How URL Authorization Increases Web Server Security
Why URL Authorization?
Web sites are set up for many different purposes. A popular use of the web (especially on intranets) is to allow a group of people to access information they need to do their jobs, quickly and easily via a standard interface (the web browser) from any location (office, home, on the road). However, this information is often proprietary or sensitive, and you don't want just anyone to be able to access it just because it's on the web server.
That's where URL authorization comes in. In these cases, we need a mechanism for controlling who can or can't gain access to a particular web page or site. There are several ways to do this - for instance, by setting password protection on the page. The problem with this solution is that if an unauthorized person discovers (or guesses) the password, he/she will be able to access the page. A more secure way to control access is to tie it to the user's account in the domain and/or role in the organization. Windows Server 2003 gives you a way to do this, by implementing URL authorization and configuring role-based authentication via Authorization Manager. Web applications written within the ASP.NET framework can use URL authorization to control access.
The Role of Authorization Manager
Authorization Manager is a Windows Server 2003 utility that is used to implement role-based administration via authorization rules, which are scripts that configure settings to authorize users or computers for specific roles. The user roles are generally based on users' job duties, whereas computer roles are based on the functionality of the machine within the network (for example, a web server). For more information on role-based access control and Authorization Manager, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManBizRules.asp.
User roles can be defined in Lightweight Directory Access Protocol (LDAP) queries. The user object contains information about the user that can be accessed via an LDAP query, and this information can be used to determine whether a user fits the criteria that qualify him/her for that role. For example, you might want to restrict access to a particular web page to only those users who work at a specific geographic location.
You can also restrict the time of day or day(s) of the week that users can access the web page, by creating BizRules. These are dynamic business rules, which are simply scripts that are attached to task objects. They're used to authorize users based on information that is only available at runtime (the time during which the script is run), such as the time of day or day of the week. BizRule scripts can be written in VBScript or JScript, so you need to be familiar with one of these scripting languages to create BizRules. BizRules are added or edited with the Authorization Manager MMC, which can be opened by typing azman.msc at the Run box. For more information on creating BizRules and loading the script into the authorization store, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManBizRules.asp.
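The following is an added example of a time-based BizRule, not a script from the article or from Microsoft; it grants the task only on weekdays between 08:00 and 18:00 (server local time) and denies it otherwise. The business-hours window is an assumed policy; the AzBizRuleContext object and its BusinessRuleResult property are supplied by Authorization Manager when it runs the script.

```vbscript
' Added example BizRule (VBScript). Authorization Manager evaluates this script
' when the task it is attached to is checked; the access decision is whatever
' AzBizRuleContext.BusinessRuleResult holds when the script ends.
Option Explicit

Dim evalTime, dayOfWeek, hourOfDay

' Assumed policy: Monday to Friday, 08:00 <= time < 18:00, server local clock.
Const OPEN_HOUR  = 8
Const CLOSE_HOUR = 18

evalTime  = Now
dayOfWeek = Weekday(evalTime, vbSunday)   ' 1 = Sunday ... 7 = Saturday
hourOfDay = Hour(evalTime)                ' 0 .. 23

' Fail closed: deny unless every condition below is satisfied.
AzBizRuleContext.BusinessRuleResult = False

If dayOfWeek >= vbMonday And dayOfWeek <= vbFriday Then
    If hourOfDay >= OPEN_HOUR And hourOfDay < CLOSE_HOUR Then
        AzBizRuleContext.BusinessRuleResult = True
    End If
End If
```

Because the decision is made from the server's clock at request time, a request at 17:59 is allowed and one at 18:00 is refused; the default of False means a scripting error or an unexpected value can never widen access.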
How URL Authorization Works
When you use URL authorization to control access to web resources, IIS will determine the user's roles and base authorization decisions on that information. The software component that handles this task is the Internet Server Application Programming Interface (ISAPI) interceptor.
How to Use URL Authorization
URL authorization is not enabled by default in IIS 6.0. To use it, you'll first need to enable the ISAPI interceptor. The file name is Urlauth.dll, and it has to be enabled for each individual web site for which you want to use URL authorization. Note that you need a local administrative account (or delegated authority) on the computer running IIS 6.0 to enable the ISAPI interceptor. Here are the steps required to do so:
- Click Start | All Programs | Administrative Tools | Internet Information Services.
- In the left pane of the IIS Management console, expand Web Sites.
- Right click the web site for which you want to use URL authorization and select Properties.
- Click the Home Directory tab. Select Configuration under Application settings.
- Click the Mappings tab. Click Insert under Wildcard application maps.
- In Add/Edit Application Extension Mapping, click Browse and navigate to the following directory: Windows\system32\inetsrv.
- Select urlauth.dll. Click Open. Click OK.
- You'll need to repeat this process for each web site that will use URL authorization.
After you enable the ISAPI interceptor, you're still not yet ready to use URL authorization. First, you need to set several metabase properties on the URL. These include the following:
- AzEnable to enable URL authorization for that URL
- AzStoreName to associate the URL with an authorization manager store
- AzScopeName to associate the URL with a scope
- AzImpersonationLevel to configure the web application to impersonate either the user, the IIS worker process or the IUSER_
To set the impersonation level, you can use a value of 0, 1 or 2. A setting of 0 indicates impersonation of the authenticated client. A setting of 1 indicates impersonation of the IIS worker process. A setting of 2 indicates impersonation of the anonymous user account.
You'll need some scripting skills to set these metabase properties.
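As an added example (not one of Microsoft's sample scripts), the following VBScript sets the four metabase properties on a site's root through the IIS ADSI provider and reads them back. The site identifier (1, the Default Web Site), the msxml:// store path and the scope name are assumed values that you would replace with your own.

```vbscript
' Added example: configure URL authorization on one web site via IIS ADSI.
' Run with cscript from an account that has local administrative rights on
' the IIS 6.0 server. Site ID, store path and scope name are assumptions.
Option Explicit

Const SITE_ID   = "1"                                      ' assumed: Default Web Site
Const STORE_URL = "msxml://C:\Inetpub\AzStore\webstore.xml" ' assumed XML authorization store
Const SCOPE     = "IntranetReports"                        ' assumed scope defined in that store

' AzImpersonationLevel values as described in the article.
Const IMPERSONATE_CLIENT    = 0
Const IMPERSONATE_WORKER    = 1
Const IMPERSONATE_ANONYMOUS = 2

Dim root
Set root = GetObject("IIS://localhost/W3SVC/" & SITE_ID & "/Root")

' Enable URL authorization and bind the URL to its store and scope.
root.Put "AzEnable", True
root.Put "AzStoreName", STORE_URL
root.Put "AzScopeName", SCOPE
' Impersonating the authenticated client keeps the application running with
' the caller's own token rather than the (more privileged) worker process token.
root.Put "AzImpersonationLevel", IMPERSONATE_CLIENT
root.SetInfo

' Read the values back so the operator can verify what was actually written.
Dim propName
For Each propName In Array("AzEnable", "AzStoreName", "AzScopeName", "AzImpersonationLevel")
    WScript.Echo propName & " = " & root.Get(propName)
Next
```

The same Put/SetInfo pattern applies to a virtual directory or application path (for example IIS://localhost/W3SVC/1/Root/Reports) if only part of the site should be protected.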
For sample scripts and detailed step by step instructions on configuring URL authorization in IIS 6.0, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/AthManWp.asp.
URL authorization is one of many new security features in Internet Information Services 6.0, the latest version of Microsoft's web server software built into Windows Server 2003. URL authorization uses the Authorization Manager to give you more control than ever over access to web pages and web applications. If you need to control access based on user roles, check out this important new feature.