Spoofing LOGON_USER
When an IIS web application has "Integrated Windows authentication" enabled and "Enable anonymous access" is disabled, the LOGON_USER server variable will contain the name of the user accessing the website.
I wasn't sure if this method is really secure. Can't the LOGON_USER server variable be modified? These are my findings:
- IE will try to authenticate the user by hashing the username and password and sending it to the server.
- The server will then compare the hashes to the user on the domain.
- If the hashes match, the user has been authenticated successfully.
Note that no passwords are passed directly. Also, because both the username and password are hashed, it's not possible to simply spoof the username. You need the password as well.
Sounds pretty secure to me.
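A simplified model of the exchange described above, added here as an example and not code from the original post or from IIS: the server issues a random challenge and the client answers with a keyed hash bound to the account name. SHA-256 stands in for NTLM's MD4 and HMAC-MD5 primitives, and the accounts, passwords, `Server` class and function names are constructed for illustration.

```python
import hashlib, hmac, os

# Assumption: SHA-256 stands in for NTLM's MD4 NT hash and HMAC-MD5.
def password_hash(password):
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Constructed account store: the server holds password hashes, not passwords.
ACCOUNTS = {"CORP\\alice": password_hash("correct horse"),
            "CORP\\bob": password_hash("hunter2")}

def response_key(pw_hash, account):
    # The account name is mixed into the key, binding a response to one user.
    return hmac.new(pw_hash, account.upper().encode("utf-16-le"), hashlib.sha256).digest()

def client_response(account, password, challenge):
    key = response_key(password_hash(password), account)
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.pending = {}  # connection id -> outstanding challenge

    def new_challenge(self, conn_id):
        self.pending[conn_id] = os.urandom(16)
        return self.pending[conn_id]

    def authenticate(self, conn_id, account, response):
        """Return the name the server would expose as LOGON_USER, or None."""
        challenge = self.pending.pop(conn_id, None)  # each challenge is single use
        stored = ACCOUNTS.get(account)
        if challenge is None or stored is None:
            return None
        key = response_key(stored, account)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, response) else None

def demo():
    srv, alice, bob = Server(), "CORP\\alice", "CORP\\bob"
    c1 = srv.new_challenge(1)
    good = client_response(alice, "correct horse", c1)
    ok = srv.authenticate(1, alice, good)
    c2 = srv.new_challenge(2)  # alice's name, but not alice's password
    wrong_pw = srv.authenticate(2, alice, client_response(alice, "hunter2", c2))
    c3 = srv.new_challenge(3)  # bob's valid response relabelled as alice
    relabel = srv.authenticate(3, alice, client_response(bob, "hunter2", c3))
    srv.new_challenge(4)       # old response replayed against a fresh challenge
    replay = srv.authenticate(4, alice, good)
    return ok, wrong_pw, relabel, replay
```

`demo()` returns the authenticated name for the first exchange and `None` for the other three, which is why the server only fills in a user name after a response verifies against that account's stored hash.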