[an error occurred while processing the directive]

	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IISCosign - one physical server more than 1 cosign-service possible?

To: "Konstantin Voyk" <kvoyk@xxxxxxxxx>, "Asfaw-Kirby, Elias" <eliasak@xxxxxxxxx>, <cosign-discuss@xxxxxxxxx>
Subject: RE: IISCosign - one physical server more than 1 cosign-service possible?
From: "Townsend, Paul" <townsend@xxxxxxxxxxxxx>
Date: Fri, 12 Aug 2005 14:03:42 -0400
Thread-index: AcWfY5ddXDAFu91jTaGU3KRG5pOrQQAAJMFgAACjvnA=
Thread-topic: IISCosign - one physical server more than 1 cosign-service possible?

Do NOT use the website="ws1.umich.edu" syntax.
 
Use the IISDescription="ws1" syntax instead. i.e. 
<Service IISDescription="ws1"> 
 
Reason? Anybody can put your server's ip address into their hosts file
and hit your site using a different dns.  If you use the website=""
syntax, the cosign filter won't recognize that  user-created dns, the
request sails right through, and the user is in.  BIG BIG security hole.
 
IIRC, the website="" syntax was supposed to be deprecated.  If you're
still using it, you should change it immediately.  Your site is
completely open to anybody who knows how to use a hosts file, or who
hits your server using the ip address.
 
The rest of what you say is correct.  Make sure you're using a recent
version of IIS cosign, since early versions didn't play nice with W2k3 &
multiple sites.  Long since fixed.
 
-Paul Townsend
Systems Analyst
Ross School of Business

________________________________

From: Konstantin Voyk [mailto:kvoyk@xxxxxxxxx] 
Sent: Friday, August 12, 2005 1:45 PM
To: Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
Subject: RE: IISCosign - one physical server more than 1 cosign-service
possible?



Elias,

1. Apply cosign filter at 'Web Sites' level (where your multiple
websites are listed)

2. Modify your config file to protect multiple web sites

      <Service website=" ws1.umich.edu ">cosign-SERVICE1

            <Protected>/ </Protected>

      </Service>

      <Service website=" ws2.umich.edu ">cosign- SERVICE2

            <Protected>/application1/page1.aspx</Protected>

            <Protected>/application2/page2.aspx</Protected>

      </Service>

Konstantin.

 

 

________________________________

From: Elias Asfaw-Kirby [mailto:eliasak@xxxxxxxxx] 
Sent: Friday, August 12, 2005 1:28 PM
To: cosign-discuss@xxxxxxxxx
Subject: IISCosign - one physical server more than 1 cosign-service
possible?

 


 Is it possible to have more than one cosign service running off one
physical server using IIS Cosign.
(OS - Windows Server 2003)

Ex.
 Currently hosting website  ws1.umich.edu on iisserver.umich.edu and
cosign works great.
Is it possible to host host ws2.umich.edu on iisserver.umich.edu and use
cosign there also.

Thanks Team,
-- 
Elias Asfaw-Kirby | 734-615-6490
Web Developer     | eliasak@xxxxxxxxx

Prev by Date: Re: IISCosign - one physical server more than 1 cosign-service possible?
Next by Date: Re: Where does cosign write its log(s)? <EOM>
Previous by thread: RE: IISCosign - one physical server more than 1 cosign-service possible?
Next by thread: RE: IISCosign - one physical server more than 1 cosign-service possible?
Index(es):
- Date
- Thread

[an error occurred while processing the directive]