
Please provide your suggestions on how to restrict a user login to a specific machine for an ASP.NET website.

In other words, the requirement is to deploy a simple yet effective 2-factor authentication.

The aim is to allow access to employees only from the company workstations. This should be applicable to all company branches and authenticated from a central server application.

After a lot of searching and scrolling the WWW, I am left pondering upon these 2 solutions:

  1. Microsoft Client Side Certificates
  2. RSA SecurID

Please provide your valuable suggestions on the cons of these methods OR better alternatives.

  • So the website is meant to be public but employees should only be allowed to access it internally? Commented Jan 19, 2012 at 19:12
  • I posted a similar question at Security.Stackexchange - security.stackexchange.com/questions/10835/… Commented Jan 19, 2012 at 19:35
  • @Icarus, the website is to be accessed by the employees (only) through their respective machines. Commented Jan 19, 2012 at 19:36
  • Question Guy: I am trying to achieve the same thing. I am considering Microsoft Client Side Certificates. If you have found any useful resource on how to configure and use it, please share. Or, suggest to me if you have found another better alternative.... Commented Feb 18, 2014 at 6:02

2 Answers

See this question from earlier today about how to determine whether they're on the LAN: How can I get information about the users network when he tries to authenticate towards my IIS?

Go with your routing information. If you only allow access from your internal system addresses that should meet your goals. It seems to me that the two links you posted are extra authentication factors that could be bolted on top of this.


5 Comments

@JeffFedland - What about company branches across the globe? They don't have static IP addresses.
@JeffFedland - Would I be wrong to ask that the application be required to be installed on the local LANs of each branch to filter by IP by IIS?
@QuestionGuy Do they not have a VPN connection between outlying offices? If they do, all the request addresses will appear internal. If they don't, I cry shame.
@JeffFedland - VPNs restrict the logins to within the network, but the requirement is to restrict to Per-User-Per-Machine. Which means I can only log in through my machine and you only through yours.
And IP addresses can be spoofed by a malicious user connecting to the network.

Easier and cheaper solution is to restrict access by IP address. I assume the company's workstations all have internal IP addresses, is that not the case?

You can get the client's IP address (looking at the request headers) and in conjunction with the username (i.e. it's an employee username or not?) determine whether he/she can access the website from where she's logging in.

5 Comments

Yes, the company workstations have domains and forests, but couldn't a malicious user spoof the IP address to sneak in?
@QuestionGuy IP Spoofing is not an easy attack; it requires some sort of triangulation for it to work since once the server responds to the request, it will send it back to the real IP address and the attacker will need that computer to be able to forward those packets back to his real IP. How concerned should you be about a scenario like this? IP spoofing used to be very effective by launching DoS attacks using PING flooding via amplification networks, but not so much today.
Simply said, I can still set my laptop to a valid internal IP and connect to the network.
@QuestionGuy And? Isn't that allowed? If you have physical access to network and you are allowed -as a company policy- to hookup your laptop, what's the deal if you use your laptop or your workstation to access the website? You shouldn't be allowed to hookup your laptop to the internal network at all. That's why companies have "GUEST Networks" that usually run on a different network segment. The bottom line is that if you have physical access to the place, you can do whatever the hell you want if you are determined.
It's easy to set up parallel access networks in the company's main offices, but what about branches and franchisees?
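As an added example (not code from the thread or either answerer), the IP-based approach above extended with the per-user-per-machine mapping the asker wants: a C# helper that checks the address IIS saw on the connection (`Request.UserHostAddress`, i.e. REMOTE_ADDR) against each employee's allowed networks. The class name, user names and network ranges are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;

// Hypothetical helper (not from the thread): a per-user, per-machine allow-list checked
// against the TCP peer address IIS recorded (REMOTE_ADDR). X-Forwarded-For and similar
// headers are client-controlled and deliberately ignored.
public static class WorkstationGate
{
    // Constructed sample policy: source networks each employee may log in from. In a
    // real deployment this comes from a central store shared by all branches.
    private static readonly Dictionary<string, string[]> AllowedNetworks =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "10.1.20.15/32" } },              // one fixed workstation
            { "bob",   new[] { "10.2.0.0/16", "fd00:2::/64" } }, // a branch's VPN ranges
        };

    public static bool IsLoginAllowed(string username, IPAddress remote)
    {
        string[] networks;
        if (username == null || remote == null ||
            !AllowedNetworks.TryGetValue(username, out networks))
            return false;                                         // unknown user: deny
        foreach (var cidr in networks)
            if (InNetwork(remote, cidr)) return true;
        return false;
    }

    // True when 'addr' lies inside 'cidr' (e.g. "10.2.0.0/16"): compares the leading
    // prefix bits of the raw address bytes. Mixed IPv4/IPv6 families never match.
    public static bool InNetwork(IPAddress addr, string cidr)
    {
        var parts = cidr.Split('/');
        var net = IPAddress.Parse(parts[0]);
        if (addr.AddressFamily != net.AddressFamily) return false;
        int maxBits = net.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
        int prefix = parts.Length > 1 ? Math.Min(int.Parse(parts[1]), maxBits) : maxBits;
        byte[] a = addr.GetAddressBytes(), n = net.GetAddressBytes();
        for (int bit = 0; bit < prefix; bit++)
        {
            int mask = 0x80 >> (bit % 8);
            if ((a[bit / 8] & mask) != (n[bit / 8] & mask)) return false;
        }
        return true;
    }
}
```

Call `WorkstationGate.IsLoginAllowed(username, IPAddress.Parse(Request.UserHostAddress))` from the login page before issuing the authentication ticket; as the comment thread notes, a source address only proves which network the request arrived from, so this narrows where a login can come from rather than binding a user to one physical machine the way a client certificate or SecurID token would.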
