[ZDP] Win32Security

kamon.ayeva@bureauveritas.com
Thu, 7 Oct 1999 15:52:31 +0200


For you guys.

Kamon

Security with Zope on Windows NT


Zope Security

Because Zope is managed through the Web, user names and passwords must be
used to assure that only authorized people can make changes to a Zope
installation. There are two main features to ensure user authorisation with
Zope: the «super manager» access, and User folders.

«Super manager» access. A special "super manager" user name and password
are defined outside the application in order to:

    1/ Allow authorization for the creation of normal managers of your Zope
site.

    2/ Provide an all-powerful user that can do anything in the
application, and whose password cannot be changed through the application
user interface.

This user name and password is defined in the 'access' file located in the
Zope directory. It should be readable only by the user as which your web
server runs.

The access file, called access, consists of a single line of the form
username:password. It is created during installation using the username and
password that you provide when prompted for it.
You may also add an optional third component to the line in the access file
to restrict super manager access by domain.

For example, the line:

    mario:nintendoRules:*.mydomain.com

in your 'access' file will only allow super manager access to your
installation from *.mydomain.com machines. Attempts to access the system
from other domains will fail, even if the correct superuser name and
password are used.
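The following is an added illustration of the access-file semantics described above; it is an independent re-implementation for this post, not Zope's own code. It parses the one-line "username:password[:domain]" format and refuses a super manager login when the requesting host falls outside the optional domain restriction, even when the password is correct. The wildcard matching (case-insensitive shell-style globbing) and the sample line are assumptions made here for illustration.

```python
import fnmatch
import hmac
from typing import NamedTuple, Optional


class SuperManager(NamedTuple):
    username: str
    password: str
    domain: Optional[str]   # None means no domain restriction


def parse_access_line(line: str) -> SuperManager:
    """Parse the single line of the access file into its components."""
    parts = line.strip().split(":")
    if len(parts) == 2:
        user, pw = parts
        domain = None
    elif len(parts) == 3:
        user, pw, domain = parts
        domain = domain.strip().lower() or None
    else:
        raise ValueError("access line must be username:password[:domain]")
    if not user or not pw:
        raise ValueError("username and password must be non-empty")
    return SuperManager(user, pw, domain)


def host_allowed(sm: SuperManager, client_host: str) -> bool:
    """True when the requesting host satisfies the optional domain restriction.
    Shell-style wildcard matching is an assumption for this illustration;
    Zope's own matching rules are not reproduced here."""
    if sm.domain is None:
        return True
    return fnmatch.fnmatchcase(client_host.lower(), sm.domain)


def super_manager_login(sm: SuperManager, user: str, pw: str, client_host: str) -> bool:
    """Grant super manager access only if credentials AND domain both match.
    A correct password presented from a disallowed domain is still refused."""
    creds_ok = (hmac.compare_digest(sm.username.encode(), user.encode())
                and hmac.compare_digest(sm.password.encode(), pw.encode()))
    return creds_ok and host_allowed(sm, client_host)


# Constructed sample line (the example from the text), not a real credential.
SAMPLE = parse_access_line("mario:nintendoRules:*.mydomain.com")
```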

User folders. Normal user names and passwords are defined by creating and
modifying user folders within Zope.


Zope with IIS Security

Even when setting up Zope with IIS you may want to have Zope perform both
authentication and authorization of users. For this to work, you need to
configure IIS so that it passes authentication information to Zope. Before
going through this configuration, let's first see how authentication works
with IIS.

Background on IIS Authentication

- IIS impersonation
Impersonation is the NT facility allowing a process like IIS to pretend,
under different situations, to be different users. Remember that all
processes operating on a Windows NT machine run under a valid NT account
with specific access privileges. The purpose is to give that process no
more access to files and resources than the user would have. When IIS does
this, it is said to be impersonating that user.

- IIS authentication

The three main user authentication methods that IIS supports are:
Anonymous access, Basic Authentication, and Windows NT Challenge/Response.

Anonymous access. No information is required from the user. By default,
when a browser requests a Web page, IIS will first try to fill the request
without authenticating the user. To do this, IIS impersonates a special
Windows NT account, IUSR_machinename (where machinename is the name of the
IIS host computer). This is the account created during the install process
for IIS. If IIS, impersonating the IUSR_machinename account, can access
the requested resource, then the page is served to the anonymous user.

Basic Authentication. The user enters a name and password. Since IIS
cannot fill the request using the IUSR_machinename account, it attempts to
authenticate and then impersonate the user so that it can determine if that
user should have access to the requested resource.

If Basic Authentication is the only IIS authentication method enabled, IIS
requires all browser requests to have credentials; anonymous access is not
allowed.

Windows NT Challenge/Response. NT Challenge/Response is a protocol *only*
supported by Internet Explorer (IE).
When a Web user makes a request to the site, IE automatically sends to IIS
the user's current NT logon account name, and IIS verifies the name against
what is called the SAM database (Security Account Manager) in the Windows
NT registry on the IIS server. Actually, the SAM does not contain user
passwords, but instead stores password hashes, i.e. passwords that have
been hashed using the standard MD4 hashing algorithm.

IIS will use NT Challenge/Response to authenticate a Web user with *IE* if
the following are true:
- The "Allow Anonymous" check box in the WWW properties of the Internet
Service Manager is cleared, or the IUSR account doesn't have sufficient
permissions to access the requested resource.
- Windows NT Challenge/Response is selected in the Internet Service Manager
under WWW properties.

Setting up Security for Zope with IIS

- Allow Anonymous check box
Adding or removing the Allow Anonymous check is the best way to globally
turn on or off anonymous access for the entire Web server.

- Turn off Windows NT Challenge/Response and Basic Authentication
To do this, go to IIS Manager, right-click on the server, select Service
Properties, and deselect both "Windows NT Challenge/Response" and "Basic
Authentication" from the Password Authentication area of the Service tabbed
worksheet.

END