> 1. If authentication method is anon, and anon account has
> permissions to remote server, then perl script receives info. Anybody in
> the net can access all remote servers administration pages as an
> administrator.
>
> 2. NT C/R - Only selected individuals may browse to page. (good)
> IIS runs perl script with system account and remote server laughs at unknown
> account (bad).
If it was a domain account it shouldn't laugh.
> 3. Clear text- Only selected individuals may browse to page.
> Someone in internal net (I've caught some already) runs packet capture and
> gets root access to all servers on my network.
>
> 4. SSL ?
>
> In services applet, one may change the account used to run WWW publishing
> service. I assume changing this is bad ?
Yes
> Can apache running on NT help/ surpass this problem ?
At some point you must pass the password from the client to server -
this is always bad unless you have a secure connection. The NT C/R
method uses challenge response to avoid this but the account must exist
on the server and the client and it is only supported by IE clients (AFAIK).
To be honest I always cringe at the thought of remote admin over http but if
you must do it and can't get challenge response to work then I
recommend you investigate SSL so that all data is encrypted.
Another possibility is to write a java applet to encrypt the form data
with a public key before it is submitted to the server so that if
someone is sniffing they will not be able to read the passwords.
--
Simon Oliver
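The points in this exchange (anonymous access must never reach an admin page, clear-text credentials are only acceptable when SSL wraps the connection, and the "remote server laughs at unknown account" symptom comes down to which Windows account the CGI actually runs as) can all be checked server-side at the top of the Perl script. The following is an added example, not code from the thread or from either poster. It assumes the standard CGI environment variables (AUTH_TYPE, REMOTE_USER) plus the HTTPS=on convention used by IIS and mod_ssl, and the Win32 module shipped with ActivePerl for Win32::LoginName(); the 'ntlm'/'negotiate' AUTH_TYPE values are assumed to be what the web server reports for NT challenge/response.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread): gate an admin CGI so that
# it refuses anonymous callers and clear-text credentials over plain HTTP,
# and report which Windows account the script is really running under.
use strict;
use warnings;

# Decide whether this request may carry a password at all.
# Returns (ok, reason). Input is a copy of the CGI environment.
sub credential_transport_ok {
    my (%env) = @_;
    my $https     = lc($env{HTTPS} || 'off') eq 'on';      # assumed IIS/mod_ssl convention
    my $auth_type = lc($env{AUTH_TYPE} || '');

    # NT challenge/response never puts the password itself on the wire.
    return (1, "challenge/response ($auth_type)")
        if $auth_type eq 'ntlm' || $auth_type eq 'negotiate';   # assumed AUTH_TYPE values

    # Basic auth and form posts send the password in the clear unless SSL wraps it.
    return (1, "clear-text credentials, but the connection is SSL") if $https;
    return (0, "refusing clear-text credentials over plain HTTP (auth type: '$auth_type')");
}

# Anonymous auth leaves REMOTE_USER empty: the browser user was never identified,
# so an admin page must not be served no matter what account the script runs as.
sub browser_user_identified {
    my (%env) = @_;
    return defined $env{REMOTE_USER} && length $env{REMOTE_USER};
}

# Which Windows account is executing this script? Under IIS this is the anonymous
# account, the impersonated NT user, or the WWW publishing service account.
# A name the remote server does not know explains the "laughs at unknown
# account" symptom; a domain account it knows does not.
sub running_as {
    my $name = eval { require Win32; Win32::LoginName() };   # assumed: Win32 module (ActivePerl)
    $name = $ENV{USERNAME} unless defined $name;
    $name = $ENV{USER}     unless defined $name;
    return defined $name ? $name : 'unknown';
}

# Only run the CGI logic when executed directly, not when another script requires this file.
unless (caller) {
    my ($ok, $why) = credential_transport_ok(%ENV);
    my $identified = browser_user_identified(%ENV);

    if (!$identified || !$ok) {
        my $message = $identified ? $why : 'anonymous access to an admin page is not allowed';
        print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
        print "$message\n";
        exit 0;
    }

    print "Content-Type: text/plain\r\n\r\n";
    print "authenticated browser user: $ENV{REMOTE_USER} ($why)\n";
    print "script runs as: ", running_as(), "\n";
    # ... the real administration work would follow here, using the checks above as a gate
}
```

The check deliberately lives on the server: a client can be talked into posting a form over plain http, so the script itself has to refuse such a request rather than trusting the browser to pick the secure URL. The running_as() line is the diagnostic for case 2 in the thread: if it prints the system account or the IIS anonymous account instead of the impersonated NT user, the remote server has no way to recognise the caller.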
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin