IIS Directory Access Control

This is a discussion about IIS Directory Access Control in the Windows Networking category.




40 Posts | Location - | Joined 2001-12-15
Here's the deal. I'm employed by a security consulting firm, and we do penetration testing with a side of social engineering. Part of our social engineering is sending out an email to employees of the client du jour, asking them to go to a survey website and "log in." (every person that goes to the site has used their network login, thankyouverymuch!)
 
The biggest headache we have with this is configuring and reconfiguring IIS for each client. We have to lock out who can access that site, as we are not allowed to disclose other clients without prior permission. So, we do access control by source IP for the main site, but we only test one company at a time.
 
What we would like to do is have the ability to hit several clients at once, and I see two ways. First, register different domains that look like the client's company name (more effective, not extremely expensive until you consider how many clients we have, but then you consider how much we bill...) Then just set different sites up and check the header for incoming requests.
 
The other option is to just do our-domain.com/client-name-here and do access control to each directory based on IP. This is the thing I'm not sure we can do though. And there's potential information leakage when someone goes to /client-1, gets the site, tries /client-2 and gets directory not found, then tries /client-3 and gets access denied. They now know that client-3 is a client of ours.
 
Any ideas on all this?
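One way to get per-directory access control by source IP on a single IIS site, and to close the 403-versus-404 leak the post describes, is the IP and Domain Restrictions module configured in the site's web.config. The fragment below is an added example, not the poster's configuration; it assumes IIS 8 or later (the `denyAction` attribute does not exist on IIS 7.x, where denied requests always get a 403) and uses `203.0.113.0/24` as a constructed placeholder for a client's network:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Site-wide default: deny every source that is not explicitly listed,
       and answer denied requests with 404 rather than 403. A blocked caller
       then cannot distinguish "directory exists but you are denied" from
       "directory does not exist", which is the leak the post worries about.
       denyAction requires IIS 8+; on IIS 7.x it is ignored and 403 is sent. -->
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false" denyAction="NotFound" />
    </security>
  </system.webServer>

  <!-- Per-directory override: only the named network may reach /client-a.
       203.0.113.0/24 is a constructed placeholder, not a real client range. -->
  <location path="client-a">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- One <location> block per client directory, each with its own allow
       entry; everything else inherits the site-wide deny-all above. -->
</configuration>
```

Two practical notes: the `ipSecurity` section is locked at the server level in applicationHost.config by default, so the per-site override above only takes effect after unlocking it (`appcmd unlock config -section:system.webServer/security/ipSecurity` from `%windir%\system32\inetsrv`). And the check worth doing after deployment is to request an allowed directory from an unlisted address and a non-existent directory from the same address, confirming that both return an identical 404 status and body (custom error pages included); if they differ, the existence of the directory is still being disclosed.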
