
Making an auto-login on our Intranet; how secure is CGI.auth_user?

Enthusiast, Nov 05, 2012


We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.

Thing is, this variable holds a value that lists the domain and username, but no password (ie, 'DOMAIN_NAME\user_name')

Well, I can run CFLDAP to determine if this user exists in our active directory and is not disabled/locked, but since a password is not captured/provided, the Intranet would have to assume that 'This is good enough for you to say who you are', and auto-log them in as that user.

My question is, how hard is it to spoof this value?  If someone knows the username of an admin, and can alter the system to capture their credentials as 'DOMAIN_NAME\username_of_admin' then it would log them in as an admin.

I understand the risk of assuming the logged in person IS the person at the computer (we have many people who login as themselves, but let others use their PC while they are logged in, and informed these people that this is both against policy and that THEY are responsible for anything someone else does on their PC while logged in with their credentials)

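The following is an added example and not code posted by anyone in this thread. It shows how the approach described in the question (trust the web server's identity, then confirm the account with CFLDAP) looks when written to fail closed. It assumes IIS has Windows Authentication enabled and Anonymous Authentication disabled for the intranet site: CGI.auth_user is populated by IIS from the authentication it performed itself, not read from any client-supplied header, so a client on the wire cannot set it, but when anonymous access is still allowed IIS never challenges and the variable simply arrives empty. The domain name, LDAP server, base DN, service account and group DN are placeholders; the `ldapEscape` helper is assumed here and is not a built-in function.

```cfml
<!--- Added example: fail-closed login from CGI.auth_user, then an AD sanity check via cfldap.
      All server names, DNs and account names below are placeholders. --->
<cfset expectedDomain = "DOMAIN_NAME">                 <!--- placeholder: AD NetBIOS domain --->
<cfset ldapServer     = "dc01.example.local">          <!--- placeholder --->
<cfset ldapBaseDN     = "DC=example,DC=local">         <!--- placeholder --->
<cfset ldapBindUser   = "DOMAIN_NAME\svc_intranet_ldap"> <!--- placeholder read-only service account --->
<cfset ldapBindPass   = application.ldapServicePassword> <!--- placeholder: kept out of source control --->
<cfset adminGroupRDN  = "CN=Intranet Admins,">         <!--- placeholder group DN prefix --->
<cfset rawAuthUser    = trim(cgi.auth_user)>

<!--- 1. Fail closed: an empty value means IIS did NOT authenticate this request
      (typically Anonymous Authentication is still enabled on the site). --->
<cfif NOT len(rawAuthUser) OR NOT find("\", rawAuthUser)>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfabort>
</cfif>

<!--- 2. Split DOMAIN\user and refuse identities from any other domain
      (a trusted domain, or a local machine account on a misconfigured server). --->
<cfset userDomain = listFirst(rawAuthUser, "\")>
<cfset userName   = listLast(rawAuthUser, "\")>
<cfif compareNoCase(userDomain, expectedDomain) NEQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 3. Escape LDAP filter metacharacters (RFC 4515) before the name is put into a filter string. --->
<cffunction name="ldapEscape" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfset var out = arguments.value>
    <cfset out = replace(out, "\",    "\5c", "all")>
    <cfset out = replace(out, "*",    "\2a", "all")>
    <cfset out = replace(out, "(",    "\28", "all")>
    <cfset out = replace(out, ")",    "\29", "all")>
    <cfset out = replace(out, chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<!--- 4. Confirm the account exists and is usable. Bit 0x2 of userAccountControl is
      ACCOUNTDISABLE; a non-zero lockoutTime is treated conservatively as "locked". --->
<cfldap action="query"
        name="adUser"
        server="#ldapServer#"
        username="#ldapBindUser#"
        password="#ldapBindPass#"
        start="#ldapBaseDN#"
        scope="subtree"
        filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(userName)#))"
        attributes="sAMAccountName,userAccountControl,lockoutTime,memberOf"
        maxrows="1">

<cfif adUser.recordCount NEQ 1
      OR bitAnd(val(adUser.userAccountControl), 2) NEQ 0
      OR val(adUser.lockoutTime) NEQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 5. Establish the CF login. Roles are derived from AD group membership on the server,
      never from anything the browser sent. --->
<cfset userRoles = "user">
<cfif findNoCase(adminGroupRDN, adUser.memberOf)>
    <cfset userRoles = listAppend(userRoles, "admin")>
</cfif>
<cflogin>
    <cfloginuser name="#userName#" password="" roles="#userRoles#">
</cflogin>
```

The two checks that matter most for the question asked are steps 1 and 2: an empty CGI.auth_user must be a hard stop rather than a fall-through to anonymous, and the domain part should be compared, since "a user exists in AD" and "this is our domain's user" are different statements. The rest keeps the CFLDAP lookup from being an injection point and makes the disabled/locked test explicit.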
LEGEND, Nov 05, 2012


It's secure enough for us to do it.

Enthusiast, Nov 05, 2012


Being in the CGI scope, I would think it is information that CF and the Web Server seem to share with each other.

I just felt almost naked authenticating someone based on just a username, you know?   I need that password!  With a salt!  Hashed against 'SHA-256!'

Well, if it's good enough for Dan, it's good enough for me!

Community Expert, Nov 06, 2012


Aegis Kleais wrote:

We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.

The most important questions on security are not based on which techniques to use. They are based on policy. Thus, if the domain trusts its users and the policy is that the intranet is just one of the resources within the domain, then there will be little need for a second layer of authentication.

Thing is, this variable holds a value that lists the domain and username, but no password (ie, 'DOMAIN_NAME\user_name')

Well, I can run CFLDAP to determine if this user exists in our active directory and is not disabled/locked, but since a password is not captured/provided, the Intranet would have to assume that 'This is good enough for you to say who you are', and auto-log them in as that user.

My question is, how hard is it to spoof this value?  If someone knows the username of an admin, and can alter the system to capture their credentials as 'DOMAIN_NAME\username_of_admin' then it would log them in as an admin.

It would be a difficult spoof. Suppose you intend on some mala fide action on the intranet. You have managed to get hold of the username, DOMAIN_NAME\username_of_admin. To be able to pull off the spoof, you need to be in the domain, and have admin privileges. To have achieved that in the first place, you needed access to an admin password. We're now down to trust.

LEGEND, Nov 06, 2012


BKBK wrote:

Aegis Kleais wrote:

We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.

The most important questions on security are not based on which techniques to use. They are based on policy. Thus, if the domain trusts its users and the policy is that the intranet is just one of the resources within the domain, then there will be little need for a second layer of authentication.

Agreed. Given it's an intranet, isn't it intrinsically only available to people already authenticated by the network OS?

I can understand you wanting to identify who the person is, but the remote_user setting should be fine for that.

--

Adam

Enthusiast, Nov 06, 2012


Well the Intranet server is on the domain and requires users to be on the same domain as well, but my initial concern wasn't with just people from outside the domain trying to break it, but those who legally have access to the Intranet trying as well.

We have a couple of technically competent persons who do not belong to the IT department, and Web Security has been a subject that has piqued my interest as of late.  It seems that CF and IIS communicate these variables internally, so it's not like reading from sources like headers that can be intercepted and adjusted mid-communication.

It sounds like the CGI.auth_user (or getAuthUser() BIF) is seemingly secured enough for my needs.  That's good to hear.

Community Expert, Nov 06, 2012


Aegis Kleais wrote:

We have a couple of technically competent persons who do not belong to the IT department

There's your mistake right there! You should have made sure all the technically competent persons belong to the IT department.

LEGEND, Nov 06, 2012


We have a couple of technically competent persons who do not belong to the IT department

There's your mistake right there! You should have made sure all the technically competent persons belong to the IT department.

Yeah, cos like everyone in the IT dept is usually technically competent... 😉

--

Adam

Enthusiast, Nov 06, 2012

As nice a thought as that is, we neither have the position open nor scissors sharp enough to cut through all the red tape to make that a reality.
