8 Replies. Latest reply on Nov 6, 2012 8:10 AM by Aegis Kleais

    Making an auto-login on our Intranet; how secure is CGI.auth_user?

    Aegis Kleais Level 3

      We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.

       

      Thing is, this variable holds a value that lists the domain and username, but no password (i.e., 'DOMAIN_NAME\user_name').

       

      Well, I can run CFLDAP to determine if this user exists in our active directory and is not disabled/locked, but since a password is not captured/provided, the Intranet would have to assume that 'This is good enough for you to say who you are', and auto-log them in as that user.

       

      My question is, how hard is it to spoof this value?  If someone knows the username of an admin, and can alter the system to capture their credentials as 'DOMAIN_NAME\username_of_admin' then it would log them in as an admin.

       

      I understand the risk of assuming the logged-in person IS the person at the computer (we have many people who log in as themselves, but let others use their PC while they are logged in, and we have informed these people that this is both against policy and that THEY are responsible for anything someone else does on their PC while logged in with their credentials).
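One way to implement the auto-login described above (pull the identity from CGI.AUTH_USER, confirm the account in Active Directory with CFLDAP, then establish the session), written here as an added example; it is not code from this thread or from Adobe's documentation. Everything it names is an assumption for illustration: the file name autoLogin.cfm, the domain CORP, the domain controller dc01.corp.example, the base DN, the read-only bind account CORP\svc_intranet_ldap and application.ldapServicePassword. It also assumes the IIS site has Windows Authentication enabled and Anonymous Authentication disabled; the AUTH_TYPE check is there so that if anonymous access is ever switched back on (which leaves AUTH_USER empty) the page refuses rather than guessing.

```cfml
<!--- autoLogin.cfm (hypothetical name). Include it from Application.cfc's
      onRequestStart() only when session.user does not exist yet. Assumes the
      IIS site has Windows Authentication enabled and Anonymous Authentication
      disabled, and that CORP is the only trusted domain. Server, base DN and
      service-account names below are made up for the example. --->
<cfscript>
// RFC 4515 escaping for an LDAP filter value. AUTH_USER comes from IIS, not
// from the client, but escaping costs nothing and keeps the filter intact if
// that assumption ever breaks (defense in depth against LDAP injection).
function ldapEscape(required string value) {
    var out = arguments.value;
    out = replace(out, "\", "\5c", "all");   // backslash first, so later escapes stay intact
    out = replace(out, "*", "\2a", "all");
    out = replace(out, "(", "\28", "all");
    out = replace(out, ")", "\29", "all");
    out = replace(out, chr(0), "\00", "all");
    return out;
}

// Decide whether the CGI values are worth trusting at all. IIS fills
// AUTH_TYPE with "Negotiate" or "NTLM" when it performed Windows
// authentication; anonymous access leaves AUTH_USER and AUTH_TYPE empty.
// Anything else fails closed: no login, no lookup.
function parseAuthUser(required string authUser, required string authType,
                       string expectedDomain = "CORP") {
    var result = { ok = false, reason = "", domain = "", sam = "" };
    if (!listFindNoCase("Negotiate,NTLM", arguments.authType)) {
        result.reason = "not Windows-authenticated (AUTH_TYPE='#arguments.authType#')";
        return result;
    }
    // exactly one backslash with non-empty text on both sides: DOMAIN\user
    if (!reFind("^[^\\]+\\[^\\]+$", arguments.authUser)) {
        result.reason = "AUTH_USER is empty or not DOMAIN\user";
        return result;
    }
    result.domain = listFirst(arguments.authUser, "\");
    result.sam    = listLast(arguments.authUser, "\");
    if (compareNoCase(result.domain, arguments.expectedDomain) != 0) {
        result.reason = "untrusted domain '#result.domain#'";
        return result;
    }
    result.ok = true;
    return result;
}
</cfscript>

<cfset auth = parseAuthUser(CGI.AUTH_USER, CGI.AUTH_TYPE)>
<cfif NOT auth.ok>
    <cflog file="intranet-auth" type="warning"
           text="auto-login refused for #CGI.REMOTE_ADDR#: #auth.reason#">
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfabort>
</cfif>

<!--- The CFLDAP check from the post: does the account exist, and is it usable?
      Bound with a read-only service account. userAccountControl bit 0x2 is
      ACCOUNTDISABLE; the lockout bit (0x10) is only reliable in the
      server-computed msDS-User-Account-Control-Computed attribute. --->
<cfldap action="query"
        name="adUser"
        server="dc01.corp.example"
        port="389"
        username="CORP\svc_intranet_ldap"
        password="#application.ldapServicePassword#"
        start="DC=corp,DC=example"
        scope="subtree"
        filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(auth.sam)#))"
        attributes="sAMAccountName,userAccountControl,msDS-User-Account-Control-Computed"
        maxRows="1">

<cfif adUser.recordCount NEQ 1>
    <cflog file="intranet-auth" type="warning"
           text="auto-login refused: #auth.domain#\#auth.sam# not found in AD">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<cfset uac         = val(adUser.userAccountControl[1])>
<cfset uacComputed = val(adUser["msDS-User-Account-Control-Computed"][1])>
<cfif bitAnd(uac, 2) NEQ 0 OR bitAnd(uacComputed, 16) NEQ 0>
    <cflog file="intranet-auth" type="warning"
           text="auto-login refused: #auth.sam# is disabled or locked out">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Identity established by IIS and confirmed in AD; record it for this session,
      keeping the sAMAccountName as AD returned it rather than the raw CGI text. --->
<cfset session.user = {
    domain     = auth.domain,
    sam        = adUser.sAMAccountName[1],
    loggedInAt = now()
}>
```

The refusals are logged with the reason and, for the first one, the client address, so a spoofing attempt (or simply a misconfigured IIS site) shows up in the log instead of silently producing an empty or anonymous login.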

        • 2. Re: Making an auto-login on our Intranet; how secure is CGI.auth_user?
          Aegis Kleais Level 3

          Being of the CGI scope, I would think it is information that CF and the Web Server seem to share between each other.

           

          I just felt almost naked authenticating someone based on just a username, you know?   I need that password!  With a salt!  Hashed against 'SHA-256!'

           

          Well, if it's good enough for Dan, it's good enough for me!

          • 3. Re: Making an auto-login on our Intranet; how secure is CGI.auth_user?
            BKBK Adobe Community Professional & MVP

            Aegis Kleais wrote:

             

            We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.

             

            The most important questions on security are not based on which techniques to use. They are based on policy. Thus, if the domain trusts its users and the policy is that the intranet is just one of the resources within the domain, then there will be little need for a second layer of authentication.

            Thing is, this variable holds a value that lists the domain and username, but no password (i.e., 'DOMAIN_NAME\user_name').

             

            Well, I can run CFLDAP to determine if this user exists in our active directory and is not disabled/locked, but since a password is not captured/provided, the Intranet would have to assume that 'This is good enough for you to say who you are', and auto-log them in as that user.

             

            My question is, how hard is it to spoof this value?  If someone knows the username of an admin, and can alter the system to capture their credentials as 'DOMAIN_NAME\username_of_admin' then it would log them in as an admin.

            It would be a difficult spoof. Suppose you intend some mala fide action on the intranet. You have managed to get hold of the username, DOMAIN_NAME\username_of_admin. To be able to pull off the spoof, you need to be in the domain, and have admin privileges. To have achieved that in the first place, you needed access to an admin password. We're now down to trust.

            • 4. Re: Making an auto-login on our Intranet; how secure is CGI.auth_user?
              Adam Cameron. Level 5

              BKBK wrote:

               

              Aegis Kleais wrote:

               

              We have CF10 on our Intranet webserver, and I'm developing the authentication system.  The higher ups do not want the Intranet to ask for a login, and instead to pull the user's credentials from the CGI.auth_user variable since they log into a domain before they get to the intranet.

               

              The most important questions on security are not based on which techniques to use. They are based on policy. Thus, if the domain trusts its users and the policy is that the intranet is just one of the resources within the domain, then there will be little need for a second layer of authentication.

               

              Agreed. Given it's an intranet, isn't it intrinsically only available to people already authenticated by the network OS?

               

              I can understand you wanting to identify who the person is, but the remote_user setting should be fine for that.

               

              --

              Adam

              • 5. Re: Making an auto-login on our Intranet; how secure is CGI.auth_user?
                Aegis Kleais Level 3

                Well the Intranet server is on the domain and requires users to be on the same domain as well, but my initial concern wasn't with just people from outside the domain trying to break it, but those who legally have access to the Intranet trying as well.

                 

                We have a couple of technically competent persons who do not belong to the IT department, and Web Security has been a subject that has piqued my interest as of late.  It seems that CF and IIS communicate these variables internally, so it's not like reading from sources like headers that can be intercepted and adjusted mid-communication.

                 

                It sounds like the CGI.auth_user (or getAuthUser() BIF) is seemingly secured enough for my needs.  That's good to hear.

                • 6. Re: Making an auto-login on our Intranet; how secure is CGI.auth_user?
                  BKBK Adobe Community Professional & MVP

                  Aegis Kleais wrote:

                   

                  We have a couple of technically competent persons who do not belong to the IT department

                  There's your mistake right there! You should have made sure all the technically competent persons belong to the IT department.

                  • 7. Re: Making an auto-login on our Intranet; how secure is CGI.auth_user?
                    Adam Cameron. Level 5

                     

                     

                    We have a couple of technically competent persons who do not belong to the IT department

                    There's your mistake right there! You should have made sure all the technically competent persons belong to the IT department.

                     

                    Yeah, cos like everyone in the IT dept is usually technically competent... ;-)

                     

                    --

                    Adam

                    • 8. Re: Making an auto-login on our Intranet; how secure is CGI.auth_user?
                      Aegis Kleais Level 3

                      As nice a thought as that is, we have neither the position open nor scissors sharp enough to cut through all the red tape to make that a reality.