Lesson 2: Web Authentication

By itself, a Web server has no way to determine the identity of an Internet user. That is not a problem for most public Web sites, but private areas of a site need a way to authenticate users. IIS supports a variety of authentication methods for this purpose. This lesson explains these methods and their advantages and disadvantages.

Understanding the different authentication methods available for Web access is crucial to securing Web servers.


After this lesson, you will be able to

  • Understand IIS authentication methods

  • Enable and configure anonymous access

  • Manage IIS authentication settings

Estimated lesson time: 30 minutes


Understanding Web Authentication

IIS supports several different authentication methods, ranging from simple password-based authentication to authentication using SSL certificates.

When an anonymous user connects to a Web server, IIS services the request under the default anonymous Web account, which is typically named IUSR_computername. This account is created when IIS is installed and, as with all accounts, is a member of the Everyone group.

When a Web browser sends a request, IIS services it on a worker thread that impersonates the IUSR_computername account (its access token is attached to the thread), so every file the request touches is checked against that account's permissions. HTTP itself is stateless: the TCP connection can be reused for further requests, and any per-browser state the server keeps (ASP session state, for example) is discarded after a period of inactivity, 20 minutes by default.

When a browser requests a Web page, IIS reads the file in the security context of that account, just as if the user had logged on to the domain and read the file from a file server. Whenever the anonymous account is denied access to a requested file, IIS asks for the user's credentials and, once it has them, services the request on a new thread that impersonates the authenticated user, according to the following rules:

  • If the user's Web browser provides a certificate that is mapped to a certificate on the Web server, the user is logged on using the mapped certificate (see Lesson 3).

  • If the Web browser can provide credentials automatically using the user's computer logon information, the server automatically logs the user on using those credentials.

  • If neither of these methods succeeds, the Web server returns an HTTP 401 response listing the enabled authentication methods, and the browser displays a logon prompt.

    You can force users to authenticate with the Web server. Change the NTFS permissions of the Web page files so that they no longer list the IUSR_computername account or the Everyone group, and grant access only to the users or groups you choose. Remove the entries rather than adding Deny entries: an explicit Deny for Everyone overrides any Allow you grant. Note also that at least one authentication method other than Anonymous Access must be enabled on the site, or users receive a 401 error instead of a logon prompt.

Anonymous Access

Web pages that do not authenticate the user at all use anonymous access, also called anonymous authentication. When IIS is first installed, it creates a user account called IUSR_computername, where computername is the name of the IIS computer. This account is a member of the Guests group and, as with all accounts, of the Everyone group.

By changing the NTFS permissions for the IUSR_computername account or the Guests group, you can control which areas anonymous users can access. You can also specify a different user account for anonymous access in the Web site's properties. This allows you to configure a separate account for each site and manage its permissions individually rather than through the Guests group.

To change the user account that represents anonymous users, open the Properties dialog box for a server, Web site, or virtual directory. Click the Directory Security tab, and then click Edit in the Anonymous Access And Authentication Control area. In the Authentication Methods dialog box, ensure that the Anonymous Access check box is selected, and click Edit to change the user account used for anonymous access. If you want to create a new account for this purpose, create it in the Active Directory Users And Computers management console (or in Local Users And Groups on a server that is not a domain controller), and then select it in the authentication control properties for IIS.

If you disable the Anonymous Access option, you must configure one of the authentication methods described below, or users will be unable to access the Web site.

Basic Authentication

Basic authentication, part of the HTTP standard, is a simple method that provides minimal security. Use it only when security is not critical or when the connection is protected by SSL, because basic authentication requests are not encrypted: the user name and password are merely Base64-encoded. To enable basic authentication, select the Basic Authentication check box in the Authentication Methods properties for a Web site.

Basic authentication uses existing user names and passwords in a domain. When you create accounts for basic authentication, you must assign each account the Log On Locally user right.

Users can specify a domain when they authenticate. A default domain is used for users who do not specify a domain. You can specify this default domain by clicking Edit next to the Basic Authentication check box.

Basic authentication should be used only for private areas of otherwise public Web sites when the purpose for its use isn't as much to provide security as it is to restrict access, such as for members-only sites.

Basic authentication sends passwords across the network in a form that anyone can decode (Base64 is an encoding, not encryption), so it is vulnerable to network sniffing. Use it only to meet low-level security needs, or combine it with SSL so that the whole request, password included, is encrypted in transit.
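To make the exposure concrete, the following added example (not code from the lesson or from IIS) builds the Authorization header a browser sends after the logon prompt and then recovers the credentials from the raw request exactly as a sniffer on the network path would. The request, host name, account DOMAIN\jsmith and password are all constructed for the example.

```python
"""Basic authentication as a network sniffer sees it (added example)."""
import base64
import re

# Matches the header a browser adds after the logon prompt (case-insensitive name).
AUTH_HEADER = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                         re.IGNORECASE | re.MULTILINE)


def build_basic_header(username: str, password: str, domain: str = None) -> str:
    """What the browser sends: Base64 of user:password, no encryption involved.
    IIS accepts DOMAIN\\user when the user specifies a domain at the prompt."""
    if domain:
        username = f"{domain}\\{username}"
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def extract_basic_credentials(raw_request: bytes):
    """What anyone on the path recovers from the same request.
    Returns {'domain', 'username', 'password'} or None if no Basic header."""
    match = AUTH_HEADER.search(raw_request)
    if not match:
        return None
    decoded = base64.b64decode(match.group(1)).decode("latin-1")
    # RFC 2617: split at the FIRST colon only; the password may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    domain, _, username = user.rpartition("\\")   # "DOMAIN\\user" or bare "user"
    return {"domain": domain or None, "username": username, "password": password}


# Constructed request (hypothetical host and account, not from the lesson):
# the browser answering the prompt with DOMAIN\jsmith and password P@ssw0rd!.
CAPTURED_REQUEST = (
    b"GET /members/index.htm HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    + b"Authorization: "
    + build_basic_header("jsmith", "P@ssw0rd!", domain="DOMAIN").encode("ascii")
    + b"\r\n\r\n"
)

if __name__ == "__main__":
    print(extract_basic_credentials(CAPTURED_REQUEST))
```

Nothing in `extract_basic_credentials` needs a key or a secret; the only thing standing between a sniffer and the password is SSL on the connection.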

Digest Authentication

Digest authentication is defined alongside HTTP 1.1 (RFC 2617) and provides a more secure method. In digest authentication, the client sends a one-way hash (an MD5 digest) computed from the user name, password, realm, and a nonce received from the server; the server computes the same hash from its own copy of the password and compares the two. This avoids sending plaintext passwords over the network, and because the nonce changes with each challenge, a captured hash cannot simply be replayed.

Like basic authentication, digest authentication uses user names and passwords from a domain. Although it is more secure on the wire than basic authentication, the server must be able to recompute the hash, so each account must store its password with reversible encryption (the Store Password Using Reversible Encryption account option in Active Directory). That is effectively plaintext storage, which makes digest authentication a compromise rather than an ideal solution. Digest authentication is less widely supported by third-party Web browsers than basic authentication, but more widely supported than Integrated Windows authentication.

Digest authentication is appropriate for use in extranets, where Web browser requirements are easy to enforce and medium-level security is appropriate.
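The exchange described above, as an added example that is not part of the lesson or of IIS: both sides of an RFC 2617 digest exchange with qop="auth", the same computation IIS digest authentication performs. The realm, account names and passwords are hypothetical; `server_verify` shows why the server side needs the plaintext password (or an equivalent stored hash) and why a fresh nonce per challenge matters.

```python
"""RFC 2617 Digest authentication, client and server sides (added example)."""
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The one-way value the client sends: MD5(HA1:nonce:nc:cnonce:qop:HA2), with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).
    The password itself never appears on the wire."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_challenge(realm: str) -> dict:
    """Server side: the fields of the WWW-Authenticate: Digest header.
    A fresh random nonce per challenge makes a captured response useless for replay."""
    return {"realm": realm, "nonce": secrets.token_hex(16),
            "qop": "auth", "opaque": secrets.token_hex(8)}


def client_authorize(username, password, challenge, method, uri,
                     cnonce=None, nc="00000001") -> dict:
    """Client side: the fields of the Authorization: Digest header."""
    cnonce = cnonce or secrets.token_hex(4)
    return {
        "username": username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
        "nc": nc, "cnonce": cnonce, "opaque": challenge["opaque"],
        "response": digest_response(username, challenge["realm"], password,
                                    method, uri, challenge["nonce"], nc,
                                    cnonce, challenge["qop"]),
    }


def server_verify(auth: dict, method: str, issued_nonce: str, password_store: dict) -> bool:
    """Server side. Recomputing HA1 requires the account's plaintext password (or a
    stored HA1), which is why IIS digest authentication needs accounts whose
    passwords are stored with reversible encryption."""
    if not hmac.compare_digest(auth.get("nonce", ""), issued_nonce):
        return False                      # stale, forged or replayed nonce
    password = password_store.get(auth.get("username"))
    if password is None:
        return False
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               auth["uri"], auth["nonce"], auth["nc"],
                               auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


def demo_exchange() -> bool:
    """One complete round trip against a constructed (hypothetical) account store."""
    password_store = {"jsmith": "P@ssw0rd!"}      # plaintext, as the lesson warns
    challenge = server_challenge("intranet.example.com")
    auth = client_authorize("jsmith", "P@ssw0rd!", challenge, "GET", "/members/index.htm")
    return server_verify(auth, "GET", challenge["nonce"], password_store)


if __name__ == "__main__":
    print("authenticated:", demo_exchange())
```

`digest_response` reproduces the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), which is a convenient known-answer check. Note that the response also binds the HTTP method and URI, so a captured Authorization header cannot be reused for a different resource even with the same nonce.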

Integrated Windows Authentication

Integrated Windows authentication is more secure than basic or digest authentication. It uses the Windows security protocols: Kerberos when client and server are both Windows 2000 domain members and the browser is Internet Explorer 5 or later, and NTLM challenge/response otherwise. In neither case does the password cross the network. If the user is logged on and using Internet Explorer 2.0 or later, an authenticated connection is established without prompting for logon information. If the user is not logged on or is using a different browser, the server prompts for a user name and password.

Integrated Windows authentication relies on Internet Explorer, and because the NTLM exchange is tied to a single TCP connection it does not work through HTTP proxies. It is therefore best suited to intranets where all clients are members of the domain.

Certificates

Certificate-based authentication is appropriate for extranets or members-only sites where security is a strong concern. It relies on public-key cryptography rather than a shared password, so no password crosses the network where it could be intercepted. It is also easier to control the distribution of certificates than to control who might have overheard a Web site password. The Secure Sockets Layer (SSL) protocol provides a way to exchange certificates and establish an encrypted channel for HTTP connections. It is typically used to present a server certificate, authenticating the Web site to the browser and enabling encryption. SSL also supports client certificates, which IIS can map to user accounts to authenticate users on a site. The SSL features of IIS are explained in Lesson 3 of this chapter.

Configuring Web Authentication

You can configure the authentication settings of IIS using the Internet Information Services management console. You can enable a single method or several methods. When a request needs authentication, IIS returns a 401 response that carries one WWW-Authenticate header for each enabled method, and the browser uses the most secure method it supports; Internet Explorer prefers Integrated Windows authentication, then digest, then basic. If the client supports none of the offered methods, the request fails with a 401 error.

To configure authentication methods, open the Properties dialog box for a server, Web site, or virtual directory. Click the Directory Security tab, and then click Edit in the Anonymous Access And Authentication Control area of the tab. This opens the Authentication Methods dialog box. In this dialog box, clear the Anonymous Access check box to require authentication for the current resource.

The bottom portion of the dialog box allows you to enable basic authentication, digest authentication, and Integrated Windows authentication. A warning is displayed when you enable basic authentication (passwords are sent in cleartext) or digest authentication (passwords must be stored with reversible encryption).
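The negotiation between what IIS offers and what the browser picks, as an added example that is not part of the lesson or of IIS: the code parses the WWW-Authenticate headers from a 401 response, selects the strongest scheme a client supports, and flags the configuration choices this lesson warns about. The 401 response, host name and nonce are constructed in the shape IIS 5.0 produces when all methods are enabled (Integrated Windows authentication appears as both Negotiate and NTLM), not captured from a real server.

```python
"""Scheme selection from an IIS 401 challenge, plus a configuration audit (added example)."""

# Strongest first. IIS 5.0 advertises Integrated Windows authentication as
# Negotiate (Kerberos or NTLM via SPNEGO) and as plain NTLM.
RANK = {"negotiate": 4, "ntlm": 3, "digest": 2, "basic": 1}


def parse_challenges(raw_response: bytes) -> list:
    """Return the schemes offered, in header order, from a raw HTTP 401 response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    schemes = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(None, 1)[0].rstrip(","))
    return schemes


def choose_scheme(offered, client_supported):
    """The browser's choice: the strongest offered scheme it also supports, or None."""
    supported = {s.lower() for s in client_supported}
    candidates = [s for s in offered if s.lower() in supported and s.lower() in RANK]
    return max(candidates, key=lambda s: RANK[s.lower()]) if candidates else None


def audit_challenge(offered, over_ssl: bool) -> list:
    """Findings a reviewer would raise about what a site advertises."""
    lower = {s.lower() for s in offered}
    findings = []
    if "basic" in lower and not over_ssl:
        findings.append("Basic offered without SSL: passwords cross the network "
                        "Base64-encoded, which is cleartext to a sniffer")
    if "digest" in lower:
        findings.append("Digest offered: the accounts used must store passwords "
                        "with reversible encryption")
    if lower and lower <= {"negotiate", "ntlm"}:
        findings.append("Only Integrated Windows authentication offered: clients "
                        "without NTLM or Kerberos, or behind an HTTP proxy, cannot log on")
    return findings


# Constructed 401 (hypothetical realm and nonce) with all four methods enabled.
SAMPLE_401 = (
    b"HTTP/1.1 401 Access Denied\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b'WWW-Authenticate: Digest qop="auth", realm="intranet.example.com", nonce="0123456789abcdef"\r\n'
    b'WWW-Authenticate: Basic realm="intranet.example.com"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    offered = parse_challenges(SAMPLE_401)
    print("offered:", offered)
    print("IE on the intranet picks:", choose_scheme(offered, {"Negotiate", "NTLM", "Digest", "Basic"}))
    print("a Basic-only browser picks:", choose_scheme(offered, {"Basic"}))
    for finding in audit_challenge(offered, over_ssl=False):
        print("finding:", finding)
```

The audit is the check worth running against a public site after the exercises in this lesson: if Basic appears in the list and the site is not on SSL, every logon from a browser that lacks the stronger methods exposes a domain password.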

You can enable SSL authentication using the Secure Communications property dialog box, described in Lesson 3.

Practice: Selecting Authentication Methods

In this practice, you configure anonymous access and authentication methods for an IIS Web site. You can use the default Web site on a new installation of IIS for this practice.

Exercise 1: Configuring Anonymous Access

In this exercise, you configure and manage anonymous access for an IIS Web site.

To enable anonymous access for a site

  1. From the Administrative Tools menu, choose Internet Services Manager. The Internet Information Services management console appears.

  2. Open the server (DC01) container in the console tree, and select Default Web site. The components of the Web site are displayed.

  3. From the Action menu, choose Properties. The Web Site Properties dialog box appears.

  4. Click the Directory Security tab to display the Directory Security properties.

  5. Click Edit in the Anonymous Access And Authentication Control area. The Authentication Methods dialog box is displayed, as shown in Figure 12.6.

    Figure 12-6. Authentication Methods dialog box

  6. Select the Anonymous Access check box, and click OK.

  7. Click OK to close the Properties dialog box.

    This enables anonymous access to the Web site. User authentication is not used.

To change the anonymous access user account

  1. In the Internet Information Services management console, select Default Web Site in the console tree.

  2. From the Action menu, choose Properties. The Web Site Properties dialog box is displayed.

  3. Click the Directory Security tab.

  4. Click Edit in the Anonymous Access And Authentication Control area. The Authentication Methods dialog box is displayed.

  5. Click Edit in the Anonymous Access area. The Anonymous User Account dialog box is displayed.

  6. Click Browse. The Select User dialog box is displayed, as shown in Figure 12.7. This dialog box contains a list of user accounts and their associated folders.

    Figure 12-7. Selecting an anonymous user account

  7. Select IUSR_DC01 from the user account list.

  8. Click OK, and then click OK in the Anonymous User Account dialog box.

  9. Click OK in the Authentication Methods dialog box, and then click OK to close the Properties dialog box.

Exercise 2: Configuring Authentication Methods

In this exercise, you select and configure IIS authentication methods to allow authorized users to access a Web site.

To select authentication methods

  1. In the Internet Information Services management console, select Default Web Site in the console tree, and choose Properties from the Action menu.

  2. Click the Directory Security tab.

  3. Click Edit in the Anonymous Access And Authentication Control area to open the Authentication Methods dialog box.

  4. Select the Digest Authentication For Windows Domain Servers check box. A warning message is displayed, indicating that digest authentication works with Windows 2000 domain accounts only and that passwords are stored as encrypted clear text.

  5. Click Yes to enable digest authentication.

    Digest Authentication is now enabled in the Authentication Methods dialog box, as shown in Figure 12.8.

    Figure 12-8. Digest authentication is enabled

  6. Click OK to close the Authentication Methods dialog box.

  7. Click OK to close the Properties dialog box.

    You have now enabled digest authentication.

To configure basic authentication

  1. In the Internet Information Services management console, select Default Web Site in the console tree, and choose Properties from the Action menu.

  2. Click the Directory Security tab.

  3. Click Edit in the Anonymous Access And Authentication Control area to open the Authentication Methods dialog box.

  4. Select the Basic Authentication check box. A warning about plaintext passwords is displayed, as shown in Figure 12.9.

    Figure 12-9. Enabling basic authentication

  5. Click Yes to continue.

  6. Click Edit next to the Basic Authentication check box. The Basic Authentication Domain dialog box is displayed, as shown in Figure 12.10.

    Figure 12-10. Selecting a basic authentication domain

  7. Type Domain in the Domain Name box, and click OK.

  8. Click OK to close the Authentication Methods dialog box.

  9. Click OK to close the Properties dialog box.

    You have now enabled basic authentication. On a public server, disable basic and digest authentication unless clients require them, and if basic authentication must remain enabled, require SSL for the resources it protects so that passwords are not sent in the clear.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. Which are the two least secure authentication methods?

  2. Which authentication method uses Windows user accounts?

  3. Which authentication method supports client and server certificates?

  4. Which dialog box includes options to enable authentication methods and anonymous access?

  5. For which IIS resources can you select authentication methods?

Lesson Summary

  • You can configure anonymous access to a Web site. IIS uses a user account to access resources requested by anonymous users. You can change the user account or use different accounts for different resources, and manage the files the accounts can access with NTFS permissions.

  • Basic authentication is an HTTP 1.0 standard for simple authentication. It sends plaintext passwords over the network and is vulnerable to network interception, so it should be used only when security needs are minimal.

  • Digest authentication is an HTTP 1.1 standard that sends a one-way hash of the user name, password, and a server-supplied nonce instead of the password itself. Because the password is not sent over the network, it is more secure than basic authentication, but it requires accounts whose passwords are stored with reversible encryption.

  • Integrated Windows authentication uses domain user names and passwords to authenticate users. For users using Internet Explorer 2.0 or later on Windows clients logged on to the domain, Integrated Windows authentication does not prompt for a user name and password.

  • You can enable and configure these authentication methods using the Authentication Methods properties, available from the Directory Security tab in the Properties dialog box for a Web site or virtual directory.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82
