This time, Joe Developer is building a web application for the company intranet. Most of the site is available to anonymous users, but one directory, the adminPages directory, should only be accessible to users in the machine's local administrators group. Joe added the following to the bottom of his web.config, and is feeling pretty secure.
Should Joe be worried?
Comments
It should be deny users="*"
Anyone that is authenticated will get access to adminPages. He should change it to:
<allow roles="BUILTIN\Administrators" />
<deny users="*" />
Every rule gets evaluated in order, and only if there is a match will the rule get applied and no further rules be evaluated.
Since only BUILTIN\Administrators and ? are addressed, a random authorized user will fall through the rules and default to getting access.
To achieve what was set, the second rule should be deny users="*".
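To make the evaluation order described in the comments concrete, the following is an added Python simulation (not code from the original post, and not ASP.NET's own implementation): it reproduces the first-match-wins, default-allow semantics for a rule set reconstructed from the comments, Joe's original (deny only "?") beside the corrected one (deny "*"), plus a small audit check a reviewer could run over a web.config fragment.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Joe's rule set as the comments reconstruct it
# (allow local admins, deny only the anonymous user).
JOES_RULES = """<authorization>
  <allow roles="BUILTIN\\Administrators" />
  <deny users="?" />
</authorization>"""

# The fix the commenters propose: a catch-all deny as the last rule.
FIXED_RULES = """<authorization>
  <allow roles="BUILTIN\\Administrators" />
  <deny users="*" />
</authorization>"""


def _split(attr):
    return [v.strip() for v in attr.split(",") if v.strip()]


def _matches(rule, user, roles):
    """One rule matches if any listed user or role applies.
    '*' means everyone, '?' means the anonymous user; names compare case-insensitively."""
    role_set = {r.lower() for r in roles}
    for u in _split(rule.get("users", "")):
        if u == "*" or (u == "?" and user is None):
            return True
        if user is not None and u.lower() == user.lower():
            return True
    return any(r.lower() in role_set for r in _split(rule.get("roles", "")))


def is_allowed(config_xml, user, roles=()):
    """Evaluate <allow>/<deny> rules top to bottom; the first match decides.
    No match falls through to the <allow users="*"/> inherited from the root config,
    which is exactly how a non-admin authenticated user reaches adminPages."""
    root = ET.fromstring(config_xml)
    for rule in root:
        if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
            return rule.tag == "allow"
    return True


def ends_with_catch_all_deny(config_xml):
    """Audit check: a directory meant to be admin-only should close with <deny users="*"/>."""
    rules = [r for r in ET.fromstring(config_xml) if r.tag in ("allow", "deny")]
    return bool(rules) and rules[-1].tag == "deny" and "*" in _split(rules[-1].get("users", ""))
```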
Replace "?" with "*".
The following needs to be added underneath the <deny...> element:
<deny users="*" />
I'd try using the following in the web.config that resides in the "adminPages" directory.
<configuration>
  <system.web>
    <authorization>
      <allow roles="BUILTIN\Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
<deny users="*" />
to prevent other authenticated users.
@Tyrone: Since this is an intranet app, presumably someone can login on another machine with domain credentials that give them admin access on this box.
Looks like I misread the question. I can't see how I missed the "should only be accessible to users in the machine's local administrators group" in the second sentence. Anyways, waiting for #8.