Using ASP to Secure Web Pages
Over the past few years, ASP code solutions have begun to show up for Web-page password protection. The ASP examples for page access control are a better approach for IIS administrators because these examples integrate nicely with existing data-driven ASP pages. Many ASP authentication examples use Microsoft Access or Microsoft SQL Server databases to store the user password, thereby increasing security. A few clever ASP solutions contain a dozen or so lines of code that use an HTML form that posts to itself. Using the POST method, the form verifies the password, which is embedded in server-side ASP code that users can't view.
Listing 2, page 13, shows protect.asp, a code example that uses 11 lines of VBScript code and a standard form that posts to itself. The password access is stored as a session variable called SecureAccess. As long as the user's current session stays active, SecureAccess will equal Yes, and the user can access the page without reentering the password. The script checks for a hidden field value in the form and will continue with the password check only if this form sent the correct value.
Insert the code in Listing 2 at the top of an existing page followed by your existing HTML and <BODY> tags or the ASP code. Give the page the same name as defined in the POST action= filename method, which in this case is protect.asp. Then, you can change the password in the If Password= string to your selection. Because the ASP code is server-side code, the password won't be exposed to the user's browser. Be sure not to let users browse this directory because they'll be able to right-click the filename and save the entire contents to a local disk. After users have saved the file locally, they can display the file's contents, including the ASP code and password. If the user enters an incorrect password, the form will continue to reappear, which is preferable over the error message 404 File not found or a Maximum Retries Exceeded error. After the user has entered the correct password, the code redirects the user to the protected portion of the page.
Another method of ASP password protection is to use a password database or password file. This technique presents a form page that requests a username and password from the user. The system compares the username and password with entries in a database or parses a password file for a match. This method is generally more secure than the examples I gave earlier because the ASP code and passwords are stored in separate locations. Many examples of ASP scripts that use a password database are available at ASP code repositories on the Internet.
One final consideration is that you can't let users simply bypass the authentication pages, which means that pages must execute in a controlled order if they don't contain forms that submit to themselves. To prevent this bypass, use session variables or session cookies, and set the page to expire immediately so that the ASP code executes each time the page is accessed. Not doing so might let subsequent users use a cached version of the page to gain access. Caching is one disadvantage of using a session variable: The session stays active until the browser window closes, and anyone who uses the open window can continue to access the secure page.
Using Built-in Windows and IIS Security
You set up these authentication methods in Microsoft Management Console (MMC). To set up authentication, follow these steps:
- Open MMC.
- Right-click an entire site, a file, or a directory, then select Properties.
- In the Properties dialog box, click the File Security tab, then click Edit. The Authentication Methods dialog box that Figure 1 shows will appear.
- Select the Anonymous access check box to let users access the pages you've selected for this authentication setting.
Before you begin password-protecting your Web pages, note that the disk on which password-protected files and directories reside must be NTFS. You need to verify that the wwwroot partition, in addition to any virtual directories that use IIS password protection, is NTFS. To password-protect your files and applications, follow these steps:
- Right-click the file or application you want to protect, then select Properties.
- Click the Security tab.
- Add the user, users, or group that needs access to the resource. Grant the users or group Read privilege (or Read & Execute if the resource is an application).
- Remove the Everyone group, the IUSR_computername user, and any other users to whom you want to deny access. (If you're protecting a virtual directory, ensure that you add the Administrator group with Full Control before you remove the Everyone group.) A dialog box will appear stating that you can't remove this user because the object is inheriting permissions from its parent. Clear the Allow inheritable permissions from parent to propagate to this object check box, as Figure 2 shows.
- The system will ask whether you want to copy or remove previously inherited items. Because you'll keep the Administrator group and remove all other users and groups anyway, click Copy.
- Before you close the Security window, make sure that the account you're using to manage this resource has Full Control rights or you'll lose access to this item. If you want to apply these settings to the entire directory contents and all subdirectories, ensure that settings can propagate to all child objects.
Next, you need to set the IIS permissions for Web access. Open MMC, then expand Services and Applications, Internet Information Services, and the Web site to which you're applying password protection. Right-click the directory or file to which you want to apply password protection, then select Properties. If you're disabling Anonymous access for all files in a directory, right-click that directory in MMC's left pane, then select Properties. Click File Security, then click Edit. To force IIS to present a password dialog box to the user, clear the Anonymous access check box in the Authentication Methods dialog box, then select the Basic authentication (password is sent in clear text) check box. By making these two modifications, browsing users are no longer masquerading as the IUSR_computername user to gain access; users will have to authenticate to open the file or directory.
If your users are logging on to a domain and running Microsoft Internet Explorer (IE), you also have the option of selecting both Basic authentication and Integrated Windows authentication. Doing so lets authenticated IE users pass an encrypted username and password to gain access without a dialog box appearing. (The system still prompts Netscape users for a username and password.) However, if the protected page is the entrance to a database update form or secure application, having a dialog box appear to the user is a nice visual queue that he or she is entering a controlled area. The dialog box also prevents another user from using someone else's authenticated station to access the page or program.
To complete the password-protection setup process, open the Control Panel Local Security Policy applet. Expand Local Policies, then expand User Rights Assignment, as Figure 3, page 16, shows. Double-click Log on locally. Make sure that the user or group to whom you've granted access to the password-protected files has the Log on locally right. If the user or group isn't displayed, click Add, then select the user or group. The user or group will appear in the Assigned To window with the Local Policy Setting selected.
The password-protection setup procedure is now complete, and you can test the access security for a password dialog box. Be certain that all sensitive pages--not just the menu page that requests a password--are protected from viewing by an unprivileged user. If this menu page links to a database form page and a user knows the URL, that user might be able to skip directly to the form page with no authentication.
To ease the administration of protected-page security, use a group and add all authorized users to this group. You also have the option of granting access to only one user account, then supplying this username and password to a team or department of users. In addition, consider disabling IE's password-caching feature so that users can't select the Save this password in your password list check box. For information about this procedure, see the Microsoft article "How to Disable Internet Explorer Password Caching" (http://support.microsoft.com/support/kb/articles/q229/9/40.asp).
The IIS Advantage
Using integrated IIS security has advantages over both programmatic methods for securing Web pages. With integrated security, page execution order isn't important as long as all sensitive pages are protected. In addition, users need to enter their passwords only once, and you don't need to use session cookies or monitor a session variable. Finally, you can easily control user access by using individual accounts, groups, and NTFS security, and you don't have to add code or include files to secure pages.
Note: The steps for password-protecting files or applications are for a Win2K Server or Win2K Advanced Server installation. The dialog boxes and check boxes are slightly different for Windows NT 4.0 and IIS 4.0. For example, in IIS 4.0, when you right-click the file or directory you want to protect, you'll select Properties, Security, then click the Permissions tab. On this tab, verify that the Administrator group has Full Control, then remove the Everyone and IUSR_computername groups as in the IIS 5.0 process. Then, add the users or groups that you want to have access to the protected file, directory, or application. If this directory is the one that you're protecting, select the appropriate check boxes that control the propagation of the permissions to the files and subdirectories.
Note: You select Basic authentication with clear text so that the authentication prompt dialog box will appear to Netscape users and they can authenticate successfully. Of course, a security risk exists in selecting Basic authentication because the password is passed as clear text. If the server in question is on a public network, I discourage this configuration.
| You can obtain the following articles from the |
IIS Administrator Web site at http://www.iisadministrator.com.
IIS 101, "IIS 101: The Basics of IIS Authentication," October 2000 Web Exclusive, InstantDoc ID 15843
"Web and FTP Permissions in IIS 5.0," March 2001, InstantDoc ID 19773