
Post on 03-Dec-2014


FreeProxy Internet Suite: Working with Permissions

Document Version 1.0, 24 May 2007. Applies to FreeProxy Internet Suite V3.9 build 1632 or later.


Contents

1 Purpose
2 Permissions, Resources and Authentication Overview
3 Users and Groups
  3.1 Built in Groups
  3.2 User defined groups
4 Authentication
  4.1 Is Authentication Necessary?
  4.2 Which Authentication Method?
5 Resources
  5.1 Resource attributes
  5.2 HTTP Proxy Resource Types
  5.3 Using wildcards
6 Permission process
  6.1 How the process works
  6.2 The order of processing
  6.3 Processing logic
  6.4 Check Resources Function
  6.5 Check permissions function
7 Examples and applications
  7.1 Limiting access to all users to certain sites
  7.2 Limiting access to all sites with exceptions
  7.3 Forcing users to authenticate - FreeProxy Users
  7.4 Forcing users to authenticate - Windows Users
  7.5 Working with Windows Groups
  7.6 Providing different levels of access
  7.7 Restricting access based on IP address
  7.8 Restricting users from sharing credentials
  7.9 Other resource types for HTTP Proxy
8 Appendix: SOCKS
  8.1 Authentication Methods
  8.2 Socks protocol
  8.3 SOCKS resource permissions


Change History

Version: 1
Date: 24 May 2007
Who: Greg Robson Garth
Comment: Initial version


1 Purpose

The ability to control access to the internet is crucial for a number of reasons. The first is a reduction in internet costs by preventing unnecessary downloads, the second is to enable you, the Systems Administrator, to implement your company's security policy and thirdly it is to help prevent unwanted access to an important resource both from within your intranet and from the outside.

The purpose of this guide is to explain how to control access to the services provided by the FreeProxy Internet Suite (FIS). An understanding of the terminology and concepts will allow you to implement rigorous and precise access permissions.

This document focuses on HTTP authentication.


2 Permissions, Resources and Authentication Overview

Before starting, you should be familiar with the terminology used in the FreeProxy Internet Suite.

Authentication: Authentication is the process of ensuring that the user id and password you are using are valid. For HTTP, the context for authentication is usually a domain. If you authenticate using NTLM, then the context is a Windows domain. If authenticating using Basic or Digest, then you can name the domain. In the case of other protocols, authentication will normally occur by simply validating that your user id and password are valid. Until such time as a user does authenticate, they are given a substitute user id of DefaultUser.

Resources: A resource is something over which you can exert control. For example, access to the HTTP proxy is a resource, access to a particular URL is a resource. All these resources provide some service to the end user. For each of these resources, you can control who uses the resource and the times during which they can be used.

Resource Permission: A permission is the granting of a right of access to a particular user, for access to a particular resource at a particular time. The user may or may not be authenticated. In this document and other FreeProxy documentation this is known as either a Resource Permission (permission for a user to access a particular resource) or simply a Permission.


3 Users and Groups

Users can be specified in FIS or they can be referenced from a Windows Domain controller. For all HTTP related operations, the user must be a member of a group.

3.1 Built in Groups

Built in groups are defined in FIS and cannot be changed. There are 2 built in groups:

AllUsers: All users, including the John Doe of users, DefaultUser, are members of this group.

WindowsUsers: Members of this group are users who have already successfully authenticated with a Windows domain controller or Active Directory.

3.2 User defined groups

All of the permission setting is done with groups and not users. There are 2 types of user defined groups.

FreeProxy Groups: You can define a group in FreeProxy and give it a name. This group would only be known within the confines of FreeProxy. Users can be assigned to the groups and then the group can be used to specify who has permission to access a resource.

Windows Groups: If you already have an established Windows Domain with a Windows domain controller or Active Directory, you can import the group into FIS. This does not actually import the users into FreeProxy but rather registers the group name as one of the available groups you can use to assign to a resource permission. When the FreeProxy server program runs, it will import the users before starting and again at regular intervals. You specify the interval when importing the group.
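The terms defined in sections 2 and 3 (users, built in and user defined groups, resources, timed permissions) can be tied together in a small model. This is an added illustration, not FreeProxy's own code or its actual processing logic. The default-deny rule, the "challenge" outcome, the resource names and the Finance group are assumptions.

```python
from dataclasses import dataclass
from datetime import time

DEFAULT_USER = "DefaultUser"   # substitute user id held until a user authenticates

@dataclass(frozen=True)
class Permission:
    group: str      # permissions are set on groups, not on individual users
    resource: str   # constructed resource name, here a URL
    start: time     # start of the window in which access is granted
    end: time       # end of that window

@dataclass(frozen=True)
class User:
    name: str = DEFAULT_USER
    windows_authenticated: bool = False

def groups_for(user, fp_groups):
    """Resolve membership: built in groups plus user defined FreeProxy groups."""
    groups = {"AllUsers"}                   # everyone, DefaultUser included
    if user.windows_authenticated:
        groups.add("WindowsUsers")          # only after Windows domain authentication
    groups |= {g for g, members in fp_groups.items() if user.name in members}
    return groups

def decide(user, resource, now, permissions, fp_groups):
    """Return 'allow', 'challenge' or 'deny' (assumed default-deny model)."""
    live = [p for p in permissions
            if p.resource == resource and p.start <= now <= p.end]
    if any(p.group in groups_for(user, fp_groups) for p in live):
        return "allow"
    # Unauthenticated, but another group holds a live permission: ask for credentials.
    if user.name == DEFAULT_USER and live:
        return "challenge"
    return "deny"

# Constructed sample configuration (hypothetical names)
FP_GROUPS = {"Finance": {"alice"}}
PERMISSIONS = [
    Permission("AllUsers", "http://intranet.example/", time(0, 0), time(23, 59)),
    Permission("Finance", "http://bank.example/", time(8, 0), time(18, 0)),
    Permission("WindowsUsers", "http://news.example/", time(12, 0), time(13, 0)),
]
```

A permission granted to AllUsers is usable without credentials, because DefaultUser is a member of that group; granting it to any other group is what makes authentication a precondition for the resource.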


4 Authentication

4.1 Is Authentication Necessary?

Until such time as the web service or proxy (eg: FreeProxy) requests user credentials, the only identifying information associated with your HTTP message is your IP address; and this may be sufficient for an internal network where all access is the same for everyone. You can still lock out undesirable web sites but doing so locks out everyone without discrimination. You also cannot report on individual access and usage unless you can map an IP address to a user.

So in answer to the question, is authentication necessary?, it depends on whether you need user information or not, or, whether you need to grant specific access rights to specific individuals. If you don't, then authentication is not necessary and all users are named DefaultUser. If you do, then it is.

4.2 Which Authentication Method?

There are currently 3 authentication methods available in FreeProxy.

Basic
Digest
NTLM

In FreeProxy you can select any one or a combination of authentication methods. The client will be offered your selection and it will be up to the client to select the one it wants to use. If you only want to provide one choice, check only one of the options.

Note: selecting an authentication method does not force authentication to occur. This is done when specifying Resource Permissions. It's quite possible to allow some resources to be accessed without authentication and to force authentication to access t