cosign-discuss at umich.edu
general discussion of cosign development and deployment
RE: IISCosign - one physical server more than 1 cosign-service possible?
- To: "Konstantin Voyk" <kvoyk@xxxxxxxxx>, "Asfaw-Kirby, Elias" <eliasak@xxxxxxxxx>, <cosign-discuss@xxxxxxxxx>
- Subject: RE: IISCosign - one physical server more than 1 cosign-service possible?
- From: "Townsend, Paul" <townsend@xxxxxxxxxxxxx>
- Date: Fri, 12 Aug 2005 14:03:42 -0400
- Thread-index: AcWfY5ddXDAFu91jTaGU3KRG5pOrQQAAJMFgAACjvnA=
- Thread-topic: IISCosign - one physical server more than 1 cosign-service possible?
Do NOT use the website="ws1.umich.edu" syntax.
Use the IISDescription="ws1" syntax instead. i.e.
<Service IISDescription="ws1">
Reason? Anybody can put your server's ip address into their hosts file
and hit your site using a different dns. If you use the website=""
syntax, the cosign filter won't recognize that user-created dns, the
request sails right through, and the user is in. BIG BIG security hole.
IIRC, the website="" syntax was supposed to be deprecated. If you're
still using it, you should change it immediately. Your site is
completely open to anybody who knows how to use a hosts file, or who
hits your server using the ip address.
The rest of what you say is correct. Make sure you're using a recent
version of IIS cosign, since early versions didn't play nice with W2k3 &
multiple sites. Long since fixed.
-Paul Townsend
Systems Analyst
Ross School of Business
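
[Added example, not part of the original thread and not IISCosign code.] A simplified Python model of the lookup described in the message above: keying protection on the client-supplied hostname lets an unrecognized name fall through unprotected, while keying on the server-side site description does not. Assumptions: the `<Cosign>` wrapper element, the function names and the sample requests are constructed, and the IIS site is assumed to answer for any Host value on its IP binding.

```python
import xml.etree.ElementTree as ET

# Constructed config in the two forms discussed in the thread, wrapped in a
# hypothetical <Cosign> root so each parses as one XML document.
BY_HOSTNAME = """<Cosign>
  <Service website="ws1.umich.edu">cosign-SERVICE1
    <Protected>/</Protected>
  </Service>
</Cosign>"""

BY_DESCRIPTION = """<Cosign>
  <Service IISDescription="ws1">cosign-SERVICE1
    <Protected>/</Protected>
  </Service>
</Cosign>"""

def load(xml_text, key_attr):
    """Map the chosen <Service> attribute to (service name, protected prefixes)."""
    table = {}
    for svc in ET.fromstring(xml_text).iter("Service"):
        prefixes = [p.text.strip() for p in svc.iter("Protected")]
        table[svc.get(key_attr).strip().lower()] = (svc.text.strip(), prefixes)
    return table

def needs_login(table, key, path):
    """Return the cosign service guarding this request, or None if unprotected."""
    entry = table.get(key.strip().lower())
    if entry is None:
        return None  # no matching <Service>: this model passes the request through
    name, prefixes = entry
    return name if any(path.startswith(p) for p in prefixes) else None

def decide(request, mode):
    """request holds the client-sent 'host', the server-side 'site', and 'path'."""
    if mode == "website":
        return needs_login(load(BY_HOSTNAME, "website"), request["host"], request["path"])
    return needs_login(load(BY_DESCRIPTION, "IISDescription"), request["site"], request["path"])

# Constructed requests that all reach the same IIS site, "ws1".
REQUESTS = [
    {"host": "ws1.umich.edu", "site": "ws1", "path": "/"},
    {"host": "alias.example.test", "site": "ws1", "path": "/"},  # hosts-file name
    {"host": "192.0.2.10", "site": "ws1", "path": "/"},          # bare IP address
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r["host"], decide(r, "website"), decide(r, "IISDescription"))
```

Only the first request is sent to login under the `website` form; all three are under the `IISDescription` form, because the site description is chosen by the server rather than by the client.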
________________________________
From: Konstantin Voyk [mailto:kvoyk@xxxxxxxxx]
Sent: Friday, August 12, 2005 1:45 PM
To: Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
Subject: RE: IISCosign - one physical server more than 1 cosign-service
possible?
Elias,
1. Apply cosign filter at 'Web Sites' level (where your multiple
websites are listed)
2. Modify your config file to protect multiple web sites
<Service website="ws1.umich.edu">cosign-SERVICE1
  <Protected>/</Protected>
</Service>
<Service website="ws2.umich.edu">cosign-SERVICE2
  <Protected>/application1/page1.aspx</Protected>
  <Protected>/application2/page2.aspx</Protected>
</Service>
Konstantin.
________________________________
From: Elias Asfaw-Kirby [mailto:eliasak@xxxxxxxxx]
Sent: Friday, August 12, 2005 1:28 PM
To: cosign-discuss@xxxxxxxxx
Subject: IISCosign - one physical server more than 1 cosign-service
possible?
Is it possible to have more than one cosign service running off one
physical server using IIS Cosign?
(OS - Windows Server 2003)
Ex.
Currently hosting website ws1.umich.edu on iisserver.umich.edu and
cosign works great.
Is it possible to host ws2.umich.edu on iisserver.umich.edu and use
cosign there also?
Thanks Team,
--
Elias Asfaw-Kirby | 734-615-6490
Web Developer | eliasak@xxxxxxxxx