Secure content when using external preview server?

Hi!

In a teamsite-project I joined, we are checking if we can use TEAMSITE for managing (some of) the Intranet content. We already have some existing TEAMSITE projects. We are worried about security, when using an external server for the virtualization (preview) of content. All suggestions are appreciated.

THE SITUATION in production
TEAMSITE is running on Solaris, but we have the Intranet on Microsoft IIS, and users on NT4. Users on the Intranet are authenticated (browser <-> IIS, using "NT Challenge/Response"). Some content (subfolders) of the Intranet are secured, for specific groups (working via the NT Challenge/Response authentication)

THE FUTURE for content creation/...
If moving the Intranet content to TEAMSITE, we must ensure the security constraints. This involves (i) limiting write-access to all folders; (ii) limiting read access to some folders ; both within teamsite.

SOLUTION SO FAR
We are using the following setup:

Users who need to edit/review content creation, get a Solaris account, and access to TEAMSITE. We copied security groups and memberships to UNIX, to limit very precisely which users can access which folders of the content. This is working fine when accessing TEAMSITE through Webdesk, samba, or telnet.

PROBLEM
But, for previewing (virtualizing) the content, we must use another application server (IIS, many .asp files). So we have regex remapping to the IIS server.

[iwproxy_preconnect_remap]
_regex=^.*/(default/main/intranet-BR/WORKAREA/.*)$=http://iis-server/$1

Then, the IIS server gets the contents (.asp, .html, .gif...) from the TEAMSITE mounted filespace over SAMBA, generates any dynamic content, and sends it back to the teamsite proxy, and on to the browser.

The problem is that, for this to work, the account used for running IIS, has full read access over the TEAMSITE content. And this effectively bypasses all security limitations that we have set up :-(

Because, anyone who can guess the preview-URL (teamsite-server>http://teamsite-server/iw-mount/default/main/intranet-BR/WORKAREA/intranet-WA/dir/file), can see the (possibly confidential) content.

SOLUTIONS ?
Any ideas how to prevent this security breach?

- Can teamsite proxy be told to check security on content before remapping it to external server?
- Can teamsite proxy forward the user's credential to the external server, which might (??) be able to use that user's credentials for talking to the samba mount.
- I guess we could deploy content to the IIS server, and have preview happen on the IIS, but that is rather uncomfortable working process for the users!
- would it help if we were running TEAMSITE on a windows platform?
- anything else coming to mind?

Thanks! Frederik.

Find more posts tagged with

Comments

Michael

Hi Frederik,

It may not answer all your questions, but one place you can start is with this TechNote

50172 Stopping Teamsite Authenticated Users from Viewing Unauthorized Content on the TeamSite 5.5 Server
http://devnet.interwoven.com/site.fcgi/techlib/50172

By default, iwproxy allows any authenticated Teamsite user to view any file in Teamsite. This article explains how to allow the administrator to specify files for which iwproxy should verify the user's ability to read the file.

Hope this helps.

Cheers
Michael

Frederik

Hi Michael.

Thanks for pointing me to this technote. I could hit myself on the head, cause I had seen that note as part of my search before posting in the forum, but I had dismissed it as irrelevant.

Does anyone have experience with the [iwproxy_access_control_enabled] setting? Like in a situation as described in my original post?

Comment about that TechNote:
i think the example in it is messed up (after a copy/paste?). It is missing at least one regex_. The same example is used in the sp2 release notes, and doesn't have that problem there. See RN on support site: ts.552sp2.rn_18.htm

Frederik

After some experimentation (TS 5.5.2 sp3, Solaris), I can say that [iwproxy_access_control_enabled] is actually NOT the answer to our problem.

[iwproxy_access_control_enabled] only applies security to requested content that is retrieved by the internal webserver. Not if an external preview server is used (external remapping).

So, back to square one... Anyone else having this problem? anyone who solved it?

I can't believe we would be the first with an external application/preview server & confidential content ;-)

-- Frederik

awizardly

The question, is why you are allowing the external webserver to directly allow access to the teamsite store. OpenDeploy or EasyDeploy should be used to move content to the display server (IIS Apache). I am not sure that you are meant to use the store directly as a display mechanism. What you are talking about goes completely around TeamSite security mechanisms. At best you could configure the rendering webserver to have individual directory permissions applied. This can be applied with .htaccess files for apache and server configuration for IIS I believe.

Frederik

hi awizardly!. Thanks for reacting.

Perhaps you've understood my description differently, than I meant it? We are using the external webserver, not for production viewing, but for virtualization. Since the content is mostly ASP files, the TS internal webserver (apache?) can't serve these. For that reason, virtualization URLs are redirected to an ASP-aware external webserver.

I've seen this procedure mentioned and suggested at various posts..., but without the aspect of security. I'll list just a few :

. http://devnet.interwoven.com/forums/cgi-bin/showflat.pl?Cat=&Board=INTEGRATIONS_GENERAL&Number=14397 TARGET='_blank'>http://devnet.interwoven.com/forums/cgi-bin/showflat.pl?Cat=&Board=PRODUCTS_TEAMSITE&Number=14312
. http://devnet.interwoven.com/forums/cgi-bin/showflat.pl?Cat=&Board=PRODUCTS_TEMPLATING&Number=15463

So yes, we could try to do virtualization by deploying to another server also, but I think that is not the easiest, nor most common way.

Looking forward to further suggestions!

-- Frederik