ASP authentication by IP number

Subject: ASP authentication by IP number
Author: Ralph Wiggum
Date: 04-24-2008
Posted by Roger Abell [MVP] on May 1, 2008, 2:26 am
> No - for the same reasons. Why do you need extravagant authentication-like
> schemes when many proper ways of authentication are available?
>
> If you just need to allow certain IPs to access the Web site, just
> configure restrictions and use anonymous access.
>


Hi Slav,

As I read the poster, allowing anonymous access but gating it
based on origin IP, as you suggest, _is_ precisely what the poster
was talking about doing.
As far as I can see, that is safer (less likely breached) than using
account-based authentication with the creds passing in the clear.

Roger

>
>> Most of my users are behind their company's firewall. If I keep a
>> database of firewall ip-numbers and check incoming requests against the
>> database, wouldn't that be an ok solution?
>> Steve Riley [MSFT] wrote:
>>> Wrong approach. IP addresses identify machines, not humans. They are
>>> easily spoofable, since they are always clear-text and are always
>>> unauthenticated. Plus, with your approach, authorized users will be tied
>>> to specific machines--they won't be able to access their information
>>> from other computers.
>>>
>>> User ID/password pairs are specifically designed for the scenario you've
>>> described. Please use them.
>>>
>
>



Posted by Steve Riley [MSFT] on May 4, 2008, 11:03 pm
Clear-text account credentials are as risky as using IP addresses for
authentication purposes. IP addresses are _also_ sent in the clear, and can
be intercepted and spoofed _in exactly the same way_ as clear-text
credentials.

Firewalls like ISA Server allow you to write user-aware rules. Credentials
are never passed between the client and ISA Server in clear-text -- it's
standard Winlogon.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



>> No - for the same reasons. Why do you need extravagant
>> authentication-like schemes when many proper ways of authentication are
>> available?
>>
>> If you just need to allow certain IPs to access the Web site, just
>> configure restrictions and use anonymous access.
>>
>
>
> Hi Slav,
>
> As I read the poster, allowing anonymous access but gating it
> based on origin IP, as you suggest, _is_ precisely what poster
> was talking about doing.
> As far as I can see, that is safer (less likely breached) than using
> account based authentication with the creds passing in the clear.
>
> Roger
>
>>
>>> Most of my users are behind their company's firewall. If I keep a
>>> database of firewall ip-numbers and check incoming requests against the
>>> database, wouldn't that be an ok solution?
>>> Steve Riley [MSFT] wrote:
>>>> Wrong approach. IP addresses identify machines, not humans. They are
>>>> easily spoofable, since they are always clear-text and are always
>>>> unauthenticated. Plus, with your approach, authorized users will be
>>>> tied to specific machines--they won't be able to access their
>>>> information from other computers.
>>>>
>>>> User ID/password pairs are specifically designed for the scenario
>>>> you've described. Please use them.
>>>>
>>
>>
>
>
