James Huckabone

Reputation: 625

Can I restrict website access to specific computers?

I realize that mac addresses or machine ids aren't transferred over the internet, however, I would like to lock down our subscription-based website security so that only specific computers can register and have access to its resources.

Large organizations will subscribe to our service and will undoubtedly have more than one ip for their organization. As well, we'd like to give the ability for their qualified employees to access the website on devices outside of their physical organization (for road-trip presentations, etc.).

Is there a sure-fire way to achieve this end (beyond the username/password assigned to each account)? If not, what would be the most effective approach?

Upvotes: 2

Views: 6537

Answers (2)

ghoti

Reputation: 46816

Instead of restricting access via IP, you want to use something that's actually secure.

Username and password over an HTTPS connection should at least be unsniffable, but you might want to look into client SSL certificates. They can be configured in Apache or other web server software. If username/password authentication is not enough, this is the next (and perhaps final) step up.

UPDATE:

That said, what many application providers will do is provide a method for subscribers to implement an ACL for their accounts. You can even force people to consider their ACL before allowing them to access your services. Think of it this way:

  • An account is set up in your system allowing login from anywhere. Upon creation, the ACL is UNSET.
  • User logs in and is immediately directed to an ACL setup page, where they must provide either an IP address or range or subnet associated with their account. You can be clever and pre-populate things with their existing IP address or subnet, perhaps even looking things up at ARIN to see if their IP is in a network assigned to the company name on their account.
  • Once the ACL is set (or they have, despite your warnings, confirmed that they want to keep their ACL open), they can access your services.
  • If they try to log in from elsewhere, they (and you) are notified via email (or SMS or whatever) of an attempted breach.
  • If they no longer have access to their ACL-listed IPs (i.e. IP renumbering due to a new upstream Internet provider and bad planning), they can call your phone support who will validate them by other means. FAX confirmation perhaps, because that's SO secure...

A user-managed ACL is not a "sure-fire" way, but it may be sufficiently effective for your needs, and it will certainly instill a sense in your customers that you have their best interests at heart.

Upvotes: 2
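The account-ACL workflow described in the answer above, worked through as an added example (this is not code from the original post or from any particular product). It assumes an in-memory `Account` record standing in for the real account store, an `alerts` list standing in for the email/SMS notification, and a simple "same /24 or /64 as the current client" heuristic in place of the ARIN lookup the answer mentions; all of those names are illustrative. The decision function runs only after the password has already been verified, so the ACL is a second layer, not a replacement for authentication.

```python
"""User-managed per-account IP ACL: the login flow from the answer above.

Constructed example; the account store and alert delivery are in-memory stand-ins.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Outcomes of a login attempt once the username/password have already been verified.
ALLOW = "allow"
DENY = "deny"                      # outside the ACL; owner and operator are alerted
ACL_SETUP_REQUIRED = "acl_setup"   # ACL is UNSET; send the user to the setup page


@dataclass
class Account:
    username: str
    # None means UNSET (never configured). An empty list means the user explicitly
    # confirmed, despite the warning, that the account may be used from anywhere.
    acl: Optional[List[Network]] = None
    alerts: List[str] = field(default_factory=list)   # stand-in for email/SMS delivery


def parse_acl(entries: List[str]) -> List[Network]:
    """Parse user-supplied ACL entries: single addresses, CIDR subnets, or
    'start-end' ranges. Unparseable input raises (ValueError, or TypeError for a
    range mixing IPv4 and IPv6) so it is rejected at setup time rather than
    silently locking the customer out later."""
    nets: List[Network] = []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        if "-" in text:
            start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=False accepts host bits set, e.g. "203.0.113.7/24" -> 203.0.113.0/24
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def suggested_acl(client_ip: str) -> List[str]:
    """Pre-populate the setup page with the subnet the user is connecting from
    (/24 for IPv4, /64 for IPv6). This is a plain heuristic; a whois/ARIN lookup
    against the customer's organisation name is assumed to be out of scope here."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 64
    return [str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))]


def set_acl(account: Account, entries: List[str], confirm_open: bool = False) -> bool:
    """Apply the user's ACL. An empty ACL is accepted only when the user has
    explicitly confirmed that they want the account open to any address."""
    nets = parse_acl(entries)
    if not nets and not confirm_open:
        return False
    account.acl = nets
    return True


def check_login(account: Account, client_ip: str) -> str:
    """Decide what happens after a correct username/password arrives from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if account.acl is None:
        return ACL_SETUP_REQUIRED
    # An IPv4 address is never "in" an IPv6 network and vice versa, so a v6 client
    # against a v4-only ACL is correctly denied below.
    if not account.acl or any(ip in net for net in account.acl):
        return ALLOW
    # Outside the ACL: record a notification for the account owner and the operator,
    # then refuse the session. The user recovers via out-of-band support, not here.
    account.alerts.append(f"login attempt for {account.username} from {ip} outside ACL")
    return DENY


if __name__ == "__main__":
    acct = Account("acme-corp")
    print(check_login(acct, "203.0.113.7"))     # acl_setup: force the setup page first
    print(suggested_acl("203.0.113.7"))         # ['203.0.113.0/24']
    set_acl(acct, ["203.0.113.0/24", "198.51.100.10-198.51.100.20"])
    print(check_login(acct, "203.0.113.200"))   # allow
    print(check_login(acct, "198.51.100.15"))   # allow
    print(check_login(acct, "192.0.2.1"))       # deny
    print(acct.alerts)
```

The two things worth copying from this sketch are the three-state ACL (unset, explicitly open, restricted) so that "never configured" can never be confused with "deliberately open", and the fact that the deny path records an alert rather than offering the user a way to widen the ACL from the rejected address, which is what keeps the check meaningful against a stolen password.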

Oswald

Reputation: 31637

There is no sure-fire way. That's in the nature of networks. You accept data from a remote machine and you have to trust it at least to some extent.

Take the simple username/password approach. If the username and the password match, you have to trust that they were entered by the person that the username and password were intended for. This does not fundamentally change if you require more data to be sent by the client.

Upvotes: 0
