Accessing a web application anonymously

am 18.09.2006 15:09:51 von T-POT

We have an internal web application that will soon need to be
accessed by our members via the web. Internally it works fine
(probably because there are no security restrictions).

I am trying to configure a new IIS6 box to provide this web app without
compromising security.

The IIS server needs to be located in a DMZ and have access to connect
to the SQL server, the application server for ASP pages etc., and a
share located on the application server to access stored images (GIFs
and JPGs) to display to the user - these two machines are
located in our domain.

We set up the IIS server in a screened subnet DMZ and set it up to
allow anonymous access but only managed to get a blank screen displayed
in my client browser.

We then changed the user that should be used for anonymous access to be
a domain user - looking at the logs we can see the client session fails
and then prompts for a username and password. We tried the ISR_USERNAME
and password which didn't work, but if we enter the domain user and
password it does.

Some of the settings to get it working in its current state are:

IIS SERVER
Files located on another machine, always connect as DOMAIN-USER-ACCOUNT
(with password)
Security - Allow anonymous access, user DOMAIN-USER-ACCOUNT (with
password)

SQL SERVER
setup to use SQL authentication

APPLICATION SERVER
Both shares (Web pages and image store) have restricted access, the
DOMAIN-USER-ACCOUNT used on the IIS server has read access.

DMZ
External interface - only allows port 80
Internal interface - allows ports 53 DNS, 88 Kerberos, 101 Host name
resolution, 1433 SQL

We realise this is an unacceptable risk to have remote users entering
domain account information, but I just cannot get it to work any other
way. Can anyone help please?

Re: Accessing a web application anonymously

am 18.09.2006 18:57:24 von Miha Pihler

Hi,

If you need to configure anonymous access, first make sure that the IUSR account
has read permissions (NTFS permissions) on the content. If it doesn't, IIS
will fail, since it always honors NTFS permissions.

If your IIS server is a member of the domain then you will need the following
ports and protocols open and allowed from the server to the domain controllers
in the LAN.

RPC endpoint mapper 135/tcp, 135/udp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
SMB over IP (Microsoft-DS) 445/tcp, 445/udp
LDAP 389/tcp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp, 53/udp
WINS resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp
Network time protocol (NTP) 123/udp

--
Mike
Microsoft MVP - Windows Security

"T-POT" wrote in message
news:1158584991.280615.213850@m7g2000cwm.googlegroups.com...
>
> We have an internal web application that will soon need to be
> accessed by our members via the web. Internally it works fine
> (probably because there are no security restrictions).
>
> I am trying to configure a new IIS6 box to provide this web app without
> compromising security.
>
> The IIS server needs to be located in a DMZ and have access to connect
> to the SQL server, the application server for ASP pages etc., and a
> share located on the application server to access stored images (GIFs
> and JPGs) to display to the user - these two machines are
> located in our domain.
>
> We set up the IIS server in a screened subnet DMZ and set it up to
> allow anonymous access but only managed to get a blank screen displayed
> in my client browser.
>
> We then changed the user that should be used for anonymous access to be
> a domain user - looking at the logs we can see the client session fails
> and then prompts for a username and password. We tried the ISR_USERNAME
> and password which didn't work, but if we enter the domain user and
> password it does.
>
> Some of the settings to get it working in its current state are:
>
> IIS SERVER
> Files located on another machine, always connect as DOMAIN-USER-ACCOUNT
> (with password)
> Security - Allow anonymous access, user DOMAIN-USER-ACCOUNT (with
> password)
>
> SQL SERVER
> setup to use SQL authentication
>
> APPLICATION SERVER
> Both shares (Web pages and image store) have restricted access, the
> DOMAIN-USER-ACCOUNT used on the IIS server has read access.
>
> DMZ
> External interface - only allows port 80
> Internal interface - allows ports 53 DNS, 88 Kerberos, 101 Host name
> resolution, 1433 SQL
>
> We realise this is an unacceptable risk to have remote users entering
> domain account information, but I just cannot get it to work any other
> way. Can anyone help please?
>
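
The port list above is effectively the test of whether a DMZ host can be a domain member at all: the internal-interface rules in the original post (53, 88, 101, 1433) cover only two of the TCP services on it. The script below is an added example written for this page, not code from either poster. It parses the list as printed in the reply, reports which TCP entries the current rule set does not cover, and probes each single TCP port against a domain controller with a plain TCP connect. The DC host name, the `CURRENT_ALLOWED_TCP` set, the function names and the fake connector used in the demo are assumptions for illustration. The RPC dynamic range and the UDP entries are deliberately not probed: a TCP handshake says nothing about UDP, and which dynamic RPC port a DC service uses is only known after asking the endpoint mapper on 135/tcp.

```python
"""Firewall pre-check for a domain-joined IIS host in a DMZ.

Added example for this thread (not the posters' code). Parses the DC
port list from the reply above, diffs it against the rules the original
poster currently allows, and probes single TCP ports against the DC.
"""
import re
import socket
import sys

# Port list copied from the reply above (constructed input for this example).
REQUIRED_PORTS = """\
RPC endpoint mapper 135/tcp, 135/udp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
SMB over IP (Microsoft-DS) 445/tcp, 445/udp
LDAP 389/tcp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
DNS 53/tcp, 53/udp
WINS resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp
Network time protocol (NTP) 123/udp
"""

# Internal-interface rules from the original post (assumed to be TCP only).
CURRENT_ALLOWED_TCP = {53, 88, 101, 1433}

# "NNN/proto" or "NNN-MMM/proto" tokens; everything before the first one is the service name.
ENTRY_RE = re.compile(r"(\d+)(?:-(\d+))?/(tcp|udp)")


def parse_port_list(text):
    """Return a list of (service, low_port, high_port, proto) tuples."""
    entries = []
    for line in text.splitlines():
        first = ENTRY_RE.search(line)
        if not first:
            continue  # blank or malformed line
        service = line[:first.start()].strip()
        for low, high, proto in ENTRY_RE.findall(line):
            lo = int(low)
            hi = int(high) if high else lo
            entries.append((service, lo, hi, proto))
    return entries


def missing_from_rules(entries, allowed_tcp):
    """TCP entries not fully covered by the allowed set.

    A range counts as missing unless every port in it is allowed, which is
    how the 1024-65535/tcp RPC range shows up as the real problem.
    """
    missing = []
    for service, lo, hi, proto in entries:
        if proto != "tcp":
            continue
        if not all(p in allowed_tcp for p in range(lo, hi + 1)):
            missing.append((service, lo, hi))
    return missing


def tcp_connect(host, port, timeout=2.0):
    """Real connector: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(entries, dc_host, connect=tcp_connect):
    """Probe single TCP ports; return ({port: reachable}, [skipped entries]).

    Ranges and UDP entries are skipped rather than guessed at (see lead-in).
    """
    results, skipped = {}, []
    for service, lo, hi, proto in entries:
        if proto != "tcp" or lo != hi:
            skipped.append((service, lo, hi, proto))
            continue
        results[lo] = connect(dc_host, lo)
    return results, skipped


if __name__ == "__main__":
    # Hypothetical DC name; run from the DMZ host: python dcports.py dc01.corp.example
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"
    parsed = parse_port_list(REQUIRED_PORTS)
    for service, lo, hi in missing_from_rules(parsed, CURRENT_ALLOWED_TCP):
        print(f"rule missing: {service} {lo}-{hi}/tcp" if lo != hi else f"rule missing: {service} {lo}/tcp")
    reachable, skipped = probe(parsed, dc)
    for port, ok in sorted(reachable.items()):
        print(f"{dc}:{port}/tcp {'open' if ok else 'BLOCKED'}")
    for service, lo, hi, proto in skipped:
        print(f"not probed: {service} {lo}-{hi}/{proto}" if lo != hi else f"not probed: {service} {lo}/{proto}")
```

Run it from the DMZ box against the DC before rejoining the domain, then compare the BLOCKED lines with the firewall change request. The entry that never goes away is the RPC dynamic range: it is the reason a domain-joined host in a screened subnet is hard to firewall tightly, and the script reports it as a missing rule rather than pretending a single connect test could verify it.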

Re: Accessing a web application anonymously

am 19.09.2006 12:06:23 von T-POT

Hi Mike

many thanks for the response, I will try those settings on the
firewall.

Andy


Miha Pihler [MVP] wrote:
> Hi,
>
> If you need to configure anonymous access, first make sure that the IUSR account
> has read permissions (NTFS permissions) on the content. If it doesn't, IIS
> will fail, since it always honors NTFS permissions.
>
> If your IIS server is a member of the domain then you will need the following
> ports and protocols open and allowed from the server to the domain controllers
> in the LAN.
>
> RPC endpoint mapper 135/tcp, 135/udp
> NetBIOS name service 137/tcp, 137/udp
> NetBIOS datagram service 138/udp
> NetBIOS session service 139/tcp
> RPC dynamic assignment 1024-65535/tcp
> SMB over IP (Microsoft-DS) 445/tcp, 445/udp
> LDAP 389/tcp
> LDAP over SSL 636/tcp
> Global catalog LDAP 3268/tcp
> Global catalog LDAP over SSL 3269/tcp
> Kerberos 88/tcp, 88/udp
> DNS 53/tcp, 53/udp
> WINS resolution (if required) 1512/tcp, 1512/udp
> WINS replication (if required) 42/tcp, 42/udp
> Network time protocol (NTP) 123/udp
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "T-POT" wrote in message
> news:1158584991.280615.213850@m7g2000cwm.googlegroups.com...
> >
> > We have an internal web application that will soon need to be
> > accessed by our members via the web. Internally it works fine
> > (probably because there are no security restrictions).
> >
> > I am trying to configure a new IIS6 box to provide this web app without
> > compromising security.
> >
> > The IIS server needs to be located in a DMZ and have access to connect
> > to the SQL server, the application server for ASP pages etc., and a
> > share located on the application server to access stored images (GIFs
> > and JPGs) to display to the user - these two machines are
> > located in our domain.
> >
> > We set up the IIS server in a screened subnet DMZ and set it up to
> > allow anonymous access but only managed to get a blank screen displayed
> > in my client browser.
> >
> > We then changed the user that should be used for anonymous access to be
> > a domain user - looking at the logs we can see the client session fails
> > and then prompts for a username and password. We tried the ISR_USERNAME
> > and password which didn't work, but if we enter the domain user and
> > password it does.
> >
> > Some of the settings to get it working in its current state are:
> >
> > IIS SERVER
> > Files located on another machine, always connect as DOMAIN-USER-ACCOUNT
> > (with password)
> > Security - Allow anonymous access, user DOMAIN-USER-ACCOUNT (with
> > password)
> >
> > SQL SERVER
> > setup to use SQL authentication
> >
> > APPLICATION SERVER
> > Both shares (Web pages and image store) have restricted access, the
> > DOMAIN-USER-ACCOUNT used on the IIS server has read access.
> >
> > DMZ
> > External interface - only allows port 80
> > Internal interface - allows ports 53 DNS, 88 Kerberos, 101 Host name
> > resolution, 1433 SQL
> >
> > We realise this is an unacceptable risk to have remote users entering
> > domain account information, but I just cannot get it to work any other
> > way. Can anyone help please?
> >