Reputation:
I have been tasked with securing a pure HTML website for someone, and I'm not entirely sure how to approach the problem. Here are the constraints:
The vast majority of our user base is very non-technical, so as small a footprint with few requests for logins is necessary.
Normally, I'd have no problem with this, but this is a pure HTML website so my options are a little limited. My current ideas:
I have to admit I'm stuck. Has anyone ever handled a problem like this before?
Upvotes: 2
Views: 862
Reputation: 219
Assuming you are using Windows 2003/IIS6 and your web server is part of your domain, you can do the following:
Configure your website to use Integrated and/or Basic authentication to authenticate against Active Directory. Also disable anonymous access. You'll find these settings by clicking "Edit" in the "Directory Security" tab of your website in IIS Manager. You'll only need to enable Basic if your users will use a browser other than Internet Explorer. If you use Basic, you should also use SSL to protect your usernames and passwords. The level of access is determined by the permissions set on the files/directories on your website's root/child directories. Any files within these directories will only be served to authenticated users.
To allow users on your domain to log on without a prompt, you will need to configure Internet Explorer to automatically log on to sites within your intranet. You'll also need to enable Integrated authentication for your website in IIS.
I'm not sure if the requirements in item #3 will be met. If your hub website uses impersonation it might pass your Windows credentials to another server within your domain but I suspect not.
References:
"How to configure IIS Web site authentication in Windows Server 2003" http://support.microsoft.com/kb/324274/
"Internet Explorer May Prompt You for a Password" http://support.microsoft.com/kb/258063
"How to use security zones in Internet Explorer" http://support.microsoft.com/kb/174360/EN-US/
Upvotes: 1
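One way to verify the settings described in the answer above from the client side, as an added example that is not part of the original answer: it audits the response a site gives to a request sent without credentials. The function names, finding labels and sample responses are hypothetical and constructed for illustration, and it assumes one challenge per `WWW-Authenticate` header line.

```python
# Added example: audit a credential-less probe of the site (status code plus
# WWW-Authenticate header values) against the settings the answer recommends.
# Assumption: each WWW-Authenticate header line carries a single challenge.

def offered_schemes(www_authenticate):
    """Return the lower-cased auth schemes named in WWW-Authenticate values."""
    schemes = set()
    for value in www_authenticate:
        parts = value.strip().split(None, 1)   # scheme is the first token
        if parts:
            schemes.add(parts[0].lower())
    return schemes


def audit_auth(url_scheme, status, www_authenticate):
    """Return a list of findings for one unauthenticated response."""
    if 200 <= status < 300:
        # Content was served with no credentials: anonymous access is still on.
        return ["anonymous-access-enabled"]
    if status != 401:
        return ["unexpected-status-%d" % status]
    findings = []
    schemes = offered_schemes(www_authenticate)
    if not schemes:
        findings.append("401-without-challenge")
    if "basic" in schemes and url_scheme.lower() != "https":
        # Basic sends base64-encoded credentials; without SSL they are readable.
        findings.append("basic-without-ssl")
    if schemes and not schemes & {"negotiate", "ntlm"}:
        # No Integrated authentication: domain users cannot log on silently.
        findings.append("no-integrated-auth")
    return findings


# Constructed sample responses: (URL scheme, status, WWW-Authenticate values).
SAMPLES = {
    "integrated + basic, http": ("http", 401, ["Negotiate", "NTLM", 'Basic realm="hub.example"']),
    "integrated + basic, https": ("https", 401, ["Negotiate", "NTLM", 'Basic realm="hub.example"']),
    "anonymous still enabled": ("http", 200, []),
    "basic only, https": ("https", 401, ['Basic realm="hub.example"']),
}

if __name__ == "__main__":
    for name, (scheme, status, headers) in SAMPLES.items():
        print("%-28s %s" % (name, audit_auth(scheme, status, headers) or "ok"))
```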
Reputation: 7375
If the pure-html site is running on IIS, converting it to a .Net web app just to wrap its resources in your custom conditional forms login using the richer ASP.Net security wrappers seems like a natural enough fit. You can serve the pure HTML files out of that now-application.
This has no downside for the content maintainers that I can see.
Upvotes: 0