Basic Authentication | IIS 6: The Complete Reference

Basic authentication is a widely accepted means of authentication. Because all the information is presented and transmitted in clear text, it’s easy to use and makes for easy program interoperability, but the passwords can be found out faster than you can say “security risk.”

Both the web server and FTP server components in IIS support Basic authentication. Here’s how it works in IIS:

The user enters a username and password for authentication.
The web browser Base64-encodes the password and sends it to the server.
IIS verifies that the username and password are valid, and that they have access to the resources.

Pretty straightforward, eh? Since Basic authentication is built into the HTTP specification, most browsers support it, which gives Basic authentication an edge when you’re dealing with non-Microsoft browsers. You can get around the clear text password problem by using the Secure Socket Layer (SSL) protocol to encrypt all the traffic as it moves across the network.

Internet Explorer (IE) versions 2.0 and later will attempt to use Integrated Windows authentication before using Basic authentication.

Note

Base-64 refers to the system used to represent the password as a number. Other common bases are Base-10 (ordinary decimal numbers), Base-2 (binary numbers), and Base-16 (hexadecimal numbers). Base-64 encoding is detailed in RFC 1521, authored by Nathaniel Borenstein and Ned Freed. It defines a 65-character subset of the US-ASCII character set and uses 6 bits per character. The characters are uppercase and lowercase A–Z, the numbers 0–9, and the special characters + and /. The equal sign (=) is the sixty-fifth character, and it is reserved for padding at the end of data.

Basic Authentication Tokens

IIS keeps a token cache for logons using Basic authentication. When you log on to a Windows server, an access token is created with all the SIDs for all the groups of which you are a member. This token is stored in the token cache, and IIS impersonates this token when accessing objects. This cache is used so that IIS doesn’t have to authenticate you every time you access something. While this improves performance for IIS, it can be a security risk, because someone could gain access to that token in the token cache before it falls out of the cache. The default Time to Live (TTL) for a token is 900 seconds.

You can reduce this risk in two main ways:

Don’t log on using Basic authentication with any user account that has elevated rights, especially Administrator rights.
Set the UserTokenTTL setting in the registry to a lower value so that tokens expire more frequently. You can even set it to 0 so that tokens are not cached at all.

Obviously, not caching tokens causes a performance hit. You need to weigh this against the need to have Administrator accounts that access the server.

Note

The UserTokenTTL registry key is located at HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\InetInfo\Parameters\UserTokenTTL. It may not be present on your system, so you may need to add the key. As usual, editing the registry is dangerous, so be careful here.

User Accounts and Basic Authentication

To use Basic authentication, a user account must be defined on either the local machine or on a trusted domain controller. The account-based access control is all done through the NT File System (NTFS) permissions on the file system. In the Authentication And Access Control section on the Directory Security tab of the Properties window for an object in the IIS MMC (accessed by right-clicking an object in the left pane of the MMC and choosing Properties), you simply click the Edit button and specify the type of authentication to be used and the default domain (if you’re a member of a domain). You can also specify a realm, but that field doesn’t mean anything on the server end— it simply displays that value to the client when the logon box pops up.