#1  5 Star Lounger (austin, Texas, USA; joined Jan 2001)

    Windows Authentication - how does it work

    I am working with the IT programmers on a .NET/SQL Server 2005 (I think - could be 2000)/Win2000 Server and the suggestion on a web app is to use Windows Authentication rather than some homegrown ad hoc login/password. The response to this was a concern that using the windows network id/login would be a security risk as the IT guys here could access one's network login.

    The current system they have devised uses an initial password that the user must immediately replace with some other password, so I guess what they're doing is storing the actual password locally on the server in readable form, which doesn't strike me as a good idea...

    My understanding of windows authentication is that the network login ID and password are authenticated over the network and this means the only thing potentially stored locally would be the network login, not the password. Is this true? IOW, does Windows Authentication mean the network login is verified 'on the fly' and does not need to be stored? If so, I would think this is a better bet overall vis a vis the current password strategy being deployed.

    FWIW, the reason a login is required for our local portal is to enable security across the board in terms of screens available, info viewable etc. so there's a good buy-in to setting up password stuff. If the current strategy is used, this will mean a bit of work on our end to create login accounts etc. & I'm trying to find a solution that takes advantage of the fact that there is already a login system via the Windows network.

    I don't know much about this really except I've run a few projects (IIS/ASP Classic to limit access to a webpage and Access with VBA to sniff a network login to limit access to parts of the Access app) that did what I wanted and in no case required storing the network login locally. So, if you've got some good info on the subject, please let me know.

    TIA


#2  Silver Lounger (New York, New York, USA; joined Apr 2001)

    Re: Windows Authentication - how does it work

    Answers to some of your concerns:

    "I am working with the IT programmers on a .NET/SQL Server 2005 (I think - could be 2000)/Win2000 Server and the suggestion on a web app is to use Windows Authentication rather than some homegrown ad hoc login/password. The response to this was a concern that using the windows network id/login would be a security risk as the IT guys here could access one's network login."

    If you don't trust your own IT guys, fire them! Logging on as a particular user may be part of their job, and if you suspect someone of using somebody else's username and password without authorization, fire him immediately! Or advise your users to change their passwords each time they get help from the Help Desk :)

    "the current system they have devised uses an initial password that the user must immediately replace with some other password, so I guess what they're doing is storing the actual password locally on the server in readable form, which doesn't strike me as a good idea..."

    You are wrong. It is true that user passwords are stored on local computers and on the servers, but not in "readable" form; they are stored in highly encrypted form. Theoretically you can crack the encryption, but in practice it can take up to a couple of days of running a special program to crack a regular password (eight alphanumeric characters).

    "My understanding of windows authentication..."

    See Integrated Windows Authentication
    See also Security in SQL Server 2005

    Maybe it will be helpful: Implementing Row- and Cell-Level Security in Classified Databases Using SQL Server 2005

#3  5 Star Lounger (austin, Texas, USA; joined Jan 2001)

    Re: Windows Authentication - how does it work

    Thanks for your response. As to the matter of not trusting our IT people regarding network logon passwords, that's something *they* brought up, as in "well, if it is stored on our SQL Server we can read it and that's a bad idea". Which means you're wrong about the password being encrypted on the server.

    The article on authentication was informative, but we are NOT running 2005 OS's, and Active Directory is enabled only on the enterprise Exchange servers. The proposed system is an intranet web application (.NET 1.1) on SQL Server 2003. What I wanted to find out was how Windows Authentication works in terms of an enterprise network. My feeling was that this method is easy to implement and doesn't require storing or managing logins/passwords locally. According to the article, this works via ASP.NET to IIS over the network using a hashed authentication string.

    But I still don't know some things I'd like to know. Where exactly does the challenge/response get handled? The broad article on authentication seems to say IIS does it. I would expect it's something sitting above the defined domain that monitors users via the Windows login, which means a domain controller or some such thing. I don't have a lot of knowledge of enterprise system architecture here.

    The reason I'm asking all this is to understand why, in a security context, one would be better off with another damned set of user IDs and passwords if Windows Authentication can work, and especially whether using Windows Authentication means our IT boys DON'T store logins/passwords on a SQL Server.

    TIA
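As an added illustration (not code from this thread or from any Microsoft component), here is a constructed Python model of the question raised in post #3 and the storage point argued in post #2: the workstation answers a random challenge with a keyed hash of the password, the domain controller checks it against the hash it holds, and the IIS/SQL server in between relays the exchange and stores no credential at all. The key derivation and MAC used here are assumptions chosen for clarity, not the real NTLM or Kerberos algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed model of the challenge/response flow the thread describes; key derivation
# and MAC are assumptions for illustration, not the real NTLM or Kerberos algorithms.

def credential_key(password: str) -> bytes:
    """Password-derived key the directory holds (the real NT hash is unsalted MD4)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

class DomainController:
    """The only place a credential lives, and only as a hash, never the cleartext."""

    def __init__(self):
        self._keys = {}

    def enroll(self, user: str, password: str) -> None:
        self._keys[user] = credential_key(password)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class WebServer:
    """IIS/ASP.NET (and the SQL Server behind it): hands out a fresh random challenge,
    forwards the response to the domain controller, and keeps no credential of its own."""

    def __init__(self, dc: DomainController):
        self._dc = dc
        self.stored_credentials = {}  # stays empty for the life of the server

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login(self, user: str, challenge: bytes, response: bytes) -> bool:
        return self._dc.verify(user, challenge, response)

def client_response(password: str, challenge: bytes) -> bytes:
    """Workstation side: the password is used here only and never crosses the wire."""
    return hmac.new(credential_key(password), challenge, hashlib.sha256).digest()

def attempt_login(server: WebServer, user: str, password: str) -> bool:
    """One logon round trip: server challenges, client answers, directory decides."""
    challenge = server.new_challenge()
    return server.login(user, challenge, client_response(password, challenge))
```

Because each challenge is fresh, a response captured from one logon is useless for the next one, and the web tier never holds anything an administrator could read back as a password.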
