Tech News

Securing a Process Library

Home

A Process Library website is hosted through Internet Information Services (IIS), Microsoft Windows' web serving platform. The whole or parts of a Process Library can be secured using standard IIS techniques. The methods that we commonly use will be the subject of this article, but implementing security needn't be restricted to these.

Those implemented will depend on factors such as whether the server is to be accessible to clients outside of its domain.

Authentication

Anonymous authentication

When Triaster Server is installed, websites will use Anonymous authentication by default. When anyone makes a request to the website, it's not that person's user account that's accessing the website, but a specific, low-privileged user account: the 'Anonymous' user. That simplifies the permissions required on the folders and files of the Process Library.

This usually means that access to a Process Library website isn't restricted. However, multiple Process Libraries can be isolated while still using Anonymous authentication. If a Process Library is associated with a dedicated IIS site, each such site and an associated, dedicated application pool could be linked to a different, low-privileged account: the application pool's Application Pool Identity account. Permissions for that library's resources would be granted to the appropriate Application Pool Identity account, but not to those accounts associated with other libraries.

On this server, there are two Process Libraries: ProLibrary1 and ProLibrary2.

tech_1

Addresses of these libraries would be of the form:

http://prolibrary1.triaster.co.uk/ProcessLibraries%202011/ProLibrary1
http://prolibrary2.triaster.co.uk/ProcessLibraries%202011/ProLibrary2

The security methods used would mean that trying to access a process library through the wrong site would fail.

http://prolibrary1.triaster.co.uk/ProcessLibraries%202011/ProLibrary2
http://prolibrary2.triaster.co.uk/ProcessLibraries%202011/ProLibrary1

This method of isolation is probably most applicable to Process Libraries that are meant to be accessible from outside of the domain in which the server resides, as Windows authentication is likely to be simpler and more secure within a domain.

Basic authentication

Basic authentication challenges a user to log on before serving any website content. Credentials are transmitted in clear text, so Basic authentication should be used in conjunction with SSL to encrypt traffic, particularly if a website is accessed over the Internet.

It can be an irritation to have to log on to access a website, so this method of authentication would be employed if there isn't an obvious alternative. It could be applied to specific parts of a website, restricting access to some content, whereas the majority of the library may be generally accessible.

Windows authentication

This is probably the favoured method for securing a library that's only available within a local area network. File permissions can be assigned to parts of the library in the same way as any other file system.

Authentication is transparent, so a user isn't challenged if he or she has suitable permissions.

File Permissions

Authentication methods work in conjunction with file permissions to implement security. File permissions are described in an article on our Knowledge Base.

'Triaster Server 2011 - Folder and File Permissions'
http://tinyurl.com/Tri-Permissions

IP Address Restrictions

IP address restrictions can be applied in addition to these authentication methods. This technique is commonly used to restrict access to an 'allowed' list of addresses. Any requests associated with other IP addresses would be denied.

Scope

These configurations can be made at any level in the tree: at server level, site level, library level, etc., enabling granular application of security.

Summary

This has been an overview of some of the techniques that we have used to secure Process Libraries. Perhaps the main points of emphasis are:

  • These have been standard features of IIS, employing perhaps a combination of techniques.
  • Security can be applied selectively, as well as to whole libraries or the server itself.

Register to receive product release notifications

SIGN UP FOR CONNECTOR

Sign up for Connector
Industry best practice and knowledge in our ‘best of breed’ newsletter.
Published bi-annually.

Signup here