Simple client restriction for various sites on IIS 10?
We have multiple sites on a public-facing IIS 10 server (our dedicated server, where we have full exclusive control). We would like to restrict some of these sites to our development team, and we would like to do this as simplistically as possible. What would be a good approach?
Security requirements are "moderate" - we'd primarily like to block casual misuse. For example, a simple name/password auth where all developers use the same credentials would be ok.
Mostly the developers sit inside one of two VPN:s with known IP ranges. Two developers don't have VPN in place, but this can probably be fixed.
The sites are protected with server certs and all use HTTPS with server name indication.
We do require a solution that does not require the restriction/authentication to be built inte the applications themselves, because the sites are test sites for our web apps. This means they have various authentication mechanisms aready in place as well as public non-restricted pages. But we would still like only developers to be able to access these entire sites.
All developers have Office 365 user accounts, i.e. AzureAD accounts, except external ones, but they are guest users in our Azure DevOps service and so have an identity present there.
I looked at the IIS settings for Authentication.
Anonymous authentication is not relevant.
ASP.NET Impersonation doesn't seem to be relevant either.
Basic Authentication would be alright from the client perspective, but unless I'm missing something, this would require the app to validate the provided credentials on each request, which violates the requirement that the apps themselves should not need to handle anything regarding the site restriction.
Forms Authentication appears to have the same problem as Basic Auth.
Windows Authentication would not be applicable since access is not via an intranet (we have external developers). Or would this be applicable if we add a Windows account on the web server machine for each developer, and all of us are inside a VPN? But I am under the impression that this would also imply that the app pool would execute under that windows account's credentials, which is also a violation of "don't affect the app itself".
Digest authentication appears to have the same problem as Basic Auth.
IIS Client Certificate Authentication seems to be a viable option, but we really would like to avoid the hassle of administering client certificates, even if they were to be self signed.
I assume it would be possible to use IP address restrictions (if I add "IP and Domain Restrictions" role to the server), but this will require that all developers are always inside a VPN with known IP address range. Requires adding that to a couple of devs who currently miss that (Mac users).
Is the IP address/VPN solution best, or can you suggest something even simpler?
vpn website authentication iis restrictions
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
add a comment |
We have multiple sites on a public-facing IIS 10 server (our dedicated server, where we have full exclusive control). We would like to restrict some of these sites to our development team, and we would like to do this as simplistically as possible. What would be a good approach?
Security requirements are "moderate" - we'd primarily like to block casual misuse. For example, a simple name/password auth where all developers use the same credentials would be ok.
Mostly the developers sit inside one of two VPN:s with known IP ranges. Two developers don't have VPN in place, but this can probably be fixed.
The sites are protected with server certs and all use HTTPS with server name indication.
We do require a solution that does not require the restriction/authentication to be built inte the applications themselves, because the sites are test sites for our web apps. This means they have various authentication mechanisms aready in place as well as public non-restricted pages. But we would still like only developers to be able to access these entire sites.
All developers have Office 365 user accounts, i.e. AzureAD accounts, except external ones, but they are guest users in our Azure DevOps service and so have an identity present there.
I looked at the IIS settings for Authentication.
Anonymous authentication is not relevant.
ASP.NET Impersonation doesn't seem to be relevant either.
Basic Authentication would be alright from the client perspective, but unless I'm missing something, this would require the app to validate the provided credentials on each request, which violates the requirement that the apps themselves should not need to handle anything regarding the site restriction.
Forms Authentication appears to have the same problem as Basic Auth.
Windows Authentication would not be applicable since access is not via an intranet (we have external developers). Or would this be applicable if we add a Windows account on the web server machine for each developer, and all of us are inside a VPN? But I am under the impression that this would also imply that the app pool would execute under that windows account's credentials, which is also a violation of "don't affect the app itself".
Digest authentication appears to have the same problem as Basic Auth.
IIS Client Certificate Authentication seems to be a viable option, but we really would like to avoid the hassle of administering client certificates, even if they were to be self signed.
I assume it would be possible to use IP address restrictions (if I add "IP and Domain Restrictions" role to the server), but this will require that all developers are always inside a VPN with known IP address range. Requires adding that to a couple of devs who currently miss that (Mac users).
Is the IP address/VPN solution best, or can you suggest something even simpler?
vpn website authentication iis restrictions
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
add a comment |
We have multiple sites on a public-facing IIS 10 server (our dedicated server, where we have full exclusive control). We would like to restrict some of these sites to our development team, and we would like to do this as simplistically as possible. What would be a good approach?
