Exam Essentials




Understand how to identify the key issues for designing IIS security. Pay attention to the services required, the privacy requirements for the information (meaning what forms of encryption you should use), content update issues, and the authentication methods available. You will also want to pay attention to the location of the server on the network (internal, perimeter network) and how the firewall will affect your choices of content update and authentication methods.

Remember that client certificate authentication requires SSL. Before you can map certificates to user accounts, you need to enable SSL on your web server. You will then need to generate certificates for each user and map those certificates to the corresponding Windows user accounts.

Know when to use basic, digest, integrated Windows, and Microsoft .NET Passport authentication. Basic authentication passes the user’s password as clear text, so it requires another means of encrypting the credential exchange. This method enjoys the most widespread support in browsers. Digest authentication requires Active Directory and is supported in most browsers that use HTTP 1.1. It hashes the password and sends the hash over the network to be validated by the server, so it protects the password without requiring SSL or another means of encryption. Integrated Windows authentication is supported by Internet Explorer. It supports NTLM and Kerberos v5 as authentication mechanisms and gives clients a secure way to authenticate within the domain. This option works best for intranets and maintains a single logon. Microsoft .NET Passport authentication provides a single logon for the Internet or between different networks. It is appropriate for large sites on the Internet that want a single logon, or for providing a single logon across multiple organizations.
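The following is an added example, not code from the study guide, that shows the difference the text draws between basic and digest authentication by performing each exchange's computation. Basic only Base64-encodes `username:password`, so anyone who can read the header recovers the password; digest sends an RFC 2617 MD5 response over a server-issued nonce, so the password itself never crosses the wire and a captured response cannot be replayed once the nonce is spent. The `DigestVerifier` class, the realm name and the sample accounts are assumptions constructed for the example; the simplified one-time-nonce handling is not how IIS itself tracks nonces.

```python
import base64
import hashlib
import secrets

# Added example (not from the study guide): the two credential exchanges
# described in the text, reduced to the arithmetic each one performs.

def basic_authorization_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic_header(header: str) -> tuple[str, str]:
    """Anyone who can read the header recovers the password: Base64 is encoding,
    not encryption, which is why Basic needs SSL (or similar) underneath."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password

def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()  # RFC 2617 specifies MD5

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side of the exchange (constructed for this example). The server
    must be able to recompute HA1, which is why IIS Digest depends on the
    credential store in Active Directory. Nonces are one-time use here so a
    captured response cannot simply be replayed."""

    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        self.users = users                      # constructed sample accounts
        self.issued_nonces: set[str] = set()

    def challenge(self) -> str:
        """Issue a fresh nonce, as the WWW-Authenticate: Digest header would."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.issued_nonces:
            return False                        # unknown or already-used nonce
        self.issued_nonces.discard(nonce)
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password,
                                   method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)

if __name__ == "__main__":
    hdr = basic_authorization_header("alice", "s3cret")
    print(hdr, "->", decode_basic_header(hdr))          # password visible on the wire
    server = DigestVerifier("intranet.example", {"alice": "s3cret"})
    nonce = server.challenge()
    resp = digest_response("alice", "intranet.example", "s3cret",
                           "GET", "/secure/", nonce, "00000001", "0a4f113b")
    print("digest accepted:", server.verify("alice", "GET", "/secure/",
                                            nonce, "00000001", "0a4f113b", resp))
    print("replay accepted:", server.verify("alice", "GET", "/secure/",
                                            nonce, "00000001", "0a4f113b", resp))
```

The `digest_response` function reproduces the worked example in RFC 2617 exactly, which is a convenient way to check an implementation. Note that MD5 is what the digest scheme specifies, not a recommendation for new designs; the exam point is only that the hash, not the password, is what travels over the network.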

Identify when you would use forms-based, certificate, or RADIUS authentication. Forms-based authentication is best used for web applications that validate users against a database, a third-party LDAP server, or even an XML file. This option provides the best integration into your website and gives you the most flexibility. Certificate authentication provides a mechanism for authenticating users that is extremely difficult to forge. Certificates are usually appropriate for partner authentication and extranets when you have a PKI in place. RADIUS authentication lets IIS authenticate clients against RADIUS servers, which gives you flexible sources of user accounts against which to authenticate the clients.

Understand the options for logging access to the server. You can enable protocol logging to gain the most information about traffic to the server. You may also enable auditing and use the event log to monitor resource access and the exercise of user rights.
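Protocol logging only helps if someone reads the log, so here is an added example, not from the study guide, of what reviewing an IIS 6 W3C Extended log looks like in practice: it parses the `#Fields:` directive to name each column, then picks out clients with repeated 401 responses, the resources that drew access denials, and the requests made under an authenticated account. The log lines are constructed for the example (a few requests against a fictitious intranet server), as are the `threshold` parameter and the three report functions.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS 6 W3C Extended format; not a real server's log.
# IIS replaces spaces inside a field (such as the User-Agent) with '+', so
# whitespace splitting is safe for this format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 08:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status sc-substatus cs(User-Agent)
2004-03-01 08:00:01 10.0.0.5 - 80 GET /default.htm - 200 0 Mozilla/4.0
2004-03-01 08:00:02 10.0.0.9 - 80 GET /secure/ - 401 2 Mozilla/4.0
2004-03-01 08:00:03 10.0.0.9 - 80 GET /secure/ - 401 1 Mozilla/4.0
2004-03-01 08:00:04 10.0.0.9 - 80 GET /secure/ - 401 1 Mozilla/4.0
2004-03-01 08:00:05 10.0.0.9 - 80 GET /secure/ - 401 1 Mozilla/4.0
2004-03-01 08:00:06 10.0.0.9 CORP\\alice 80 GET /secure/ - 200 0 Mozilla/4.0
2004-03-01 08:00:07 10.0.0.7 - 443 POST /orders/submit.aspx - 200 0 Mozilla/4.0
2004-03-01 08:00:08 10.0.0.7 - 443 GET /admin/ - 403 0 Mozilla/4.0
"""

def parse_w3c_log(text: str) -> list[dict[str, str]]:
    """Turn W3C Extended log text into one dict per request, keyed by the
    column names declared in the #Fields directive. '-' marks an empty field."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # column names
            continue                                       # other directives
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records

def failed_logons_by_client(records, threshold: int = 3) -> dict[str, int]:
    """Clients that received at least `threshold` 401 responses; a burst from
    one address is the pattern worth checking against the security event log."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"] == "401")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def denied_resources(records) -> dict[str, list[str]]:
    """Which URLs drew 401/403 responses, and from which clients."""
    out = defaultdict(set)
    for r in records:
        if r["sc-status"] in ("401", "403"):
            out[r["cs-uri-stem"]].add(r["c-ip"])
    return {uri: sorted(ips) for uri, ips in out.items()}

def authenticated_requests(records) -> list[tuple[str, str]]:
    """(account, URL) pairs for requests that carried an authenticated user;
    these are the entries to correlate with NTFS audit events."""
    return [(r["cs-username"], r["cs-uri-stem"]) for r in records
            if r["cs-username"] != "-"]

if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    print("requests parsed:", len(recs))
    print("repeated 401s by client:", failed_logons_by_client(recs))
    print("denied resources:", denied_resources(recs))
    print("authenticated requests:", authenticated_requests(recs))
```

Because the parser reads the column layout from `#Fields:`, it keeps working when a different set of W3C fields is enabled in the site's logging properties, as long as the fields the report functions reference are among them.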

Remember to install only the services that you need. You will need to determine what the applications require and install only the necessary services. You will also need to determine what extensions you will enable or prohibit for a website.

Identify what issues will occur when the content of the server is updated. You need to understand the network infrastructure around the web server and how it affects updating content. You will also need to identify the security and application requirements for the update process.

Remember that IIS 6 supports URL authorization that will give you role-based control over resources. You can use Authentication Manager to authorize access to URLs on the website to groups or users. This is less granular than using NTFS to authorize user access to web content. This in essence supports role-based authentication to web applications.






MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
