Using the Directory Security properties of IIS, as shown in Figure 9.12, you can designate the authentication method(s) employed for the site as well as its SSL usage parameters, and even restrict which IP addresses and domains will have access to the file resources of the site.
Administrators who assign permissions to files and directories in the file system (rather than leaving the default Everyone/Full Control NTFS permissions in place) will undoubtedly agree that proper file and directory permissioning is an extremely tedious process. After the permissions on the directories have been assigned, access control is governed by membership in NT security groups.
In large distributed environments, this process becomes even more tedious; the engineers, architects, and developers creating these solution architectures are often dependent upon another group to bring their work into reality. Such an environment requires detailed planning, many hours in a laboratory environment, and, of course, excellent documentation.
An alternative to this is to spend time in the laboratory creating a script, which, upon completion, can be easily sent to anyone in the enterprise and executed using the procedure you refined in the lab.
When it comes to IIS, there is an extremely tight coupling between NTFS permissions and the IIS authentication method used to verify user credentials. Any developer expecting a flawless implementation of their latest Web application should carefully consider creating an IIS deployment package. By combining a CACLS script with the authentication control features in ADSI, implementation of a new Web application becomes more reliable and significantly less tedious.
As shown in Figure 9.13, IIS provides a graphical user interface within the Internet Service Manager to manipulate the authentication methods used for a resource. Using the AuthAnonymous, AuthBasic, AuthNTLM, and AuthFlags properties, you can programmatically manipulate the authentication method configuration.
Using these properties, you can enable multiple authentication methods for any given resource. When anonymous access is enabled, IIS will try to use the anonymous account before attempting to use client credentials. If the anonymous account is not authorized to access the requested resource and basic authentication is enabled on the resource, IIS will prompt the user to enter a set of credentials authorized to access the resource.
Using NTLM, if the client's installation of Internet Explorer is configured to supply credentials automatically, the user's credentials will automatically be examined to determine whether they will allow access to the resource. If not, the user is prompted for a set of credentials authorized to access the resource.
Note
In environments where either Internet Explorer or Netscape Navigator (or another browser) is used, you should enable both the basic and NTLM authentication methods when securing a resource to ensure compatibility with all major browser types. By default, Internet Explorer will attempt NTLM authentication before prompting the user for credentials to be sent using the basic authentication method.
To find which authentication method is in place for a particular resource, use the following Visual Basic code:
```vb
Dim Resource As IADs
Dim ServerName As String
Dim SiteIndex As Long

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value

' Bind to the root of the Web site through the IIS ADSI provider
Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

Debug.Print "Authentication Methods for " & Resource.AdsPath & ":"
Debug.Print ""
Debug.Print "Anonymous Access:" & vbTab & vbTab & Resource.AuthAnonymous
If Resource.AuthAnonymous = True Then
    Debug.Print vbTab & "Anonymous User Account Name:" & vbTab & vbTab & vbTab & vbTab & _
        Resource.AnonymousUsername
    Debug.Print vbTab & "Anonymous User Account Password:" & vbTab & vbTab & vbTab & _
        Resource.AnonymousUserPass
    Debug.Print vbTab & "Anonymous User Password Synchronization:" & vbTab & _
        Resource.AnonymousPasswordSync
End If
Debug.Print "Basic Authentication:" & vbTab & Resource.AuthBasic
If Resource.AuthBasic = True Then
    Debug.Print vbTab & "Default Authentication Domain: " & vbTab & vbTab & vbTab & vbTab & _
        Resource.DefaultLogonDomain
End If
Debug.Print "NTLM Authentication:" & vbTab & Resource.AuthNTLM
```
To use anonymous access for a directory, you must also assign a username and password to be used to access the directory. To do this, you can modify the AnonymousUserName, AnonymousUserPass, and AnonymousPasswordSync properties, as shown in Figure 9.14.
To allow anonymous access for a given resource, use the following Visual Basic code:
```vb
Dim Resource As IADs
Dim ServerName As String
Dim SiteIndex As Long
Dim EnableAnonymousAccess As Boolean
Dim AnonUserName As String
Dim AnonUserPassword As String
Dim AnonPasswordSync As Boolean

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value
EnableAnonymousAccess = True
AnonUserName = "Username_for_Anonymous_Access"
AnonUserPassword = "Password_for_Anonymous_Access_Account"
AnonPasswordSync = True

Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

Resource.AuthAnonymous = EnableAnonymousAccess
Resource.AnonymousUsername = AnonUserName
Resource.AnonymousUserPass = AnonUserPassword
Resource.AnonymousPasswordSync = AnonPasswordSync
' Nothing is written to the metabase until SetInfo is called
Resource.SetInfo
```
If you must allow non-Microsoft browsers to view your site, you have no choice but to use basic authentication to secure the site. In this authentication method, the password is passed across the wire in clear text (Base64-encoded, not encrypted), making this a poor choice for any high-security site unless SSL is used in conjunction with the basic authentication method.
As shown in Figure 9.15, in this authentication method, you can define the default domain used for authentication if the user does not specify the domain associated with the user account. Programmatically, the default domain is set using the DefaultLogonDomain property.
To enable basic authentication for a given resource, use the following Visual Basic code:
```vb
Dim Resource As IADs
Dim ServerName As String
Dim SiteIndex As Long
Dim EnableBasicAuth As Boolean
Dim DefaultLogonDomain As String

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value
EnableBasicAuth = True
DefaultLogonDomain = "Domain_Used_for_Authentication"

Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

Resource.AuthBasic = EnableBasicAuth
' Domain used when the user omits one from the supplied credentials
Resource.DefaultLogonDomain = DefaultLogonDomain
Resource.SetInfo
```
If your enterprise has chosen Internet Explorer as the browser of choice for the organization, you should implement the NTLM authentication method for all intranet sites. In addition to eliminating the need to transmit the password across the wire in clear text, NTLM authentication also allows credentials to be presented without user intervention.
To enable the use of the NTLM authentication method for a given resource, use the following Visual Basic code:
```vb
Dim Resource As IADs
Dim ServerName As String
Dim SiteIndex As Long
Dim EnableNTLMAuth As Boolean

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value
EnableNTLMAuth = True

Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

Resource.AuthNTLM = EnableNTLMAuth
Resource.SetInfo
```
After installing an SSL certificate using Key Manager, you can assign the key to various resources and define the client authentication behavior using programmatic methods, as shown in Figure 9.16.
Among these options, you can require that a particular site accepts requests only across a secure channel. Additionally, you can specify that all requests to a resource are restricted to 128-bit encryption.
If clients have X.509 certificates, IIS can map NT usernames to the client certificate to assure the identity of the user. To map users to X.509 certificates, you must perform this action in the MMC. Although you cannot easily map user accounts to X.509 certificates using ADSI, you can specify the default behavior (accept, deny, require) of client certificates for the resource, as shown in Figure 9.17.
Using the following Visual Basic code, each SSL property for a given resource can be displayed:
```vb
Dim Resource As IADs
Dim ServerName As String
Dim SiteIndex As Long

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value

Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

Debug.Print "Require SSL:" & vbTab & vbTab & vbTab & vbTab & vbTab & vbTab & vbTab & _
    Resource.AccessSSL
Debug.Print "Require 128-bit SSL:" & vbTab & vbTab & vbTab & vbTab & vbTab & _
    Resource.AccessSSL128
Debug.Print "Map Client Certificates to NT UserIDs:" & vbTab & vbTab & _
    Resource.AccessSSLMapCert
Debug.Print "Negotiate Client Certificates:" & vbTab & vbTab & vbTab & _
    Resource.AccessSSLNegotiateCert
Debug.Print "Require Client Certificates:" & vbTab & vbTab & vbTab & vbTab & _
    Resource.AccessSSLRequireCert
```
Using the following Visual Basic code, each available SSL property is manipulated:
```vb
Dim Resource As IADs
Dim ServerName As String
Dim SiteIndex As Long

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value

Set Resource = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

' Each property corresponds to one setting in the ISM dialog (see Table 9.5)
Resource.AccessSSL = True
Resource.AccessSSL128 = True
Resource.AccessSSLMapCert = True
Resource.AccessSSLNegotiateCert = True
Resource.AccessSSLRequireCert = True
Resource.SetInfo
```
To re-create the behavior of the ISM dialog box, use Table 9.5.
| ISM Setting | Property Assignments |
|---|---|
| Require secure channel when accessing this resource | AccessSSL = True |
| Require 128-bit encryption | AccessSSL128 = True |
| Do not accept client certificates | AccessSSLNegotiateCert = False |
| Accept certificates | AccessSSLNegotiateCert = True |
| Require client certificates | AccessSSL = True, AccessSSLNegotiateCert = True, AccessSSLRequireCert = True |
| Enable client certificate mapping | AccessSSLMapCert = True |
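The authentication and SSL properties above can be checked offline against the rules the text states (basic authentication without SSL, the Table 9.5 dependencies for client certificates, anonymous password synchronization). The following Python is an added example and is not code from the book: it reads the same metabase property names the Visual Basic listings use from a plain dictionary that stands in for the `IIS://server/W3SVC/n/ROOT` object, so it runs without IIS or ADSI. The AuthFlags bit values (1 = anonymous, 2 = basic, 4 = NTLM) are the IIS metabase constants MD_AUTH_ANONYMOUS, MD_AUTH_BASIC and MD_AUTH_NT; the sample resources and the `audit_resource` checks are constructed for this example.

```python
"""Offline audit of IIS authentication and SSL metabase properties.

Added example, not code from the book. A dict stands in for the
IIS://server/W3SVC/n/ROOT object so the checks run without IIS.
"""

# AuthFlags bit values from the IIS metabase headers (iiscnfg.h):
# MD_AUTH_ANONYMOUS, MD_AUTH_BASIC, MD_AUTH_NT.
AUTH_ANONYMOUS = 1
AUTH_BASIC = 2
AUTH_NTLM = 4


def decode_auth_flags(flags):
    """Split the AuthFlags bitmask into the AuthAnonymous/AuthBasic/AuthNTLM booleans."""
    return {
        "AuthAnonymous": bool(flags & AUTH_ANONYMOUS),
        "AuthBasic": bool(flags & AUTH_BASIC),
        "AuthNTLM": bool(flags & AUTH_NTLM),
    }


def encode_auth_flags(anonymous, basic, ntlm):
    """Inverse of decode_auth_flags: build the AuthFlags value to write with SetInfo."""
    flags = 0
    if anonymous:
        flags |= AUTH_ANONYMOUS
    if basic:
        flags |= AUTH_BASIC
    if ntlm:
        flags |= AUTH_NTLM
    return flags


def audit_resource(props):
    """Return a list of findings for one resource's property dict.

    Each check follows a rule stated in the text or in Table 9.5.
    """
    findings = []
    auth = decode_auth_flags(props.get("AuthFlags", 0))
    ssl_required = bool(props.get("AccessSSL", False))

    # Basic authentication sends the password in clear text unless SSL is required.
    if auth["AuthBasic"] and not ssl_required:
        findings.append("AuthBasic enabled without AccessSSL: credentials cross the wire in clear text")

    # With AnonymousPasswordSync off, IIS logs on with the stored password,
    # which must then be kept in step with the account by hand.
    if auth["AuthAnonymous"] and not props.get("AnonymousPasswordSync", True):
        findings.append("AuthAnonymous enabled with AnonymousPasswordSync off: stored password must match the account manually")

    # Table 9.5: requiring client certificates also needs AccessSSL and AccessSSLNegotiateCert.
    if props.get("AccessSSLRequireCert", False) and not (ssl_required and props.get("AccessSSLNegotiateCert", False)):
        findings.append("AccessSSLRequireCert set without AccessSSL and AccessSSLNegotiateCert (see Table 9.5)")

    # The 128-bit option in the ISM dialog only applies once a secure channel is required.
    if props.get("AccessSSL128", False) and not ssl_required:
        findings.append("AccessSSL128 set without AccessSSL: 128-bit requirement has no effect")

    return findings


# Constructed sample resources standing in for two site roots.
SAMPLE_RESOURCES = {
    "IIS://webserver1/W3SVC/1/ROOT": {
        "AuthFlags": encode_auth_flags(anonymous=True, basic=True, ntlm=False),
        "AnonymousPasswordSync": True,
        "AccessSSL": False,
    },
    "IIS://webserver1/W3SVC/2/ROOT": {
        "AuthFlags": encode_auth_flags(anonymous=False, basic=True, ntlm=True),
        "AccessSSL": True,
        "AccessSSL128": True,
        "AccessSSLNegotiateCert": True,
        "AccessSSLRequireCert": True,
    },
}


def audit_all(resources):
    """Map each ADsPath to its findings; a clean resource maps to an empty list."""
    return {path: audit_resource(props) for path, props in resources.items()}


if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE_RESOURCES).items():
        print(path, "-> OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

On a real server the dictionary would be filled from the same properties the Visual Basic listings read (`Resource.AuthFlags`, `Resource.AccessSSL`, and so on); the checks themselves do not depend on where the values came from.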
Using IP address restrictions, you can ensure that certain clients do not access a particular resource. To perform this task, you can configure IIS to reject any client whose IP address matches the address ranges configured in the IPSecurity property, as shown in Figure 9.18.
Although you can also configure IIS to limit access by DNS domain, Microsoft strongly advises against this access control method because reverse DNS lookup is required for each request. If at all possible, this method should be avoided to eliminate the significant performance penalties incurred by these queries.
IP security requires construction of an array of IP addresses that is then assigned to one of the properties of the IPSecurity object listed in Table 9.6.
| Property | Description |
|---|---|
| IPGrant | Array of IP addresses granted access, stored as a variant array of strings in the format "IPAddress, SubnetMask" |
| IPDeny | Array of IP addresses denied access, stored as a variant array of strings in the format "IPAddress, SubnetMask" |
| DomainGrant | Array of strings representing DNS domains granted access to resources |
| DomainDeny | Array of strings representing DNS domains denied access to resources |
To find the current IP address and DNS domain restrictions effective for a particular site, use the following Visual Basic code:
```vb
Dim Site As IADs
Dim ServerName As String
Dim SiteIndex As Long
Dim IPSecurity As Variant
Dim Entry As Variant

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value

Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")
Set IPSecurity = Site.IPSecurity

' GrantByDefault decides whether the lists below are exceptions to "allow" or to "deny"
If IPSecurity.GrantByDefault Then
    Debug.Print "All addresses will be allowed, except as follows:"
    For Each Entry In IPSecurity.IPDeny
        ' A 255.255.255.255 mask marks a single host rather than a subnet
        If InStr(1, Entry, "255.255.255.255") Then
            Debug.Print vbTab & "Denied IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
        Else
            Debug.Print vbTab & "Denied Subnet: " & vbTab & Entry
        End If
    Next
    For Each Entry In IPSecurity.DomainDeny
        Debug.Print vbTab & "Denied Domain: " & vbTab & Entry
    Next
Else
    Debug.Print "All addresses will be blocked, except as follows:"
    For Each Entry In IPSecurity.IPGrant
        If InStr(1, Entry, "255.255.255.255") Then
            Debug.Print vbTab & "Allowed IP: " & vbTab & vbTab & Replace(Entry, ", 255.255.255.255", "")
        Else
            Debug.Print vbTab & "Allowed Subnet: " & vbTab & Entry
        End If
    Next
    For Each Entry In IPSecurity.DomainGrant
        Debug.Print vbTab & "Allowed Domain: " & vbTab & Entry
    Next
End If
```
To create a new IP address or DNS domain restriction programmatically, use the following Visual Basic code:
```vb
Dim Site As IADs
Dim ServerName As String
Dim SiteIndex As Long
Dim IPSecurity As Variant
Dim IPAddress As String
Dim IPSubnet As String
Dim Domain As String
Dim ActionType As String

ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value
IPAddress = "xxx.xxx.xxx.xxx"
IPSubnet = "xxx.xxx.xxx.xxx"
Domain = "DNS_Domain.Name"

ActionType = "GRANTIP"
'ActionType = "GRANTSUBNET"
'ActionType = "GRANTDOMAIN"
'ActionType = "DENYIP"
'ActionType = "DENYSUBNET"
'ActionType = "DENYDOMAIN"

Set Site = GetObject("IIS://" & ServerName & "/W3SVC/" & SiteIndex & "/ROOT")

' Note that assigning a new array to IPGrant, IPDeny, DomainGrant or DomainDeny
' replaces any entries already stored in that list
Select Case ActionType
    Case "GRANTIP"
        Set IPSecurity = Site.IPSecurity
        IPSecurity.GrantByDefault = False
        Site.IPSecurity = IPSecurity
        Site.SetInfo
        IPSecurity.IPGrant = Array(IPAddress & ", 255.255.255.255")
        Site.IPSecurity = IPSecurity
        Site.SetInfo
    Case "GRANTSUBNET"
        Set IPSecurity = Site.IPSecurity
        IPSecurity.GrantByDefault = False
        IPSecurity.IPGrant = Array(IPAddress & ", " & IPSubnet)
        Site.IPSecurity = IPSecurity
        Site.SetInfo
    Case "GRANTDOMAIN"
        Set IPSecurity = Site.IPSecurity
        IPSecurity.GrantByDefault = False
        IPSecurity.DomainGrant = Array(Domain)
        Site.IPSecurity = IPSecurity
        Site.SetInfo
    Case "DENYIP"
        Set IPSecurity = Site.IPSecurity
        IPSecurity.GrantByDefault = True
        IPSecurity.IPDeny = Array(IPAddress & ", 255.255.255.255")
        Site.IPSecurity = IPSecurity
        Site.SetInfo
    Case "DENYSUBNET"
        Set IPSecurity = Site.IPSecurity
        IPSecurity.GrantByDefault = True
        IPSecurity.IPDeny = Array(IPAddress & ", " & IPSubnet)
        Site.IPSecurity = IPSecurity
        Site.SetInfo
    Case "DENYDOMAIN"
        Set IPSecurity = Site.IPSecurity
        IPSecurity.GrantByDefault = True
        IPSecurity.DomainDeny = Array(Domain)
        Site.IPSecurity = IPSecurity
        Site.SetInfo
End Select
```
Note
To set a new IP address restriction, simply uncomment the desired ActionType variable assignment and verify that all associated variables have been assigned.
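The two listings above read and write the IPSecurity lists but leave the evaluation itself to IIS. The following Python is an added example, not code from the book, that models that evaluation offline: it parses the "IPAddress, SubnetMask" entry format from Table 9.6, applies GrantByDefault the way the first listing interprets it (the listed addresses are the exceptions to the default), and shows how to append a restriction without overwriting the existing array, which a bare `Array(...)` assignment would do. The `IPSecurityModel` class is a constructed stand-in for the ADSI IPSecurity object, the sample entries are constructed, and the suffix match used for DomainGrant/DomainDeny entries is an assumption of this model rather than documented IIS behaviour; the reverse DNS lookup that domain restrictions require is left to the caller, which is where its per-request cost falls.

```python
"""Model of IIS IPSecurity evaluation (added example, not code from the book).

IPSecurityModel is a constructed stand-in for the ADSI IPSecurity object; the
domain suffix matching is an assumption of this model.
"""
import ipaddress


def parse_entry(entry):
    """Turn "10.1.2.3, 255.255.255.0" into a network (strict=False tolerates host bits)."""
    address, mask = (part.strip() for part in entry.split(",", 1))
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def format_entry(address, mask="255.255.255.255"):
    """Build an entry in the metabase format; a single host uses the all-ones mask."""
    return f"{address}, {mask}"


class IPSecurityModel:
    """Holds the same five properties the book's listings read and write."""

    def __init__(self, grant_by_default=True, ip_grant=(), ip_deny=(),
                 domain_grant=(), domain_deny=()):
        self.GrantByDefault = grant_by_default
        self.IPGrant = list(ip_grant)
        self.IPDeny = list(ip_deny)
        self.DomainGrant = list(domain_grant)
        self.DomainDeny = list(domain_deny)


def add_entry(model, list_name, entry):
    """Append one entry while keeping the existing ones.

    Assigning Array(...) to IPGrant/IPDeny replaces the whole list; to add a
    restriction without dropping earlier ones, extend the current array instead.
    """
    entries = getattr(model, list_name)
    if entry not in entries:
        entries.append(entry)
    return entries


def _domain_matches(hostname, domains):
    """Assumed semantics: a host matches an entry that equals it or is a parent domain."""
    host = hostname.lower().rstrip(".")
    for domain in domains:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def is_allowed(model, client_ip, client_hostname=None):
    """Decide access for one client.

    client_hostname is the result of the caller's reverse DNS lookup and is only
    consulted when domain entries exist.
    """
    addr = ipaddress.ip_address(client_ip)
    if model.GrantByDefault:
        ip_list, domain_list = model.IPDeny, model.DomainDeny
    else:
        ip_list, domain_list = model.IPGrant, model.DomainGrant
    listed = any(addr in parse_entry(entry) for entry in ip_list)
    if not listed and client_hostname and domain_list:
        listed = _domain_matches(client_hostname, domain_list)
    # Listed clients are the exceptions to the default behaviour.
    return (not listed) if model.GrantByDefault else listed


if __name__ == "__main__":
    # Constructed sample: allow everyone except one host and one subnet.
    model = IPSecurityModel(True, ip_deny=[format_entry("10.1.2.3"), "192.168.5.0, 255.255.255.0"])
    add_entry(model, "IPDeny", format_entry("10.9.9.9"))
    for ip in ("10.1.2.3", "10.1.2.4", "192.168.5.77", "10.9.9.9"):
        print(ip, "allowed" if is_allowed(model, ip) else "denied")
```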