Solved

Spoofing LOGON_USER & AUTH_USER

Posted on 2008-10-31
Last Modified: 2013-11-05
I have a web application with IIS set to anonymous access and Integrated Windows Authentication switched on - this is an intranet app.

Once people have hit the site I want to be able to give them customised content according to who they are using possibly Request.ServerVariables("LOGON_USER") And Request.ServerVariables("AUTH_USER").  I plan to use these to identify who they are and then deliver customised content.

I am worried about these being spoofed though, e.g.:

telnet localhost 80

GET /default.asp HTTP/1.1
host: localhost
LOGON_USER: MySpoofedName

Obviously the above telnet example won't work as it won't get authenticated but you see my general concern.

Any thoughts or comments on this?
Question by:daveamour

Assisted Solution

by:BigRat
ID: 22849269
All Basic Authentication methods are open to spoofing, since the name (however encoded) comes through on every request. You can make this somewhat harder by using https, which is a simple switch in IIS.

Author Comment

by:daveamour
ID: 22849313
I was hoping that when Integrated is used then the Request.Servervariables would be populated in a more secure way rather than just from http headers.  Is this not the case?

Author Comment

by:daveamour
ID: 22849611
I've just tried this with a site using Integrated, intercepting the http request using Fiddler. I then tinkered with the headers to add LOGON_USER & AUTH_USER and then Response.Write'd these out on the ASP page, but they could not be spoofed. Interestingly though, this approach does work with Integrated turned off, and in fact my earlier telnet example then works.

Maybe I am right about how the ServerVariables are populated when Integrated is turned on.  Any thoughts?

Expert Comment

by:saoirse1916
ID: 22849623
Are you sure that you need anonymous access turned on?  If it's an intranet, I'd assume that everyone is connecting either through the local LAN or through a VPN, neither of which depend on IIS's anonymous account.  That would cut down your security risks right there.

Author Comment

by:daveamour
ID: 22849639
My apologies - I meant to say that anonymous access should be turned off - bad typing, sorry!

Accepted Solution

by:saoirse1916
ID: 22849640
And yes, you're right about AUTH_USER and Integrated Windows Authentication -- that's coming from Active Directory and not from a web form, querystring, or some other "spoofable" means of delivery.

Expert Comment

by:saoirse1916
ID: 22849647
The only way that I've ever heard that someone can get unauthorized access would be if they had rights to create a new Active Directory account.

Author Comment

by:daveamour
ID: 22849665
Ok cool, so then in summary as long as you have anonymous access off and Integrated on then it is safe to provide customised content based on Request.ServerVariables("AUTH_USER") - obviously if the customised content is really sensitive then it should all go over SSL anyway.

Would you agree with this then?

BigRat - Apologies again for my typo in saying that anonymous was on!
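A way to check the two things the summary above relies on against your own server, as an added example (this is not code from the question or any of the answers): first, that an unauthenticated request is refused with a 401 carrying a Negotiate/NTLM challenge rather than being served anonymously or offered Basic over plain http; second, that forged LOGON_USER / AUTH_USER / REMOTE_USER request headers carrying a unique canary are not echoed back by the page. It assumes the URL given on the command line renders AUTH_USER into its body, as the asker's default.asp does; the list of header names to forge and the canary format are my own choices, and only the standard library is used.

```python
"""Probe an IIS page that renders AUTH_USER: what does the server demand
without credentials, and do forged LOGON_USER/AUTH_USER request headers
get echoed back as if they were server variables?

Added example for this thread, not code from the original question or
answers. Assumes the URL passed on the command line renders AUTH_USER
into its body (as the asker's default.asp does). The header names in
SPOOF_HEADERS and the canary format are my own choices.
Standard library only.
"""
import secrets
import sys
import urllib.error
import urllib.request

# Names a naive attacker would try as raw request headers, hoping they land in
# Request.ServerVariables under the same name. Per the CGI convention a client
# header should only ever surface as HTTP_<NAME>; the bare name is server-owned.
SPOOF_HEADERS = ("LOGON_USER", "AUTH_USER", "REMOTE_USER")


def challenge_schemes(www_authenticate_values):
    """Lowercased auth schemes offered across WWW-Authenticate header values,
    in order of first appearance, e.g. ["negotiate", "ntlm"]."""
    schemes = []
    for value in www_authenticate_values:
        parts = value.strip().split(None, 1)
        if parts and parts[0].lower() not in schemes:
            schemes.append(parts[0].lower())
    return schemes


def assess_challenge(status, schemes, https):
    """Classify what an unauthenticated request got back.

    no-auth-required      anonymous access is enabled; AUTH_USER will be empty
    integrated[...]       Negotiate/NTLM offered (what the thread relies on)
    basic[...]            only Basic offered
    -cleartext-password   Basic is offered over plain http: the base64
                          credential is readable by anyone on the path
    """
    if status != 401:
        return "no-auth-required"
    if "negotiate" in schemes or "ntlm" in schemes:
        kind = "integrated"
    elif "basic" in schemes:
        kind = "basic"
    else:
        kind = "other"
    if "basic" in schemes and not https:
        kind += "-cleartext-password"
    return kind


def reflected_headers(body, canaries):
    """Names of forged headers whose canary value shows up in the response body."""
    return [name for name, canary in canaries.items() if canary in body]


def fetch(url, headers):
    """GET url with extra headers; return (status, header message, body text).
    A 401 is a result we want to inspect, not an error."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def probe(url):
    """Run both checks against a live server and return the findings."""
    https = url.lower().startswith("https://")

    # 1. No credentials at all: the server must answer 401 with Negotiate/NTLM
    #    if anonymous access is really off.
    status, hdrs, _ = fetch(url, {})
    schemes = challenge_schemes(hdrs.get_all("WWW-Authenticate") or [])
    verdict = assess_challenge(status, schemes, https)

    # 2. Forged headers with unique canaries: a canary in the body means the
    #    page trusted a client header as a server variable.
    canaries = {name: "spoof-" + secrets.token_hex(4) for name in SPOOF_HEADERS}
    status2, _, body = fetch(url, canaries)
    hits = reflected_headers(body, canaries)
    return verdict, status2, hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/default.asp"
    verdict, status, hits = probe(target)
    print("unauthenticated request:", verdict)
    print("forged-header request: HTTP", status, "- reflected:", hits or "none")
```

Run it as `python probe_auth_user.py http://intranet/default.asp`. With anonymous access off and Integrated on, the first check should report `integrated`, and the forged-header request also gets a 401, so the reflection check only tells you something once the page actually renders; to repeat the Fiddler experiment on the authenticated path you need a client that completes the Negotiate/NTLM handshake (a domain-joined browser). With anonymous access on, the page renders without credentials and any reflected canary is exactly the header spoofing the question worried about.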

Author Comment

by:daveamour
ID: 22849704
Sorry, can I just ask one more thing.

If IIS were to be set up with anonymous access enabled but Integrated ticked as well, then how would that work? Would the AD username be sent in plain text in http headers where possible and all other users given anonymous access?

Thanks

Author Comment

by:daveamour
ID: 22849721
Actually I suppose in that case Integrated would work where possible, seamlessly and in its normal encrypted way, but anonymous access would be granted otherwise. Does this sound right?

Thanks

Assisted Solution

by:saoirse1916
ID: 22849735
Yes, you should have no problems with your current setup using AUTH_USER.  I've built my company's intranet in the exact same fashion and have tested a number of common entry attacks from outside the network and have yet to find a way in.

I actually have no idea how it would work with anonymous access turned on as I've never built a site with that configuration -- but I'd assume it would prompt for a username/password which would be sent in plain text if you were attempting to connect from a non-Active Directory machine.

Author Closing Comment

by:daveamour
ID: 31512001
Thanks both of you, I feel I can sleep better now!

Expert Comment

by:BigRat
ID: 22850099
daveamour: ASP supports anonymous, basic and Windows NT Challenge/Response authentication methods. All three are variations of Basic Authentication, in that username and password are transmitted by the browser on each request. How this information is validated - password file to LDAP - makes no difference. Fundamentally they are all open to password cracking attempts by brute force.
Your worry about the spoofer using the logon name is not justified, since he must also know the password. Basic Authentication over http has the problem that the password can be simply cracked by any listener. Running over https is far, far more secure.

saoirse1916: In Basic Authentication the username/password is encoded in base64, which is dead easy to decode. Challenge/Response (also known as NTLM, but AFAIK still only supported by IE and with problems with proxy servers) uses MD5 and is very difficult to crack.

Expert Comment

by:saoirse1916
ID: 22850147
BigRat: Yes, my use of plain text wasn't technically accurate but as you mentioned with reference to security, base64 may as well be plain text.