Thanks for the Quick response.
I'm currently using ASP Membership roles on my site and I'm using an
SQL server 2005 database.However the data I'm trying to protect is on
the domain host file system. I use Membership roles to limit
legitimate access requests (through web pages) to the file system,
however since I had to allow write access to some roles (for file
creation/ deletion of files), I don't know how to stop unauthoized
users/intruders from viewing/modify those files and directories.
Using the combination of "CompanyID" and the membership roles, the
VB.NET "code behind" restricts users from access to other vendors
data directories, however an unauthorized intruder would have not
those resrictions.
If you make it so the files are always served up by a page, rather than
by
http://mysite/hackme.doc, would that solve the problem?
http://mysite/trytohack.aspx?doc=hackme
Sorry, you don't have access.
I known that on a normal windows logon, the user has certain "access
rights"/priviliges that restrict his ability to perform certain tasks
or access certain directories. The logged on user also belongs to
secuirty groups ("admin","Guest", "User", etc.) that define what he is
able to do. Is there a way to programatically provide this
functionality to a WebSite and the hosting file system ?
No, because users, by default, all map to one account. you can make them
map to windows accounts, but there is no automagic tool (except perhaps
Commerce server) to create the windows accounts for you, so it is a
maintenance nightmare.
For instance when Vendor "x" logs on to the website, his Windows
security group would be changed to group "x" and Vendor "y"'ssecurity
group would be changed to group "y". Aslo the subdirectories for
these vendors,when created, would belong to the appropriate group.
These priviliges/"access rights" need to be changed using the VB.Net
"code behind" software.
Does this functionality exist with .NET?
You can create rules and use the membership bits, but to go about this
with directory security gets pretty sticky. Let's take just two vendors.
Vendor 1 has 200 customers, vendor2 has 300.
SO, now you set up directory security and file security. Initially,
vendor1 is the only one with directory access to his directory and
vendor2 with his. They both allow fileX in their directory to be served
up by their customers.
So, you now have to create windows logons for 500 additional people and
somehow map them to users.
This can be done with Commerce server quite easily, but I am not sure it
is still supported. And it does a strange proxy kind of thing.
A better solution would be to store the data in a database. A secondary
solution is have the actual file stored in the database. If you are
using SQL 2008, you can store it on the local drive with access from SQL
only, if that is what you desire. Then you can restrict based on roles.
As for a built in .NET secure files and directories and map to user
accounts in membership? There is none.
The short story is you are going to have to compromise somewhere. Either
compromise how you serve the doc, where you store the doc or work with
something like Commerce Server to serve up.
The only other way I can think of is SharePoint and using its CMS
features, but this means 100% of the customers have to be registered
users.
Peace and Grace,
--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
Twitter: @gbworld
Blog:
http://gregorybeamer.spaces.live.com
My vacation and childhood cancer awareness site:
http://www.crazycancertour.com
*******************************************
| Think outside the box! |
*******************************************