Last post Sep 08, 2012 06:55 AM by gnosischief
Aug 23, 2012 08:22 AM | Gudea
I developed a web based application that controls software versioning and automates implementation through the corporate network.
It doesn't use AD integration because every user of the system would need access to the destination folders on all servers in the network to deploy software. If I integrated AD, I would need to grant users access to those folders and servers, so anyone could bypass the implementation tool and deploy whatever he wants with no control.
So, the application is now using the local (IIS server) computer name to access the destination folders. That IIS server's computer was granted access, so no user can access the production servers' filesystem without the implementation software.
Now the application server was migrated to IIS 7, which apparently doesn't allow the computer's name to be used as an account.
The company is audited by a regulation authority that rules, applies and controls security policies. Those, like SOX, don't allow generic user accounts.
I was thinking of creating a service account and attaching it to the application's AppPool, but as service accounts are more like regular user accounts (just not assigned to a physical person), the security staff doesn't agree very much with that solution.
My question is:
Is there any way to attach a kind of token or something to the process, so that when granting an AD user access to any resource, that token would be requested?
I mean integrate AD with the application, grant the user access to the resource (folder/server), but demand a kind of token from him in the process (given only by the implementation application), so the user can't access that resource from outside.
That way I would get best of both worlds.
Any other suggestion?
Sep 08, 2012 06:55 AM | gnosischief
If users are using a domain ID as their digital identity, then:
Create global security group(s) in your AD based on the number of roles you need for the different permission sets/levels.
Then create appropriate sessions in the web page and check them in the Page_Load function accordingly (if accessed via the web interface).
If users access via a network share or NTFS security, then add the security group to the folder security and change the security permissions as required.
Finally, add members (domain IDs) to the security group, and users will have limited access permissions.
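The steps in the reply above, written out as an added PowerShell example (not code from either poster). The domain CORP, the OU, the destination folder \\prodsrv01\Deploy, the group names and the sample user IDs are all assumptions; the script needs the ActiveDirectory module (RSAT) and rights to change the folder ACL.

```powershell
# Added example: one AD global security group per deployment role, the groups
# (not individual users) placed on the destination folder ACL, then members added.
# Assumed/hypothetical names: domain CORP, OU below, folder \\prodsrv01\Deploy.
Import-Module ActiveDirectory

$groupOU  = 'OU=Deployment,DC=corp,DC=example'   # assumption
$destPath = '\\prodsrv01\Deploy'                  # assumption
$roles = @{
    # group name        -> NTFS rights that role needs on the destination folder
    'Deploy-Operators' = [System.Security.AccessControl.FileSystemRights]::Modify
    'Deploy-Auditors'  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

# 1. One global security group per role (skip groups that already exist).
foreach ($name in $roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $groupOU)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $groupOU -Description "Deployment tool role: $name"
    }
}

# 2. Put the groups on the folder ACL, inherited to subfolders and files.
$acl = Get-Acl -Path $destPath
foreach ($entry in $roles.GetEnumerator()) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CORP\$($entry.Key)",              # assumption: NetBIOS domain name CORP
        $entry.Value,
        'ContainerInherit, ObjectInherit', # apply to subfolders and files
        'None',
        'Allow')
    $acl.SetAccessRule($rule)
}
Set-Acl -Path $destPath -AclObject $acl

# 3. Day-to-day changes are membership only: add named domain IDs to a role group.
Add-ADGroupMember -Identity 'Deploy-Operators' -Members 'jdoe', 'asmith'   # sample users (assumption)

# 4. Verify: list the group's members and the resulting folder ACEs for review.
Get-ADGroupMember -Identity 'Deploy-Operators' | Select-Object SamAccountName
(Get-Acl -Path $destPath).Access |
    Where-Object { $_.IdentityReference -like 'CORP\Deploy-*' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

Step 4 is what an auditor will ask for: the ACL should show only the role groups, and access reviews then reduce to checking group membership.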