The Pennsylvania State University © 2007 Web-Based Access Control for ITS Web Services, Present and Future Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group James A. Vuccolo, Manager, Software Solutions Group Applied Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)

Topics
Access Control Concepts, Methods and Technology
Restricting Access on ITS Web Services
Role Based Tools
New and changing services

Access Control Concepts
Identification and Authentication (AuthN)
Authorization (AuthZ)
Roles and Groups

Access Control Methods
File Permissions
  – all or nothing?
  – Special cases: Portal, share.pass, WebMail
Database restrictions (SQL GRANT)
Web server control / .htaccess
Roles and Groups

Access Control Technology - AuthN
HTTP Basic auth
  – .htpasswd
  – mod_auth_kerb / mod_auth_dce / mod_auth_external
CGI form / Cookies
  – Penn State WebAccess / CoSign
  – Custom database enabled application
Less used
  – Client certificates
  – Kerberos browser support

Access Control Technology - AuthZ
File Permission Control
  – ACL Explorer (on
  – PASS Shares (“File Sharing” button of the PASS Explorer)
Web Permission Control: .htaccess
  – Restrict Access to COLA (on
  – Dynamic Web application based (CGI, PHP, etc.)
Groups: User Managed Groups (DCE, LDAP)
  – Course groups
  – Implicit UMGs

ACLs and UMGs
Explicit UMGs must be told what to do
  – To restrict file access by explicit UMG, the UMG must be added to the ACLs.
File users can be specified in ACLs or UMGs
  – Which is better for you?
Web users can be specified in .htaccess or UMGs
  – However, UMGs need mm_mod_auth_ldap (with patch)
  – Alternatives: mod_auth_ldap, mod_authz_ldap
Demonstration

Manage Web Editors (Implicit UMGs)
Departmental Web Space (
  – umg/services.
Course Online Accounts (
  – umg/services.
Student Orgs Web Space (
  – umg/clubs.campusname.clubname

ACL Problems to Avoid
mask_obj problems
  – Secure FTP setting / SMB share setting
  – Removing in ACL explorer
Removing desired permissions by recursion
  – User home & www, share
  – Departmental space and group folders
Removing user_obj the wrong way
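The mask_obj problem on this slide is easiest to see with a small effective-permission model. This is an added example, not code from the talk or from ACL Explorer; it assumes the DCE ACL rule that mask_obj filters every entry except user_obj and other_obj, uses the DCE DFS rights letters (rwxcid), and the ACL and the UMG name below are constructed.

```python
# Added example: effective-permission model for DCE-style ACLs, showing how a
# rewritten mask_obj silently strips rights from group and named-user entries.
# Assumptions: mask_obj filters all entries except user_obj and other_obj (the
# DCE rule as understood here); rights letters are DCE DFS's; the ACL is constructed.

RIGHTS = "rwxcid"  # read, write, execute, control, insert, delete


def effective(acl):
    """Return {entry: effective rights} after mask_obj is applied."""
    mask = set(acl.get("mask_obj", RIGHTS))
    out = {}
    for entry, rights in acl.items():
        if entry == "mask_obj":
            continue
        granted = set(rights)
        if entry not in ("user_obj", "other_obj"):  # only these escape the mask
            granted &= mask
        out[entry] = "".join(c for c in RIGHTS if c in granted)
    return out


def mask_losses(acl):
    """List (entry, rights) pairs where mask_obj removes rights the entry grants."""
    eff = effective(acl)
    return [(e, "".join(c for c in acl[e] if c not in eff[e]))
            for e in eff if set(acl[e]) - set(eff[e])]


# Constructed ACL for a departmental www folder edited through a UMG.
WWW_ACL = {
    "user_obj": "rwxcid",
    "group_obj": "rwxid",
    "group:umg/services.example": "rwxid",  # placeholder UMG name
    "other_obj": "rx",
    "mask_obj": "rwxid",
}
# The same ACL after a client tool (the SFTP / SMB case on the slide) rewrote mask_obj to r-x.
AFTER_CLIENT = dict(WWW_ACL, mask_obj="rx")

if __name__ == "__main__":
    for name, acl in (("before", WWW_ACL), ("after", AFTER_CLIENT)):
        print(name, effective(acl), "lost:", mask_losses(acl))
```

The owner (user_obj) keeps full rights in both cases, which is why the loss of write for the UMG editors often goes unnoticed until someone other than the owner tries to publish.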

Roles
What is a role?
Example
Case Studies
WebRAT

What is a role?
Roles are groups of people with attributes

Example
Group Entry
dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=375704,dc=psu,dc=edu

dn: psdiridn=375705,dc=psu,dc=edu
psmnemonics=wfg.046.notify:0:TLT
psaccountnumbers=wfg.046.notify:0:ALL
psfundtype=wfg.046.notify:0:ALL
psdollarthreshold=wfg.046.notify:0:NoLimit

Case Studies
Penn State WorkFlow
Departmental Identity

Penn State WorkFlow
Problem
  – Needed a solution to control authorization to various financial applications within the Penn State WorkFlow system
Solution
  – Use roles to group financial people together and specify access restrictions via attributes
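To make the Example slide's entry and the WorkFlow case study concrete, here is an added example (not code from the talk, WebRAT or Penn State WorkFlow) that parses an entry of that shape and evaluates a financial request against the role's attributes. The attribute semantics are assumptions: values are role:instance:value triples, ALL and NoLimit act as wildcards, and the psdiridn values are constructed placeholders.

```python
# Added example (assumed semantics, not Penn State's documented ones): values are
# role:instance:value triples, ALL / NoLimit are wildcards, ids below are placeholders.
SAMPLE_LDIF = """\
dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=100001,dc=psu,dc=edu
member: psdiridn=100002,dc=psu,dc=edu

dn: psdiridn=100001,dc=psu,dc=edu
psmnemonics: wfg.046.notify:0:TLT
psaccountnumbers: wfg.046.notify:0:ALL
psfundtype: wfg.046.notify:0:ALL
psdollarthreshold: wfg.046.notify:0:NoLimit

dn: psdiridn=100002,dc=psu,dc=edu
psmnemonics: wfg.046.notify:0:TLT
psaccountnumbers: wfg.046.notify:0:12345
psfundtype: wfg.046.notify:0:GEN
psdollarthreshold: wfg.046.notify:0:5000
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a minimal, blank-line separated LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        if not line.strip():
            current = None
        elif attr == "dn":
            current = entries.setdefault(value.strip(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value.strip())
    return entries

def role_constraints(entry, role):
    """Map attr -> value for one role from its role:instance:value triples."""
    triples = ((a, v.split(":", 2)) for a, vs in entry.items() for v in vs)
    return {a: p[2] for a, p in triples if len(p) == 3 and p[0] == role}

def authorized(entries, role, person_dn, mnemonic, account, fund, amount):
    """Deny by default: group membership plus every attribute must admit the request."""
    group = entries.get(f"cn={role},dc=psu,dc=edu", {})
    if person_dn not in group.get("member", []):
        return False
    c = role_constraints(entries.get(person_dn, {}), role)
    if (c.get("psmnemonics") != mnemonic
            or c.get("psaccountnumbers") not in ("ALL", account)
            or c.get("psfundtype") not in ("ALL", fund)):
        return False
    limit = c.get("psdollarthreshold", "0")
    return limit == "NoLimit" or amount <= float(limit)
```

A person whose entry lacks one of the attributes for the role is refused, so a half-assigned role fails closed rather than open.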

Departmental Identity
Problem
  – How do you represent information about a person who has multiple affiliations? i.e. a staff member at UP who teaches at Penn State Altoona
Solution
  – Use a role to represent the additional affiliations

WebRAT
Web-based Role Authorization Tool (a.k.a. “The RAT”)
Allows authorized personnel to assign roles
Uses role as template to determine what attributes to assign
Demonstration

protected.personal.psu.edu
Problem
  – The web server is open to the world. It does not have a mechanism by which an average user can control access to his/her content. Technically inclined users can set .htaccess file based password protection. However, they cannot authenticate Access/FPS accounts on
Solution
  – https://protected.personal.psu.edu/ is a future service that will solve this problem
  – Access can be controlled using any combination of Access and FPS Accounts, groups and roles

Access Control Manager
A prototype of a Web-based tool that will be used to control access to content that is hosted on
Demonstration

Directory Authorization Control
mm_mod_auth_ldap example
PHP example
Demonstration

ITS Web Service Changes
facelift http://
Install mm_mod_auth_ldap on more servers
  – E.g. PASS Migration
  – ACL Explorer redo
http://blogs.psu.edu/ may have a protected version
Demonstration

Resources
Apply for Web space
  – Individual:
  – Course:
  – Departmental:
  – Student Org:
Apply for User Managed Group (explicit)
  – Regular: Apply for Services > “Create a User Managed Group for Personal or Departmental space”
  – Course group: Manage Services > “Create a User Managed Group for a Course”
Authentication / Authorization control basics
  – Set UMG in ACLs:
  – Basic password protect:
  – WebAccess for Web dev: