'Allow Anonymous Access'. That is the IUSR_<Machine> account. The calling user will get denied and IE or Netscape will generate a logon back to the user and attempt to login again. Users will also need to be set up in SQL Server.
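An added example, not tcurtin's code, of what a page behind that setting looks like once 'Allow Anonymous Access' has been cleared. IIS has already challenged the browser by the time the script runs, so the page reads the verified account name from the AUTH_USER server variable rather than trusting anything the client typed. It assumes classic ASP with ADO, a connection string holding a SQL Server login kept in Application("ConnString") (set in global.asa), and a table CustomerData with an OwnerLogin column; the names are all hypothetical.

```asp
<%@ Language=VBScript %>
<% Option Explicit
' report.asp  -  relies on IIS authentication, not an ASP login form.
' Assumed (hypothetical): Application("ConnString") holds a SQL Server
' login; CustomerData(CustomerID, CustomerName, OwnerLogin) exists and
' OwnerLogin stores the NT account as DOMAIN\user.
Dim ntUser, cn, cmd, rs

' With anonymous access cleared on this folder, AUTH_USER carries the
' account IIS verified.  If it is empty, anonymous access is still on
' and the request is running as IUSR_<Machine>: refuse rather than
' serve data to nobody in particular.
ntUser = Request.ServerVariables("AUTH_USER") & ""
If Len(ntUser) = 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "Anonymous access is enabled on this folder; " & _
                   "this page requires authentication."
    Response.End
End If

' Filter on the server-verified identity, never on a query-string
' value, and pass it as a parameter so it cannot alter the SQL text.
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open Application("ConnString")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 1                                    ' adCmdText
cmd.CommandText = "SELECT CustomerID, CustomerName FROM CustomerData " & _
                  "WHERE OwnerLogin = ?"
cmd.Parameters.Append cmd.CreateParameter("owner", 200, 1, 100, ntUser) ' adVarChar, adParamInput
Set rs = cmd.Execute

' HTMLEncode everything that came from the database or the client.
Response.Write "<h2>Rows for " & Server.HTMLEncode(ntUser) & "</h2><ul>"
Do Until rs.EOF
    Response.Write "<li>" & Server.HTMLEncode(rs("CustomerName") & "") & "</li>"
    rs.MoveNext
Loop
Response.Write "</ul>"
rs.Close
cn.Close
%>
```

The database connection here still uses the single login from the connection string; tcurtin's last sentence about setting users up in SQL Server applies if you want the database itself to distinguish each NT user rather than the web server doing it for them.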

Expert Comment

by:scooterhead
Thank you noonie...very helpful...a few follow-ups...
1.  what does IMHO stand for?

2.  IMHO seems to be the better alternative for me...are there any obvious problems with the following scenario:
    a.  an ASP login screen to initialize authentication

    b.  all pages designed to enter orders and retrieve data can utilize the authentication information to append and update info on my "DSN" referenced database (and access to certain data retrieval pages which query SQL data based on the login username and ID).

    c.  Am I correct in assuming that by using IMHO, the security is handled by the ASP authentication and a "guest" account is used by the IIS to access the SQL server database?

A technical question - does each protected page have to have a reference indicating whether a successful login was achieved...I have seen some references but am not real clear....

Thank you for your help...

Expert Comment

by:noonie072398
1. IMHO (in my humble opinion)

2. a. This method is used widely. If the username/password is sensitive you can add an extra level of security using SSL, if your Hosting ISP provides that service and the cost of a certificate is within your project budget.

   b. You can place information relating to a successful log-in (or not) within the session object or you can use cookies.

   c. You assume correctly.

To do it correctly you should have a test on each page as to the log-in status (b) and redirect to the log-in page if the test fails. I also implement a system of recording all log-in attempts to an audit table.

In practice it all depends upon the level of security you need, the time you have to do it in and the risks involved if your security is breached.

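An added example, not code posted by anyone in this thread, of the scheme noonie describes in both replies: a log-on .asp checked against a table of users, the result kept in the Session object, a test at the top of every protected page that redirects to the log-on page, and an audit table of every attempt. It assumes classic ASP with ADO, a connection string in Application("ConnString") (set in global.asa), and two hypothetical tables, WebUsers(UserID, UserName, Password, Active) and LoginAudit(UserName, RemoteAddr, Succeeded, AttemptTime); three files are shown in one block.

```asp
<%
' ===== auth.inc =====  put this at the top of every protected page:
'   <!-- #include file="auth.inc" -->
' Fail closed: no UserID in the session means nobody is logged in.
If Len(Session("UserID") & "") = 0 Then
    Response.Redirect "login.asp?return=" & _
        Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
    Response.End
End If
%>

<%@ Language=VBScript %>
<% Option Explicit
' ===== login.asp =====  the form below posts back to this page.
' Assumed (hypothetical): Application("ConnString"), WebUsers, LoginAudit.
' Passwords are stored as typed because neither VBScript nor SQL Server 7
' ships a documented hash function; if a hashing component is available,
' store and compare the hash instead.
Dim cn, cmd, rs, userName, password, storedPw, ok, returnTo, msg
userName = Trim(Request.Form("username") & "")
password = Request.Form("password") & ""
returnTo = Request.QueryString("return") & ""
ok = False : msg = ""

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open Application("ConnString")

    ' Parameterised lookup: the username never becomes part of the SQL
    ' text, so a value such as  x' OR 1=1--  cannot change the query.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = 1                                   ' adCmdText
    cmd.CommandText = "SELECT UserID, Password FROM WebUsers " & _
                      "WHERE UserName = ? AND Active = 1"
    cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 50, userName) ' adVarChar, adParamInput
    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' Compare in VBScript with a binary compare: SQL Server's default
        ' collation is case-insensitive, so "WHERE Password = ?" would
        ' accept PASSWORD for password.
        storedPw = rs("Password") & ""
        If StrComp(storedPw, password, vbBinaryCompare) = 0 Then
            ok = True
            Session("UserID") = CStr(rs("UserID"))
            Session("UserName") = userName
        End If
    End If
    rs.Close

    ' Record every attempt, success or failure; the password is not logged.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = 1
    cmd.CommandText = "INSERT INTO LoginAudit " & _
        "(UserName, RemoteAddr, Succeeded, AttemptTime) VALUES (?, ?, ?, GETDATE())"
    cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("a", 200, 1, 15, Request.ServerVariables("REMOTE_ADDR"))
    cmd.Parameters.Append cmd.CreateParameter("s", 11, 1, , ok)          ' adBoolean
    cmd.Execute
    cn.Close

    If ok Then
        ' Only follow the return link if it is a local path; an absolute
        ' URL here would let a crafted link bounce the user off-site.
        If Left(returnTo, 1) <> "/" Or Left(returnTo, 2) = "//" Then returnTo = "default.asp"
        Response.Redirect returnTo
        Response.End
    End If
    ' Same message whether the name or the password was wrong, so the
    ' form does not confirm which usernames exist.
    msg = "Invalid username or password."
End If
%>
<html><body>
<p><%= Server.HTMLEncode(msg) %></p>
<form method="post" action="login.asp?return=<%= Server.URLEncode(returnTo) %>">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Log in">
</form>
</body></html>

<%
' ===== logout.asp =====  drop the server-side session, then go home.
Session.Abandon
Response.Redirect "login.asp"
%>
```

The include answers the "does each protected page need a reference" question: one line per page, and a page that forgets it is simply public, so keep a list of which pages carry it. The form itself travels in clear unless the site is served over https, which is the SSL step noonie mentions.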