But I am hoping to get some good advice from the experts.
I have a web application which is on a web server behind a NetScreen firewall.
The application is running on IIS. It uses an Access database. Users can log
in to the application (application level passwords stored in a table in the
database) and run queries on the data. Their results are restricted to the
users' data by virtue of the ID/password combination used to log in.
We would now like to increase the security on the application, particularly by
being able to monitor/log the users who are accessing the data. It would appear
that we have two choices: creating individual NT user accounts on the web
server and using NT C/R, or enabling validation on the firewall (which would
also involve creating/maintaining user accounts).
For purposes of security, my feeling is that we should go with validating at the
firewall. The problem is, that would require two logins to reach the
application, one at the firewall and one at the application level. We could
probably use the same user ID/PWD combinations in both places, but that seems to
defeat the purpose of the firewall (actually, these ID/PWD combinations can
currently be used by multiple users, i.e., groups).
Other issues aside, I feel that going the route of validating via NT at the web
server would require the same amount of effort, but would result in additional
exposure.
The only 'mitigating' factor I can see here for using NT security is that we
might in the future wish to provide additional applications/data via this
server. In the case where the data being provided could be segregated by user
group, we could then use NT authentication to allow access to specific data
sets.
A brief side question: Is there any real reason that application level security
is significantly less secure than other forms of authentication, i.e., would we
be just as well off if we validated the users to a database and made that
database separate from the application data, perhaps even on another machine?
Am I off base here?
I apologize if I am wasting anyone's time here, but I will truly appreciate your
input.
Regards,
Tom
Web Developer, HealthFirst
(212) 801-6214
==============================================
The opinions contained herein are mine and mine alone. I am fortunate that
HealthFirst allows me to express them to you, but they are not responsible for
what I say.
==============================================
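The post asks whether application-level authentication can give per-user accountability and whether it is inherently weaker than NT or firewall authentication. The following is an added illustration, not the poster's code and not tied to IIS or Access: it sketches the two properties the post is after, individual (not group) credentials stored as salted hashes, and an audit trail recording which user ran which query against which rows. In-memory dicts stand in for the users and data tables, the user names, passwords, group names and row contents are constructed, and the PBKDF2 work factor is an assumed tunable value.

```python
"""Per-user application login with hashed credentials, row restriction by the
user's group, and an audit log. Constructed example; the users, records and
work factor below are assumptions, not values from the original post."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the server's CPU budget


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the table never holds cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(users: dict, username: str, password: str, group: str) -> None:
    """One row per individual user; the group is an attribute of the user,
    not a shared credential, so the audit log can name the actual person."""
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": hash_password(password, salt), "group": group}


def verify_password(users: dict, username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        # Do the same work for unknown users so response time does not
        # reveal whether a username exists.
        hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])


class App:
    """Minimal stand-in for the web application: login, session, query, audit."""

    def __init__(self, users: dict, records: list):
        self.users = users
        self.records = records
        self.sessions = {}   # session token -> username
        self.audit = []      # append-only list of audit events

    def _log(self, user, event, **detail):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "event": event,
            **detail,
        })

    def login(self, username: str, password: str):
        """Returns a session token on success, None on failure; both are logged."""
        ok = verify_password(self.users, username, password)
        self._log(username, "login", ok=ok)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def query(self, token: str, predicate=lambda row: True):
        """Runs a query restricted to the caller's group and records who
        saw which row ids. Rejected calls are logged too."""
        username = self.sessions.get(token)
        if username is None:
            self._log(None, "query_rejected", reason="invalid session")
            return None
        group = self.users[username]["group"]
        rows = [r for r in self.records if r["group"] == group and predicate(r)]
        self._log(username, "query", group=group, row_ids=[r["id"] for r in rows])
        return rows


def build_demo() -> App:
    """Constructed users and data standing in for the Access tables."""
    users = {}
    create_user(users, "alice", "correct horse", "claims")
    create_user(users, "bob", "battery staple", "billing")
    records = [
        {"id": 1, "group": "claims", "payload": "claim 1001"},
        {"id": 2, "group": "claims", "payload": "claim 1002"},
        {"id": 3, "group": "billing", "payload": "invoice 7"},
    ]
    return App(users, records)


if __name__ == "__main__":
    app = build_demo()
    token = app.login("alice", "correct horse")
    print(app.query(token))
    for event in app.audit:
        print(event)
```

The point of the audit list is that every event names an individual user, which is exactly what shared group ID/PWD combinations make impossible; moving the users table to a separate database or machine changes where the hashes live, not whether the application can account for who ran a query.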