Security requirements are "moderate" - we'd primarily like to block casual misuse. For example, a simple name/password auth where all developers use the same credentials would be ok.
Mostly the developers sit inside one of two VPN:s with known IP ranges. Two developers don't have VPN in place, but this can probably be fixed.
The sites are protected with server certs and all use HTTPS with server name indication.
We do require a solution that does not require the restriction/authentication to be built inte the applications themselves, because the sites are test sites for our web apps. This means they have various authentication mechanisms aready in place as well as public non-restricted pages. But we would still like only developers to be able to access these entire sites.
All developers have Office 365 user accounts, i.e. AzureAD accounts, except external ones, but they are guest users in our Azure DevOps service and so have an identity present there.
I looked at the IIS settings for Authentication.
Anonymous authentication is not relevant.
ASP.NET Impersonation doesn't seem to be relevant either.
Basic Authentication would be alright from the client perspective, but unless I'm missing something, this would require the app to validate the provided credentials on each request, which violates the requirement that the apps themselves should not need to handle anything regarding the site restriction.
Forms Authentication appears to have the same problem as Basic Auth.
Windows Authentication would not be applicable since access is not via an intranet (we have external developers). Or would this be applicable if we add a Windows account on the web server machine for each developer, and all of us are inside a VPN? But I am under the impression that this would also imply that the app pool would execute under that windows account's credentials, which is also a violation of "don't affect the app itself".
Digest authentication appears to have the same problem as Basic Auth.
IIS Client Certificate Authentication seems to be a viable option, but we really would like to avoid the hassle of administering client certificates, even if they were to be self signed.
I assume it would be possible to use IP address restrictions (if I add "IP and Domain Restrictions" role to the server), but this will require that all developers are always inside a VPN with known IP address range. Requires adding that to a couple of devs who currently miss that (Mac users).
Is the IP address/VPN solution best, or can you suggest something even simpler?
vpn website authentication iis restrictions
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
We have multiple sites on a public-facing IIS 10 server (our dedicated server, where we have full exclusive control). We would like to restrict some of these sites to our development team, and we would like to do this as simplistically as possible. What would be a good approach?
Security requirements are "moderate" - we'd primarily like to block casual misuse. For example, a simple name/password auth where all developers use the same credentials would be ok.
Mostly the developers sit inside one of two VPN:s with known IP ranges. Two developers don't have VPN in place, but this can probably be fixed.
The sites are protected with server certs and all use HTTPS with server name indication.
We do require a solution that does not require the restriction/authentication to be built inte the applications themselves, because the sites are test sites for our web apps. This means they have various authentication mechanisms aready in place as well as public non-restricted pages. But we would still like only developers to be able to access these entire sites.
All developers have Office 365 user accounts, i.e. AzureAD accounts, except external ones, but they are guest users in our Azure DevOps service and so have an identity present there.
I looked at the IIS settings for Authentication.
Anonymous authentication is not relevant.
ASP.NET Impersonation doesn't seem to be relevant either.
Basic Authentication would be alright from the client perspective, but unless I'm missing something, this would require the app to validate the provided credentials on each request, which violates the requirement that the apps themselves should not need to handle anything regarding the site restriction.
Forms Authentication appears to have the same problem as Basic Auth.
Windows Authentication would not be applicable since access is not via an intranet (we have external developers). Or would this be applicable if we add a Windows account on the web server machine for each developer, and all of us are inside a VPN? But I am under the impression that this would also imply that the app pool would execute under that windows account's credentials, which is also a violation of "don't affect the app itself".
Digest authentication appears to have the same problem as Basic Auth.
IIS Client Certificate Authentication seems to be a viable option, but we really would like to avoid the hassle of administering client certificates, even if they were to be self signed.
I assume it would be possible to use IP address restrictions (if I add "IP and Domain Restrictions" role to the server), but this will require that all developers are always inside a VPN with known IP address range. Requires adding that to a couple of devs who currently miss that (Mac users).
Is the IP address/VPN solution best, or can you suggest something even simpler?
vpn website authentication iis restrictions
vpn website authentication iis restrictions
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
asked Feb 13 at 10:13
Kjell RilbeKjell Rilbe
23929
23929
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1405202%2fsimple-client-restriction-for-various-sites-on-iis-10%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1405202%2fsimple-client-restriction-for-various-sites-on-iis-10%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
