lookserver - Securing access to settings

Posted by Vas Mintzikos on Dec 4, 2013 11:00:00 AM

   

Let's review the functions and settings to access useful resources with looksoftware and lookserver.

lookserver’s settings pages are used to configure lookserver (e.g. fonts, colors) as well as maintain lookserver (e.g. apply licenses and monitor license usage). These functions are typically performed during the setup phase of lookserver or used only occasionally for monitoring usage, and typically only by an administrator.


By default, the settings pages for all the latest releases of lookserver (9.1 and 10.0) can only be accessed from the Windows server console where lookserver is installed, which prevents remote access. The following information will guide you through configuring lookserver to allow remote users to access lookserver’s settings.

 

Roles

Access to settings is controlled via the use of roles within the web.config file located within the lookserver installation folder.

The following entries relate specifically to access control:

   <roleManager defaultProvider="NullRoleProvider" enabled="true">
     <providers>
       <clear/>
       <add name="WebSettingsRoleProvider" type="lookserver.Models.WebSettingsRoleProvider" />
       <add name="NullRoleProvider" type="lookserver.Models.NullRoleProvider" />
     </providers>
   </roleManager>

   <add key="NullProviderAllowsRemoteAccessToSettings" value="false"/>

 

By default lookserver will not ask for user authentication when the defaultProvider value is set to NullRoleProvider. This allows you to access the lookserver settings page from the Windows Server console where lookserver is installed (e.g. http://localhost/lookserver10/settings ).

If you wish to allow access to the settings from any remote machine (instead of just from the Windows server console) then you can set the NullProviderAllowsRemoteAccessToSettings value to true. This will revert the access to how previous lookserver versions behaved. Note that while the defaultProvider is still NullRoleProvider, lookserver will not ask those remote users for authentication.

If you wish to turn on user-based authentication for settings then the following changes are required:

1) Access the User’s page under lookserver’s settings, e.g. http://localhost/lookserver10/Settings/RoleManager
2) Add the user in the format DOMAIN\user, making sure the domain name (or computer name) is uppercase
3) Once you have added each user, press update to apply the changes (refer to Figure 1).

Figure 1: Adding users


4) Open web.config and change the defaultProvider to WebSettingsRoleProvider, i.e.
<roleManager defaultProvider="WebSettingsRoleProvider" enabled="true">

5) A prerequisite of user-based authentication is having Windows authentication enabled for your lookserver instance under IIS. This may not be installed by default. Further information on installing Windows authentication can be found here.

Refer to Figure 2 for enabling Windows authentication for lookserver after it has been installed.

 

Figure 2: Enabling Windows Authentication for lookserver

 

Once your changes have been made, simply restart the website (you can use the IISRESET command) and test your user-based access.

If you'd like to secure lookserver further, information on setting up SSL on the website hosting lookserver can be found here: How to set up SSL
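
The PowerShell function below is an added example, not looksoftware code: it reads the two web.config entries discussed above and reports which access mode the settings pages are in. The function name, the result labels, the `<configuration>`, `<appSettings>` and `<system.web>` wrappers in the constructed sample, and the treatment of a missing key as false are assumptions.

```powershell
# Added example, not lookserver code: classify who can reach the settings pages.
function Get-LookserverSettingsAccess {
    param([Parameter(Mandatory)][xml]$Config)
    # Find elements by name so the check does not depend on their parent section.
    $roleManager = $Config.SelectSingleNode('//roleManager')
    $remoteFlag  = $Config.SelectSingleNode("//add[@key='NullProviderAllowsRemoteAccessToSettings']")
    if ($null -eq $roleManager) { return 'UNKNOWN: no <roleManager> element found' }
    # Trim so a padded attribute value is still classified.
    $provider   = $roleManager.GetAttribute('defaultProvider').Trim()
    $registered = @($roleManager.SelectNodes('providers/add') | ForEach-Object { $_.GetAttribute('name') })
    if ($registered -notcontains $provider) {
        return "INVALID: defaultProvider '$provider' is not listed under <providers>"
    }
    if ($provider -eq 'WebSettingsRoleProvider') {
        return 'USER-BASED: settings require a user added on the RoleManager page'
    }
    if ($provider -ne 'NullRoleProvider') { return "UNKNOWN: provider '$provider' is not covered here" }
    # NullRoleProvider does not ask for authentication, so the flag decides exposure.
    # Assumption: a missing key is treated like value="false".
    $remote = ($null -ne $remoteFlag) -and ($remoteFlag.GetAttribute('value') -eq 'true')
    if ($remote) { return 'EXPOSED: settings reachable from remote machines without authentication' }
    return 'CONSOLE-ONLY: settings reachable without authentication from the server console only'
}

# Constructed sample built from the entries shown on this page; the wrapper
# elements are assumed. {0} = defaultProvider, {1} = remote-access flag.
$template = @'
<configuration>
  <appSettings>
    <add key="NullProviderAllowsRemoteAccessToSettings" value="{1}"/>
  </appSettings>
  <system.web>
    <roleManager defaultProvider="{0}" enabled="true">
      <providers>
        <clear/>
        <add name="WebSettingsRoleProvider" type="lookserver.Models.WebSettingsRoleProvider" />
        <add name="NullRoleProvider" type="lookserver.Models.NullRoleProvider" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
'@
Get-LookserverSettingsAccess -Config ($template -f 'NullRoleProvider', 'false')        # values shown on this page
Get-LookserverSettingsAccess -Config ($template -f 'NullRoleProvider', 'true')         # remote access switched on
Get-LookserverSettingsAccess -Config ($template -f 'WebSettingsRoleProvider', 'false') # after step 4
```

To check a real installation, pass the file contents instead of the sample, for example `-Config (Get-Content .\web.config -Raw)` run from the lookserver installation folder.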



Author: Vas Mintzikos, Support Manager, looksoftware

 

Topics: lookserver, looksoftware, Alison Butterill, Security