Let only regional clients connect to my 'reset password' site ?



Magoo
07-09-2005, 11:51 PM
Imagine I want to make a URL available on the Internet, published via ISA
2004, where my K-12 students can confirm their identity based on pre-defined
'secret' questions and answers and, upon a match, request a password reset of
their respective Windows AD account in my school domain.

The question is this: would it be viable, secure and a good idea to restrict
the range of IP addresses and let only IP addresses in the range of, let's
say, Seattle, WA connect? I mean, I have no benefit in making such a URL
available for people in China or California. Only local people here in the
area should connect.
Or perhaps I could use the features of ISA 2004 to control this?
Please advise.

Roger Abell
07-09-2005, 11:51 PM
Well, there really is of course no such thing as the range of
IPs that are in use in, say, Seattle. There are many subnets
that today add up to that, but tomorrow it very well may be
different.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Phillip Windell
07-09-2005, 11:51 PM
The answer to just about everything here is "NO" for the most part.

A URL isn't going to do that no matter how many questions they answer. A
very complex ASP or ASP.Net driven website *might* if a very skilled
developer were to create one.

It would *not* be on the Internet because the webserver hosting the Site
would require direct access to your Domain Controller to be able to make the
password change.

Since the Site would be internal on your LAN, the users would never go
through the ISA to get there and ISA would be irrelevant to the whole idea.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



Magoo
07-09-2005, 11:51 PM
Hey Phillip, I meant I would publish the URL, which is actually an ASP.NET
page, to users that attempt to access such a ResetPassword URL from the
Internet.

I think that restricting based on IP address/subnet would not be feasible or
accurate, but I see that if I create a rule on ISA and let only my "Student"
group access such an ASP.NET form... can anyone tell me why this, security-wise,
would be a problem? Perhaps I am wrong, but in my lab here it appears that I
would need to put a RADIUS server in place to let ISA check whether the AD
user is a member of such a "Student" group?


Roger Abell
07-09-2005, 11:51 PM
But then you have a catch-22 scenario.
ISA will let them through if they authenticate so they can be
identified; but, what you want to let them get to is a facility
to reset their forgotten password.

--
Roger

Phillip Windell
07-09-2005, 11:51 PM
"Magoo" <magoo-nospam@hotmail.com> wrote in message
news:%23uCIpFzVFHA.2520@TK2MSFTNGP09.phx.gbl...
> Hey Phillip, I meant I would publish the URL that is actually an ASP.NET to
> users that attempt to access such ResetPassword URL from the Internet.

OK, I see. Well, consider Robert's comment. I think it is the "stake
through the heart" that kills the whole idea of what you want to do. And
you can't very well allow it anonymously because anybody could reset
anybody's password.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Roger Abell
07-09-2005, 11:51 PM
"Phillip Windell" <@.> wrote in message
news:%23b$Uja8VFHA.3152@TK2MSFTNGP12.phx.gbl...
> "Magoo" <magoo-nospam@hotmail.com> wrote in message
> news:%23uCIpFzVFHA.2520@TK2MSFTNGP09.phx.gbl...
> > Hey Phillip, I meant I would publish the URL that is actually an ASP.NET
> > to users that attempt to access such ResetPassword URL from the Internet.
>
> OK, I see. Well, consider Robert's comment. I think it is the "stake

ummm, it's Roger not Robert, Phillip, or did I miss some post to this
thread ?? (just thought I would point it out this time)

--
Roger


Magoo
07-09-2005, 11:51 PM
Well, I see I can't use the "restrict based on groups" approach because,
correct, users would know their usernames but not their passwords, so
therefore nobody would get authenticated through ISA-RADIUS.
Regarding publishing on the Internet and giving anonymous access to everyone
in the world, darn, that's what we do with OWA links and VPN, isn't it? I
figure that if I can expose my OWA link and VPN to the world, I am curious
to analyze this and see why publishing a reset-password URL for students
would be a bad idea. Just thinking...



Roger Abell
07-09-2005, 11:51 PM
Sure, and I have no choice but to make FrontPage based authoring
on IIS webs visible to the world. That does not stop the occasional
pest from repeatedly attempting to find a username/password combo
that works, but at least I have things configured so that if someone has
a poor password and this happens then it is nothing more than their
web content that gets hosed.

In your case, you will have an interface open to the world, with a
lock that you design, hopefully avoiding SQL injection and other app
design/implementation flaws. If someone gets past that lock, then they will
have a component running with credentials able to alter (ideally this
will be fully restrained to only) the passwords of accounts.

This can be done, sure. This can also be an attractive target for
external play, so it would need to be done well (perhaps some little
extras, non-cookie based, like tracking frequency of use by source IP
within a time threshold, etc.).

The bottom line is, as there is no simple way to protect the availability
of the interface, you will need to be all that much more careful about the
interface itself and the account behind it.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
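The gate Roger describes above (a lock built from secret answers, plus throttling of attempts by source IP within a time threshold), written out as an added example. This is not the original poster's ASP.NET code or anything from the thread; it is a language-neutral sketch of the logic in Python. The window length, the per-IP and per-account limits, the PBKDF2 iteration count and the injectable clock are all assumptions chosen for the example; the secret answers in the usage at the bottom are constructed.

```python
"""Illustrative gate for a self-service password-reset page (added example).

Two things the thread asks for: secret answers stored only as salted hashes
and compared in constant time, and throttling of reset attempts by source IP
and by account within a sliding time window. Everything after this gate
(the actual AD reset) is out of scope here.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import List, Optional, Tuple

WINDOW_SECONDS = 600        # assumption: sliding window of 10 minutes
MAX_PER_IP = 5              # assumption: attempts per source IP per window
MAX_PER_ACCOUNT = 3         # assumption: attempts per account per window
PBKDF2_ITERATIONS = 100_000  # assumption: work factor for hashing answers


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Lincoln  Elementary' and
    'lincoln elementary' hash to the same value."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a secret answer; store these, never the answer."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a supplied answer against a stored digest."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)


class ResetGate:
    """Decides whether a reset request may proceed to the password-reset step."""

    def __init__(self, stored_answers, clock=time.monotonic):
        # stored_answers: {username: [(salt, digest), ...]} in question order
        self._answers = stored_answers
        self._clock = clock
        self._by_ip = defaultdict(deque)
        self._by_account = defaultdict(deque)
        # Decoy credentials so an unknown username costs the same time as a
        # known one (no username enumeration through response timing).
        self._decoy = hash_answer(os.urandom(8).hex())

    def _record_and_check(self, bucket, key, limit) -> bool:
        """Drop entries older than the window, then count this attempt.
        Returns True when the caller is over the limit."""
        now = self._clock()
        q = bucket[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(now)
        return False

    def attempt(self, source_ip: str, username: str, answers: List[str]):
        """Return (allowed, reason). Throttle checks run before any secret is
        compared; wrong answers and unknown accounts are indistinguishable."""
        if self._record_and_check(self._by_ip, source_ip, MAX_PER_IP):
            return False, "throttled"
        if self._record_and_check(self._by_account, username, MAX_PER_ACCOUNT):
            return False, "throttled"
        stored = self._answers.get(username)
        known = stored is not None and len(stored) == len(answers)
        if not known:
            stored = [self._decoy] * len(answers)
        ok = known
        for given, (salt, digest) in zip(answers, stored):
            ok &= verify_answer(given, salt, digest)  # no early exit on mismatch
        return (True, "ok") if ok else (False, "denied")


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    gate = ResetGate({"student1": [hash_answer("Rex"), hash_answer("Lincoln Elementary")]})
    print(gate.attempt("203.0.113.7", "student1", ["rex", "lincoln elementary"]))
    print(gate.attempt("203.0.113.7", "student1", ["Rex", "wrong school"]))
```

The per-account cap is what stops someone from grinding through one student's answers from many addresses, and the per-IP cap is what stops one address from grinding through many students; both are needed, and both are checked before the expensive hash so a throttled caller cannot burn CPU. The component that finally performs the reset should still run under an account delegated only the reset-password right on the student OU, as Roger's post says.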

Phillip Windell
07-09-2005, 11:51 PM
Oops, sorry! There is a Robert running around here somewhere too... I just
got the names reversed. Yes, I meant you.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


Roger Abell
07-09-2005, 11:51 PM
No problem. Yes, Robert Moir has inhabited these NGs for
quite a few years . . . It's just that we are different and a third
of the world apart. I thought maybe it was time to end the mixup :-)

--
Roger

Phillip Windell
07-09-2005, 11:51 PM
Well, I was mixing up the spelling, not the people.
If I remember, I think he is in the UK?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



Roger Abell
07-09-2005, 11:51 PM
"Phillip Windell" <@.> wrote in message
news:OTcrb3kWFHA.2124@TK2MSFTNGP14.phx.gbl...
> Well, I was mixing up the spelling, not the people.
> If I remember, I think he is in the UK?
>

Fair enough, and yep, he is.
Nice to meet you one of these days after all these years,
by the way.
--
Roger

Phillip Windell
07-09-2005, 11:51 PM
You'll probably see me at the next MVP Summit. It will be my third trip out
there.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Roger Abell
07-09-2005, 11:51 PM

Let's try.
I have made the past 3 global Summits, but it is such
a circus nowadays . . .

--
Roger

