cosign-discuss at umich.edu
general discussion of cosign development and deployment
RE: IISCosign - one physical server more than 1 cosign-service possible?
Jarod,
I want you to clarify some definitions. When you say host name, does it mean the
same as "Host Header value" in IIS Manager? And does binding mean assigning
this host name to a specific IP?
With the configuration I described above, the cosign filter does not work.
Konstantin.
-----Original Message-----
From: jarod@xxxxxxxxx [mailto:jarod@xxxxxxxxx]
Sent: Friday, August 12, 2005 3:19 PM
To: cosign-discuss@xxxxxxxxx
Cc: Konstantin Voyk; 'Townsend, Paul'; 'Asfaw-Kirby, Elias';
cosign@xxxxxxxxx; 'Lyle Whitney'
Subject: RE: IISCosign - one physical server more than 1 cosign-service possible?
If you are using the XML tag <Service website="host.institution.edu"> you should
also use the "Advanced Website Identification" settings in IIS Manager
(right-click on the web site, select Properties, then the Web Site tab, then
click on the Advanced... button) to locally 'bind' your hostname to your IP
address. IIS does NOT do this automatically and, as Paul described, leads to a
major security hole.
If you are using <Service IISDescription="Web site name here"> then the above
does not apply.
--Jarod
Quoting Konstantin Voyk <kvoyk@xxxxxxxxx>:
> Paul,
> Does adding a host name to the web site in the IIS management console cover this
> security hole?
> Konstantin.
>
> -----Original Message-----
> From: Townsend, Paul [mailto:townsend@xxxxxxxxxxxxx]
> Sent: Friday, August 12, 2005 2:04 PM
> To: Konstantin Voyk; Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
> Subject: RE: IISCosign - one physical server more than 1 cosign-service
> possible?
>
>
> Do NOT use the website="ws1.umich.edu" syntax.
>
> Use the IISDescription="ws1" syntax instead. i.e.
> <Service IISDescription="ws1">
>
> Reason? Anybody can put your server's ip address into their hosts file
> and hit your site using a different dns. If you use the website=""
> syntax, the cosign filter won't recognize that user-created dns, the
> request sails right through, and the user is in. BIG BIG security hole.
>
> IIRC, the website="" syntax was supposed to be deprecated. If you're
> still using it, you should change it immediately. Your site is
> completely open to anybody who knows how to use a hosts file, or who
> hits your server using the ip address.
>
> The rest of what you say is correct. Make sure you're using a recent
> version of IIS cosign, since early versions didn't play nice with W2k3 &
> multiple sites. Long since fixed.
>
> -Paul Townsend
> Systems Analyst
> Ross School of Business
>
> ________________________________
>
> From: Konstantin Voyk [mailto:kvoyk@xxxxxxxxx]
> Sent: Friday, August 12, 2005 1:45 PM
> To: Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
> Subject: RE: IISCosign - one physical server more than 1 cosign-service
> possible?
>
> Elias,
>
> 1. Apply cosign filter at 'Web Sites' level (where your multiple
> websites are listed)
>
> 2. Modify your config file to protect multiple web sites
>
> <Service website="ws1.umich.edu">cosign-SERVICE1
>   <Protected>/</Protected>
> </Service>
>
> <Service website="ws2.umich.edu">cosign-SERVICE2
>   <Protected>/application1/page1.aspx</Protected>
>   <Protected>/application2/page2.aspx</Protected>
> </Service>
>
> Konstantin.
>
> ________________________________
>
> From: Elias Asfaw-Kirby [mailto:eliasak@xxxxxxxxx]
> Sent: Friday, August 12, 2005 1:28 PM
> To: cosign-discuss@xxxxxxxxx
> Subject: IISCosign - one physical server more than 1 cosign-service
> possible?
>
> Is it possible to have more than one cosign service running off one
> physical server using IIS Cosign?
> (OS - Windows Server 2003)
>
> Ex.
> Currently hosting website ws1.umich.edu on iisserver.umich.edu and
> cosign works great.
> Is it possible to host ws2.umich.edu on iisserver.umich.edu and use
> cosign there also?
>
> Thanks Team,
> --
> Elias Asfaw-Kirby | 734-615-6490
> Web Developer | eliasak@xxxxxxxxx
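The fail-open matching that Paul and Jarod describe, modelled as an added example that is not IIS Cosign's own code. It contrasts the two configuration styles from the thread: selecting a <Service> by the client-supplied Host header (website="...") versus by the server-side IIS site identity (IISDescription="..."), plus a small model of the IIS host-header binding Jarod recommends. The dispatch logic, the fail-closed default for a site with no <Service>, the `iis_select_site` helper and every request and IP below are assumptions or constructed values; only the hostnames, site names and <Protected> paths come from Konstantin's config.

```python
"""Model of the two <Service> matching styles discussed in the thread.

Added illustration, not IIS Cosign's own code. The dispatch logic, the
fail-closed default for an unmatched site, and every request below are
assumptions/constructed values; only the hostnames and <Protected> paths
come from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Service:
    name: str                                 # cosign service name
    website: Optional[str] = None             # <Service website="..."> (assumed attribute)
    iis_description: Optional[str] = None     # <Service IISDescription="...">
    protected: List[str] = field(default_factory=list)  # <Protected> path prefixes


@dataclass
class Request:
    host_header: str          # Host: header as sent by the client (client-controlled)
    iis_site: str             # IIS site that actually served the request (server-side)
    path: str
    has_cosign_cookie: bool = False  # stands in for a validated cosign session


# Constructed config mirroring Konstantin's two-site example, written both ways.
SERVICES_BY_HOST = [
    Service("cosign-SERVICE1", website="ws1.umich.edu", protected=["/"]),
    Service("cosign-SERVICE2", website="ws2.umich.edu",
            protected=["/application1/page1.aspx", "/application2/page2.aspx"]),
]
SERVICES_BY_SITE = [
    Service("cosign-SERVICE1", iis_description="ws1", protected=["/"]),
    Service("cosign-SERVICE2", iis_description="ws2",
            protected=["/application1/page1.aspx", "/application2/page2.aspx"]),
]


def _decide(svc: Service, req: Request) -> str:
    """Once a <Service> has been chosen, apply its <Protected> rules."""
    if any(req.path.startswith(p) for p in svc.protected) and not req.has_cosign_cookie:
        return "redirect-to-login"
    return "allow"


def filter_by_host_header(services: List[Service], req: Request) -> str:
    """website="..." style: the <Service> is picked by the client's Host header.
    A Host value that matches nothing (the raw IP, or a name the client made up
    in its hosts file) selects no <Service>, so the request passes unfiltered.
    That unmatched -> allow branch is the hole the thread describes."""
    for svc in services:
        if svc.website and svc.website.lower() == req.host_header.lower():
            return _decide(svc, req)
    return "allow"


def filter_by_iis_site(services: List[Service], req: Request) -> str:
    """IISDescription="..." style: the <Service> is picked by the IIS site that
    served the request, which the client cannot influence. Failing closed for
    a site with no <Service> is this example's choice, not a documented
    IIS Cosign behaviour."""
    for svc in services:
        if svc.iis_description and svc.iis_description == req.iis_site:
            return _decide(svc, req)
    return "deny"


def iis_select_site(bindings: Dict[str, str], host_header: str,
                    default_site: Optional[str]) -> Optional[str]:
    """Model of the IIS host-header binding Jarod recommends: a site bound to a
    host header only receives requests whose Host matches it; anything else
    falls to the unbound default site, or to nothing. `bindings` is assumed to
    map host header -> site name."""
    return bindings.get(host_header.lower(), default_site)


def demo() -> None:
    # Constructed requests: a normal visit and one addressed by the raw server IP.
    normal = Request("ws1.umich.edu", "ws1", "/secret")
    by_ip = Request("10.0.0.5", "ws1", "/secret")  # no binding, so ws1 still answers
    print("website= style, normal Host :", filter_by_host_header(SERVICES_BY_HOST, normal))
    print("website= style, Host is IP  :", filter_by_host_header(SERVICES_BY_HOST, by_ip))
    print("IISDescription, Host is IP  :", filter_by_iis_site(SERVICES_BY_SITE, by_ip))
    # With the hostname bound in IIS, a raw-IP request never reaches ws1 at all.
    bindings = {"ws1.umich.edu": "ws1", "ws2.umich.edu": "ws2"}
    print("site selected for IP request:", iis_select_site(bindings, "10.0.0.5", None))


if __name__ == "__main__":
    demo()
```

The point the model makes: with website="...", the client decides which <Service> applies, and an unmatched Host means no filter at all; with IISDescription="...", the server decides, so the same raw-IP request still hits the protected rule. Binding the host header in IIS closes the gap from the other side, because a request that does not carry the bound name is never routed to that site.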