How can we ensure that ONLY people who are part of the ExecutiveWeb group can load ASPX pages from the /DotNet/Executive folder when prompted via Basic Authentication?
This is an INTRANET site being migrated from a 2003 server to 2012 R2.
It is 99% working properly, but one security piece is not.
The site contains a mixture of classic ASP and ASP.net pages.
This question is specific to the ASP.net portion of the site.
The Application Pool runs under a domain user account (e.g. CorpWebID).
The CLR is .NET 4.0.
The DotNet folder is an application housing all the aspx files.
Under the DotNet folder there is a folder called Executive with restricted-access pages; the entire Executive folder is locked by a custom ACL (e.g. the Domain Users group removed).
Example directory structure is as follows:
- DotNet Folder (the Application folder - contains all the aspx files)
--Executive Folder (locked down by ACL - group membership)
The entire site uses SSL (again, this is internal only).
Anonymous authentication is disabled on the /DotNet/Executive folder; the only thing enabled is "Basic Authentication", to force logon.
The Executive folder is locked down by ACL so only people in an "ExecutiveWeb" AD group should be able to access files.
CorpWebID is also on the Executive folder's ACL; we found it doesn't work properly otherwise, because the Application Pool's identity is CorpWebID. No one authenticates with this ID; it is basically a service account.
Access to the Executive folder's pages is largely handled via a main menu that is classic ASP (executivemenu.asp), and hyperlinks for Executive ASP.net pages point to the /DotNet/Executive folder.
When prompted to log into the ExecutiveMenu, if you are not in the ExecutiveWeb group, it stops you like it should. Most people would back off if they fail authentication for the ExecutiveMenu.asp page.
However, internal testing prior to migration has detected that if someone types in the exact URL of a page under /DotNet/Executive (for example, executivestats.aspx), they get prompted for authentication, and as long as they type in ANY valid domain user ID and password, the page loads.
This is a problem. I know the Application Pool works under the identity specified in settings (e.g. CorpWebID), and that is likely why the page can load. However, I don't understand why it gets this far, since the Basic Authentication of the page should determine that the random domain user we are authenticating with as a test does NOT have ACL permissions to ExecutiveStats.aspx, because his ID is not in the ExecutiveWeb group.
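The behaviour described above is what ASP.NET does by default: the ASP.NET handler opens executivestats.aspx under the worker process identity (CorpWebID), not under the Basic-authenticated user, because ASP.NET does not impersonate the caller unless told to. NTFS therefore checks CorpWebID against the folder ACL, which passes, and the Basic-auth user's group membership is never consulted. The control that enforces group membership for ASP.NET requests regardless of the app pool identity is ASP.NET URL authorization. The following web.config fragment is an added example, not the asker's configuration; it assumes the ASP.NET application root is /DotNet, that the AD domain's NetBIOS name is CORP, and that the group is CORP\ExecutiveWeb (both names are placeholders to adjust).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not the asker's file): web.config at the /DotNet application root.
     Assumes domain NetBIOS name CORP and group CORP\ExecutiveWeb; adjust both. -->
<configuration>
  <system.web>
    <!-- ASP.NET trusts the Windows identity that IIS Basic Authentication established -->
    <authentication mode="Windows" />
  </system.web>

  <!-- Scope the rule to the Executive subfolder only; the rest of /DotNet is unaffected -->
  <location path="Executive">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom; first match wins -->
        <allow roles="CORP\ExecutiveWeb" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place a valid domain account that is not in ExecutiveWeb gets a 401 from ASP.NET on /DotNet/Executive/executivestats.aspx even though Basic Authentication succeeded, because URL authorization runs against the authenticated principal before the page executes. The NTFS ACL can stay as a second layer. An alternative is `<identity impersonate="true" />`, which makes ASP.NET open the .aspx file as the logged-on user so the NTFS ACL is checked against that user; URL authorization is the more direct control, and it is the one to verify first by requesting the page as a non-member and confirming the 401. Note that the `<authorization>` element in `<system.web>` applies only to requests handled by ASP.NET; the classic .asp pages are not covered by it.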