[PLUG-Devel] identify an anonymous user

Victor Odhner vodhner at cox.net
Thu Mar 23 18:34:08 MST 2006


Josh Coffman wrote:

>  My environment will be ms based with IIS, but I get
>better help from you guys than the MS crowd, so I'm
>asking.
>
>  Someone else came to me with this end goal: a web
>app with internet and intranet based users. If the
>user is on the intranet, don't prompt for login. If
>the user is coming from the internet, prompt for
>login.
>
>  If you have a web set to anonymous only, what amount
>of information about the user will you be able to get
>from an http request? (header information, etc)
>  
>
<compulsive kneejerk rant>
  If you have a web?  This sounds like frontpage talk.
  There is one Web, and you don't have it.  Really grates on me
  that MS decided that people did not have web sites, they have
  "webs".  Lame!
</compulsive kneejerk rant>

Answer #1:  There is no connection that can't be spoofed.
I'm sure IIS can give you the apparent IP of the browser
that is connecting, but it might be possible to spoof that.

>On an Intranet with anonymous only, how reliably
>can a user be identified? Or at all?
>  
>
Answer #2:  I think that's a Microsoft technology question.
IIS should be able to identify the IP within your local network
from which the connection was made.  Of course, again,
this could be spoofed; but I wouldn't normally expect that
to be part of my threat-model assuming that users inside the
network are not hostile.

I'd like to suggest that you set up two web servers, with
almost identical IIS setups.  They would share access to
the database, but the one requiring authentication would
be in your DMZ, while the one giving un-authenticated
access would be totally invisible to the outside.

Oh:  but that means two IIS licenses.  Bummer!   ;-)

It might be possible to put a Linux box in the DMZ and
have it intermediate somehow.  The key is that you don't
want to allow outside connections to see a box inside your
network, where un-authenticated things are happening.

If you have both un-authenticated inside access, and
authenticated outside access, going to the same box, then
you have probably compromised your security.

Still, if IIS allows virtual sites, you might still set up the
two-sites approach on one box:  the external site would be
on a different IP, and that would be the only IP reachable
through your firewall.  It would duplicate the internal
site's logic and would share the database.

Incidentally, you don't want the external site to expose
any links to internal resources.  External visitors may
not be able to use those links directly, but they are still
good intelligence in case they have other tricks up their
sleeve.

Good luck,

Vic
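The decision Vic describes (skip the login prompt for intranet users, require it for everyone else, and remember that the apparent client address can be spoofed) reduces to a small access check. The following Python is an added example written for this thread, not code from the original post or from IIS; the intranet ranges, the trusted proxy address and the header handling are assumptions chosen for illustration. It bases the decision on the TCP peer address the server actually saw, honours an X-Forwarded-For header only when the peer is a proxy we control, and fails closed (prompts for login) whenever the origin cannot be established.

```python
"""Decide whether a request should be sent to the login prompt based
on where it appears to originate.  Added example for this thread, not
from the original post.  All network ranges and the proxy address are
constructed for illustration."""
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: address ranges treated as "intranet".  A real deployment
# would list its own ranges.
INTRANET_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: the only reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def effective_client_address(remote_addr: str,
                             forwarded_for: Optional[str] = None
                             ) -> Optional[IPAddress]:
    """Return the address the access decision is based on, or None if
    the origin cannot be established.

    remote_addr is the TCP peer the server saw.  X-Forwarded-For is an
    ordinary request header that any client can set, which is the
    "it might be possible to spoof that" caveat: it is only honoured
    when the peer is a proxy we control, and even then only the
    rightmost entry (the one our proxy appended) is used, so anything
    the client put in the header itself is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES:
        if not forwarded_for:
            return None          # proxy gave us no client: unknown origin
        candidate = forwarded_for.split(",")[-1].strip()
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            return None          # malformed header: unknown origin
    # Direct connection: any X-Forwarded-For is client-supplied, ignore it.
    return peer


def is_intranet(addr: IPAddress) -> bool:
    """True if addr falls inside one of the intranet ranges."""
    return any(addr in net for net in INTRANET_NETWORKS)


def login_required(remote_addr: str,
                   forwarded_for: Optional[str] = None) -> bool:
    """True when the request should be prompted for login.

    Unknown origin fails closed: an unidentifiable user is treated as
    an internet user, never as an intranet one.
    """
    addr = effective_client_address(remote_addr, forwarded_for)
    if addr is None:
        return True
    return not is_intranet(addr)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header)
    samples = [
        ("192.168.1.20", None),                      # intranet, direct
        ("203.0.113.9", None),                       # internet, direct
        ("203.0.113.9", "192.168.1.20"),             # spoofed header, ignored
        ("10.0.0.5", "203.0.113.9"),                 # via proxy, internet client
        ("10.0.0.5", "203.0.113.9, 192.168.1.20"),   # via proxy, intranet client
        ("10.0.0.5", "not-an-ip"),                   # via proxy, garbage header
    ]
    for peer, xff in samples:
        print(f"{peer:<14} {str(xff):<30} login_required={login_required(peer, xff)}")
```

Note that this check only addresses the "which prompt to show" question; it does not by itself implement the separation Vic recommends, where the unauthenticated site is unreachable from outside. The check belongs on the site that internet users can reach, and a client that reaches the internal-only site should already have passed the network boundary.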


