Thursday, November 10, 2011

Securing Administration Section of Archive Viewer 4.0

There is a known bug with the access control of the Administration section of Archive Viewer 4.0.80.

If one user authenticates to the Administration section and a second user, who is not in any of the groups allowed by the "AdminSecurity" key of web.config, then attempts to access it, the request is served under the first user's credentials rather than the ones the second user provided.  This only appears to happen if the two logins occur within one minute of each other.

The root cause is that page output caching is enabled on the landing page of the Admin section: once the page has been rendered for an authenticated user, the cached copy is served to the next request regardless of who makes it, which is consistent with the one-minute window described above.  This will be addressed in our next iteration, but for now we provide the following work-around.

The work-around restricts the NTFS file permissions of the Admin folder of the InstantAV4 website so that only the intended administrators have access to it at the file-system level, independently of the cached page.
  1. Log in to the server hosting InstantAV4 using an account to which you will grant Admin access (this account must keep access to the folder once inheritance is removed below).
  2. Open IIS Manager, and navigate to the Admin folder of the InstantAV4 website in the side panel.  Right-click and select Edit Permissions...
  3. Click the Advanced button.  On the Advanced Settings dialog, click Change Permissions...
  4. Uncheck Include inheritable permissions from this object's parent.  When prompted with the small dialog, select Add, so that the inherited entries are copied as explicit entries you can then edit.
  5. Add permissions for the users (or a group) you want to have access to the Admin section.  Select Full Control, which gives those users every permission the section could need; Read & Execute is the least-privilege alternative and is normally sufficient for serving the pages, so you may start there and widen only if the section fails to load.  Be sure to include the account you are logged into the server with, or you will lose access to the folder yourself!
  6. Remove the remaining entries for other users and groups.  Entries that are safe to remove include Domain Users, Administrators, Local Administrators, Local Users, and similar broad groups.  Do not remove SYSTEM, and do not remove the identity the site's worker process runs as (its application pool identity, or IIS_IUSRS), because the worker process still has to read the files in this folder.
  7. Restart the website (in IIS Manager, select the InstantAV4 site and choose Restart under Manage Website).
Now, when you access the Admin portal with the credentials of one of the provisioned users, you should have normal access.  With any other account you will be prompted for credentials repeatedly and eventually shown an HTTP 401 - Unauthorized error page.  When testing, use the non-provisioned account within a minute of a successful admin login, since that is the window in which the bug appears.
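The same work-around as a PowerShell script, for servers where you would rather not click through IIS Manager or need to apply it repeatably.  This is an added example, not code from the original post or from the Archive Viewer product; the physical path of the Admin folder, the domain name, the account names, and the site and application pool names are assumptions and must be replaced with your own.

```powershell
# Added example (not from the original post): applies the NTFS work-around for the
# InstantAV4 Admin folder with PowerShell instead of the IIS Manager GUI.
# Run from an elevated PowerShell on the web server, logged in as one of $allowedAccounts.
# Every value below is an assumption to replace: path, domain, accounts, site and pool names.
$adminPath       = 'C:\inetpub\wwwroot\InstantAV4\Admin'   # assumed physical path of the Admin folder
$siteName        = 'InstantAV4'                              # assumed IIS site name
$appPoolName     = 'InstantAV4'                              # assumed application pool name
$domain          = 'CONTOSO'                                 # assumed domain
$allowedAccounts = @("$domain\jdoe", "$domain\AV4-Admins")   # assumed admin users/groups; include yourself
$adminRights     = 'ReadAndExecute'   # least privilege; the post uses 'FullControl', switch if the section fails to load

# Broad entries the post lists as safe to remove (Domain Users, Administrators, local Users/Administrators).
$removeThese = @("$domain\Domain Users", 'BUILTIN\Users', 'BUILTIN\Administrators')

$acl = Get-Acl -Path $adminPath

# Step 4: stop inheriting from the parent folder. The second $true copies the inherited
# entries as explicit ones, which is what the "Add" button in the dialog does.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $adminPath -AclObject $acl
$acl = Get-Acl -Path $adminPath

# Step 6: drop the broad group entries. Iterating the current ACL means we only touch
# identities that actually resolve on this machine.
foreach ($rule in @($acl.Access)) {
    if ($removeThese -contains $rule.IdentityReference.Value) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }
}

# Step 5: grant the intended administrators, inherited by all files and subfolders.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($account in $allowedAccounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $account, $adminRights, $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($rule)
}

# Keep the worker process able to read the pages. On IIS 7.5 and later the pool runs as
# "IIS AppPool\<name>" by default; use IIS_IUSRS or your custom identity if you changed it.
$workerRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "IIS AppPool\$appPoolName", 'ReadAndExecute', $inherit, $propagate, 'Allow'
$acl.AddAccessRule($workerRule)

Set-Acl -Path $adminPath -AclObject $acl

# Step 7: restart the site.
Import-Module WebAdministration
Stop-Website -Name $siteName
Start-Website -Name $siteName

# Check: list the resulting entries. Nothing should be inherited any more, and only your
# admins, SYSTEM and the worker identity should remain.
Get-Acl -Path $adminPath |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

After running it, `icacls` on the Admin folder should show the same short list, and a browser logged in as an account outside $allowedAccounts should reach the 401 page even when it tries within a minute of a provisioned administrator's login.  The script grants Read & Execute by default as the least-privilege choice; set $adminRights to 'FullControl' to match the GUI steps exactly.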
