Solved

Spoofing LOGON_USER & AUTH_USER

Posted on 2008-10-31
Last Modified: 2013-11-05
I have a web application with IIS set to anonymous access and Integrated Windows Authentication switched on - this is an intranet app.

Once people have hit the site I want to be able to give them customised content according to who they are using possibly Request.ServerVariables("LOGON_USER") And Request.ServerVariables("AUTH_USER").  I plan to use these to identify who they are and then deliver customised content.

I am worried about these being spoofed though eg:

telnet localhost 80

GET /default.asp HTTP/1.1
host: localhost
LOGON_USER: MySpoofedName

Obviously the above telnet example won't work as it won't get authenticated but you see my general concern.

Any thoughts or comments on this?
Question by:daveamour
14 Comments
Assisted Solution

by:BigRat
BigRat earned 50 total points
ID: 22849269
All Basic Authentication methods are open to spoofing, since the name (however encoded) comes through on every request. You can make this somewhat harder by using https, which is simply a switch in IIS.
Author Comment

by:daveamour
ID: 22849313
I was hoping that when Integrated is used then the Request.Servervariables would be populated in a more secure way rather than just from http headers.  Is this not the case?
Author Comment

by:daveamour
ID: 22849611
I've just tried this with a site using Integrated and intercepting the http request using Fiddler.  I then tinkered with the headers to add LOGON_USER & AUTH_USER and then Response.Writing these out on the Asp page but they could not be spoofed.  Interestingly though this approach does work with Integrated turned off and in fact my earlier telnet example then works.

Maybe I am right about how the ServerVariables are populated when Integrated is turned on.  Any thoughts?
Expert Comment

by:saoirse1916
ID: 22849623
Are you sure that you need anonymous access turned on?  If it's an intranet, I'd assume that everyone is connecting either through the local LAN or through a VPN, neither of which depend on IIS's anonymous account.  That would cut down your security risks right there.
Author Comment

by:daveamour
ID: 22849639
My apologies - I meant to say that anonymous access should be turned off - bad typing, sorry!
Accepted Solution

by:saoirse1916
saoirse1916 earned 200 total points
ID: 22849640
And yes, you're right about AUTH_USER and Integrated Windows Authentication -- that's coming from Active Directory and not from a web form, querystring, or some other "spoofable" means of delivery.
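As an added example (not code from this thread or from IIS), the following Python model shows why the accepted answer holds: under the CGI convention that IIS follows, every client request header is exposed under an HTTP_ prefix, so the bogus LOGON_USER header from the question can only ever surface as HTTP_LOGON_USER, while AUTH_USER and LOGON_USER are filled in by the server from the authentication result. The functions, the CORP\dave account and the header sample are all constructed for illustration.

```python
from typing import Dict, Optional


def build_server_variables(request_headers: Dict[str, str],
                           authenticated_user: Optional[str]) -> Dict[str, str]:
    """Simplified model (not IIS's own code) of how a CGI-style server
    populates its server variables.

    Client headers are exposed only under an HTTP_ prefix (dashes become
    underscores), so a client-supplied 'LOGON_USER' header can only ever
    become HTTP_LOGON_USER. AUTH_USER / LOGON_USER are set from the
    authentication step and are never copied from a header.
    """
    variables: Dict[str, str] = {}
    for name, value in request_headers.items():
        variables["HTTP_" + name.upper().replace("-", "_")] = value
    # Identity comes only from the server's authentication result
    # (e.g. Integrated Windows Authentication); anonymous requests get "".
    variables["AUTH_USER"] = authenticated_user or ""
    variables["LOGON_USER"] = authenticated_user or ""
    variables["AUTH_TYPE"] = "Negotiate" if authenticated_user else ""
    return variables


def personalised_greeting(server_vars: Dict[str, str]) -> str:
    """Serve customised content only to a server-authenticated identity."""
    user = server_vars.get("AUTH_USER", "")
    if not server_vars.get("AUTH_TYPE") or not user:
        # No authentication took place, so never personalise on headers.
        return "Welcome, guest"
    return f"Welcome, {user}"


# Constructed sample: the telnet request from the question, bogus header included.
SPOOF_HEADERS = {"Host": "localhost", "LOGON_USER": "MySpoofedName"}


def demo():
    # Integrated on: the server validated the Windows account before the page ran.
    authed = build_server_variables(SPOOF_HEADERS, "CORP\\dave")
    # No authentication (anonymous): there is no principal to personalise for.
    anon = build_server_variables(SPOOF_HEADERS, None)
    return (personalised_greeting(authed),
            personalised_greeting(anon),
            authed["HTTP_LOGON_USER"],
            anon["LOGON_USER"])


if __name__ == "__main__":
    print(demo())
```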
Expert Comment

by:saoirse1916
ID: 22849647
The only way that I've ever heard that someone can get unauthorized access would be if they had rights to create a new Active Directory account.
Author Comment

by:daveamour
ID: 22849665
Ok cool so then in summary as long as you have anonymous access off and Integrated on then it is safe to provide customised content based on Request.Servervariables("AUTH_USER") - obviously if the customised content is really sensitive then it all goes over SSL anyway.

Would you agree with this then?

BigRat - Apologies again for my typo in saying that anonymous was on!
Author Comment

by:daveamour
ID: 22849704
Sorry can I just ask one more thing

If IIS were to be set up with anonymous access enabled but Integrated ticked as well then how would that work?  Would the AD username be sent plain text in http headers where possible and all other users given anonymous access?

Thanks
Author Comment

by:daveamour
ID: 22849721
Actually I suppose in that case Integrated would work where possible and seamlessly in its normal encrypted way but then anonymous access would be granted otherwise.  Does this sound right?

Thanks
Assisted Solution

by:saoirse1916
saoirse1916 earned 200 total points
ID: 22849735
Yes, you should have no problems with your current setup using AUTH_USER.  I've built my company's intranet in the exact same fashion and have tested a number of common entry attacks from outside the network and have yet to find a way in.

I actually have no idea how it would work with anonymous access turned on as I've never built a site with that configuration -- but I'd assume it would prompt for a username/password which would be sent in plain text if you were attempting to connect from a non-Active Directory machine.
Author Closing Comment

by:daveamour
ID: 31512001
Thanks both of you, I feel I can sleep better now!
Expert Comment

by:BigRat
ID: 22850099
daveamour: ASP supports anonymous, basic and WindowsNT challenge/Response authentication methods. All three are variations of Basic Authentication, in that username and password are transmitted by the browser on each request. How this information is validated - password file to LDAP - makes no difference. Fundamentally they are all open to password cracking attempts by brute force.
Your worry about having the spoofer use the logon name is not justified since he must also know the password. Basic Authentication over http has the problem that the password can be simply cracked by any listener. Running over https is far, far more secure.

saoirse1916: In Basic Authentication the username/password is encoded in base64, which is dead easy to decode. Challenge/Response (also known as NTLM, but AFAIK still only supported by IE and with problems with ProxyServers) uses MD5 and is very difficult to crack.
Expert Comment

by:saoirse1916
ID: 22850147
BigRat: Yes, my use of plain text wasn't technically accurate but as you mentioned with reference to security, base64 may as well be plain text.