CJM
We have a simple intranet currently but as time goes by it is increasing in
its complexity and its use.
Some of the published content is only for the eyes of the select few.
Currently this is restricted by a DB-driven menu system; all users can view
standard content, but some users can login to view extra content. In
reality, only the intranet menus are restricted - if a user knew the path of
a restricted file, they could enter it into the address bar and access the
file. A bigger problem is searching. I've built a limited-scope search
facility using the indexing service, but if this was rolled out to the full
site, there would be no way for this facility to discriminate between 'open'
files and restricted files.
We are looking to improve the intranet soon, but the biggest problem I have
is which security model to choose. One of the ways we could probably
overcome the shortfalls of the current situation is to move to Integrated
Authentication. No login would be required, and AFAIK, the indexing service
would only return files that the user is entitled to view(?). The problem
with this scenario is with shared machines. For example, we are a group of
manufacturing companies, and we have shared machines on the shop floors - in
most cases, the shop-floor staff have very limited access rights, but their
chargehands and team leaders need greater privileges. The way it tends to
work is that one person logs onto the machine and all his colleagues share
his machines (and use his account!). I've been assured that this habit is
impossible to change!
Under an integrated auth scenario, the team leaders would either have to
share their privileges with their staff (very undesirable), or would have
to lose their privileges (also undesirable). In the current system, they
can log in and out of the intranet application as they wish.
What would be ideal is a combination of the two models: to have a login (and
logout) procedure that requires their Windows UID/Pwd. They could log in and
out when restricted files were needed, and in addition, the indexing service
search would be secured, and files would not be accessible directly via the
address bar.
I know the direct-access-through-address-bar problem can be solved by using
an ISAPI extension/filter. I've also heard something about ADAM (Active
Directory Application Mode), but I know very little about Integrated
Authentication, Active Directory, or ADAM. [You could say I don't know ADAM
from Adam... this probably is a very parochial joke]
I'm praying that there is somebody out there who has been in the same boat,
but failing that, ideas/suggestions/sympathy are welcomed from the floor.
Thanks
Chris
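Added example, not from the original post or from any product it mentions: a small model of the two access models Chris contrasts. The menu-only server hides restricted entries from the menu but serves any path typed into the address bar; the gated server decides entitlement on every request and runs search results through the same check, and a session object gives the explicit login/logout wanted on shared shop-floor machines. All paths, groups and accounts are constructed sample data.

```python
# Added example, not from the original post. Contrasts a menu-only restriction
# (any typed path is served) with a per-request entitlement gate that also
# filters search results. Paths, groups and accounts are constructed samples.

# Constructed content tree: path -> groups allowed to read it.
# An empty set means open to every intranet user.
CONTENT = {
    "/news/canteen.html": set(),
    "/procedures/line3-setup.html": set(),
    "/hr/salary-bands.html": {"team-leaders", "hr"},
    "/quality/ncr-2004-017.html": {"team-leaders", "quality"},
}

# Constructed accounts: a shop-floor operator and a team leader.
USERS = {"operator": set(), "teamlead": {"team-leaders"}}

def can_read(user, path):
    """Deny by default: an unknown path or unknown user is never readable."""
    required = CONTENT.get(path)
    if required is None or user not in USERS:
        return False
    return not required or bool(USERS[user] & required)

def menu_for(user):
    """What a DB-driven menu shows: only the entries the user is entitled to."""
    return sorted(p for p in CONTENT if can_read(user, p))

def menu_only_server(user, path):
    """Current model: the menu hides entries, but the path itself is not checked."""
    return 200 if path in CONTENT else 404

def gated_server(user, path):
    """Target model: entitlement decided on every request, menu or address bar."""
    return 200 if can_read(user, path) else 403

def search(user, term):
    """Search results pass through the same gate as direct file requests."""
    hits = (p for p in CONTENT if term.lower() in p.lower())
    return sorted(p for p in hits if can_read(user, p))

class SharedMachineSession:
    """Explicit login/logout on a shared machine: the default identity is the
    operator; a team leader elevates only while logged in, then logs out."""
    def __init__(self, default_user):
        self.default_user = default_user
        self.user = default_user
    def login(self, user):
        self.user = user
    def logout(self):
        self.user = self.default_user
    def fetch(self, path):
        return gated_server(self.user, path)
```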