Internal Web Sites
Many businesses create intranet Web sites to share information (e.g., vacation days, internal phone directories) among team members or as internal reference sites for documenting policy, listing prices for products and services, and so on. Often, these Web sites are open to all users, with little or no access-control security. Although unrestricted access is fine for Web sites accessible only from inside the LAN, it's clearly unacceptable for such sites to be published to the Internet without establishing access control, particularly if the data might be considered confidential or sensitive. For this reason, businesses might turn to a VPN as the solution. Users must authenticate themselves to establish a VPN connection, at which point they're trusted and can be granted anonymous access to internal Web sites. There are, however, alternatives.
If the Web sites are hosted on IIS 6.0 Web servers that are member servers in the same domain or forest as the users, the Web server administrator can disable anonymous authentication and require users to authenticate. If the preferred authentication method for a Web site is Integrated Windows authentication, the Web site can be published to the Internet through a firewall. If the firewall is an application-level firewall (e.g., ISA Server 2006), you can configure access rules so that only certain parts or directories of a Web site are accessible from the Internet, and HTTP traffic can be scanned for malicious Web traffic. When a user attempts to connect to the Web site, he or she will be prompted for credentials. . . .
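Before publishing such a site, an administrator can confirm that each directory really challenges for credentials instead of serving content anonymously. The following is an added example, not part of the original article: it classifies unauthenticated HTTP responses by status code and WWW-Authenticate header. The sample responses, the paths and the function names are constructed for illustration.

```python
from email.parser import Parser

# Constructed sample responses to unauthenticated requests (not real captures).
SAMPLES = {
    "/phonebook/": ("HTTP/1.1 401 Unauthorized\r\n"
                    "Server: Microsoft-IIS/6.0\r\n"
                    "WWW-Authenticate: Negotiate\r\n"
                    "WWW-Authenticate: NTLM\r\n"
                    "Content-Length: 0\r\n\r\n"),
    "/prices/": ("HTTP/1.1 200 OK\r\n"
                 "Server: Microsoft-IIS/6.0\r\n"
                 "Content-Type: text/html\r\n\r\n<html>...</html>"),
    "/policy/": ("HTTP/1.1 401 Unauthorized\r\n"
                 "WWW-Authenticate: Basic realm=\"intranet\"\r\n\r\n"),
}

# Schemes a server offers when Integrated Windows authentication is enabled.
INTEGRATED = {"negotiate", "ntlm"}

def auth_schemes(raw):
    """Return (status code, set of lower-cased WWW-Authenticate schemes)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block, headersonly=True)
    values = headers.get_all("WWW-Authenticate", [])
    return status, {v.split()[0].lower() for v in values if v.strip()}

def classify(raw):
    """Label one response by how the server treated an anonymous request."""
    status, schemes = auth_schemes(raw)
    if 200 <= status < 300:
        return "anonymous-access"        # content served with no challenge
    if status != 401:
        return f"status-{status}"        # redirect, 403, etc.: review by hand
    if schemes and schemes <= INTEGRATED:
        return "integrated-only"         # only Negotiate/NTLM offered
    if schemes & INTEGRATED:
        return "integrated-plus-other"   # e.g. Basic is also enabled
    return "other-auth"                  # challenge without Negotiate/NTLM

def audit(samples):
    return {path: classify(raw) for path, raw in samples.items()}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{path:12} {verdict}")
```

Any directory reported as anonymous-access still allows anonymous authentication and should be fixed before the site is reachable from the Internet.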