Windows Web Solutions UPDATE--September 9, 2003
Windows & .NET Magazine Network
1. Commentary: IIS Application Authentication Security
2. Keeping Up with IIS
- Relocating Your IIS Default Installation Folders
3. Announcements
- Find Your Next Job at Our IT Career Center
- Are You Ready for Exchange 2003?
4. Resource
- Featured Thread: FTP Fix
5. Event
- New--Mobile & Wireless Road Show!
6. New and Improved
- Manage Projects with Free Online Tool
- Tell Us About a Hot Product and Get a T-Shirt!
7. Contact Us
- See this section for a list of ways to contact us.
==== 1. Commentary: IIS Application Authentication Security ====
by Tim Huckaby, [email protected]
In today's security-hysteria era, the fact that security is such a broad topic is unfortunate. We don't have a one-stop shopping center for learning security. Even the security experts I know concentrate on only one or two major security areas or levels.
One example of a security level is physical security, in which you lock servers and networking equipment in a room to avoid common access. For example, the government has its own version of the Internet, called the Secret Internet Protocol Routing Network (SIPRNET), in which all network infrastructures, including jacks and cabling, are physically separated from public access networks.
Many security levels exist. With network security, you use firewalls or routers to lock down protected resources, and software and hardware tools then monitor the network for suspicious activity. With OS security, you lock down access to files on a network, then grant or deny access to network resources through Group Policy. With application-component-level security, you apply permissions to one part (i.e., component) of a program so that only certain users or user groups can access that component. With application authentication security, you apply an authentication method such as Integrated Windows authentication to IIS so that users are authenticated through their Windows accounts. With authorization security, you apply ASP.NET's role-based security to define roles (e.g., administrator, manager, power user, editor, read-only) within an application. Considering how many levels there are, you can understand why IT professionals make security mistakes and frequently compromise resources, and why so many books are dedicated to each of these levels.
Today, I want to talk about the various levels of IIS application authentication security. In IIS 5.0, five basic types of authentication schemes exist: Anonymous, Basic, Digest, Integrated Windows authentication, and Client Certificate Mapping. In IIS 6.0, Microsoft offers the same five schemes and an additional one: .NET Passport.
Anonymous authentication is enabled by default. Many people assume that Anonymous authentication means no authentication takes place at all when users connect to a site. In fact, when IIS applies Anonymous authentication to a site, every user is authenticated under the same anonymous, proxied account.
Basic authentication is part of the HTTP 1.0 specification. In the case of IIS, the browser prompts for a username and password, then transmits both across HTTP encoded in Base64. Base64 is an encoding, not encryption, and is trivially reversible, so Basic authentication essentially sends the password across the wire in clear text, which is inherently insecure unless the connection is protected by SSL/TLS.
Digest authentication overcomes the primary weaknesses of Basic authentication and sends a digest--also known as a hash--instead of a password over the network. Digest authentication requires domain accounts for each user in Active Directory (AD) and supports Microsoft Internet Explorer (IE) 5.0 and later as a client.
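The contrast between the Basic and Digest schemes described above, as an added example that is not part of the original commentary: decoding a Basic Authorization header yields the password outright, while a Digest response (RFC 2617, computed here without the qop extension) carries only an MD5 hash of the credentials. The account name, password, realm and nonce are constructed sample values; the audit helper shows the check a log reviewer would apply.

```python
import base64
import hashlib

# Constructed sample credentials and server nonce (not real accounts).
USER, PASSWORD, REALM = "alice", "s3cret", "intranet.example"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def make_basic_authorization(user: str, password: str) -> str:
    """Build the header value a browser sends for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_authorization(header: str):
    """Recover username and password from an 'Authorization: Basic ...' value.
    Base64 is an encoding, not encryption: anyone who sees this header on an
    unencrypted connection sees the password. Returns None if not Basic."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 Digest response (no qop): the value on the wire is a hash.
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). The password itself never leaves the client."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def audit_authorization(header: str, over_tls: bool) -> str:
    """Classify an observed Authorization header the way a log review would."""
    scheme = header.split(" ", 1)[0].lower()
    if scheme == "basic" and not over_tls:
        return "HIGH: Basic credentials are reversible on the wire; require SSL/TLS"
    if scheme == "basic":
        return "OK: Basic credentials protected by SSL/TLS"
    if scheme == "digest":
        return "OK: Digest sends an MD5 hash, not the password"
    return "INFO: scheme " + scheme


if __name__ == "__main__":
    hdr = make_basic_authorization(USER, PASSWORD)
    print(hdr, "->", parse_basic_authorization(hdr), audit_authorization(hdr, False))
    print("Digest:", digest_response(USER, REALM, PASSWORD, "GET", "/dir/index.html", NONCE))
```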
Integrated Windows authentication--formerly known as Windows NT LAN Manager (NTLM) authentication and Windows NT Challenge/Response authentication--is enabled by default in IIS. Integrated Windows authentication can use either NTLM or Kerberos 5.0 authentication and works with IE 2.0 and later. If you use it in conjunction with Kerberos, Integrated Windows authentication enables delegation of security credentials, but it doesn't work through firewalls. Integrated Windows authentication is the best scheme for intranet environments that use Windows.
Client Certificate Mapping uses a client certificate and a public key. A certificate is a digitally signed statement that contains information about an entity and the entity's public key, thus binding together these two pieces of information. A trusted organization (or entity) called a Certification Authority (CA) issues the certificate after the CA verifies the entity's identity. Client Certificate Mapping provides a strong authentication mechanism, but it can't delegate security credentials, doesn't work with all browsers, and requires Secure Sockets Layer/Transport Layer Security (SSL/TLS).
Passport lets the IIS administrator map authentication against Passport accounts. This authentication mechanism provides easy access for millions of Passport users, but implementing Passport can be expensive and cumbersome. In a future commentary, I'll delve into the plumbing of the six authentication methods and broadly cover authorization. For more IIS authentication details, visit http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconiisauthentication.asp .
==== 2. Keeping Up with IIS ====
Relocating Your IIS Default Installation Folders
Click the following URL to find out how to change the default paths and folder names for IIS:
==== 3. Announcements ====
(from Windows & .NET Magazine and its partners)
Find Your Next Job at Our IT Career Center
Check out our new online career center in which you can browse current job openings, post your resume, and create automated notifications to notify you when a job is posted that meets your specifications. It's effective, it's private, and there's no charge. Visit today!
Are You Ready for Exchange 2003?
With enhanced performance and security and an improved infrastructure, Exchange 2003 is poised for takeoff. Join Windows & .NET Magazine and NetIQ for this free Web seminar, and discover which migration method makes the most sense, the best security and management practices, and much more. Register today!
==== 4. Resource ====
Featured Thread: FTP Fix
Forum member Gwiz is running FTP on his Windows 2000 Professional machine. When he connects and starts to browse in Microsoft Internet Explorer (IE) 6.0 and tries to run an .exe or .pdf file, an error page appears with Gwiz's username and part of his password. Gwiz wants to know whether he's missing a patch. To lend this forum member a helping hand, click the following URL:
==== 5. Event ====
(brought to you by Windows & .NET Magazine)
New--Mobile & Wireless Road Show!
Learn more about the wireless and mobility solutions that are available today! Register now for this free event!
==== 6. New and Improved ====
by Sue Cooper, [email protected]
Manage Projects with Free Online Tool
DeskShare released a free version of its Project Desk, a project-management Web service. After you sign up as project administrator, you can create an unlimited number of projects or tasks. You can add tasks, descriptions, and due dates. Report statistics show who is behind schedule, who is finished, and who might be overloaded with responsibilities. Administrators and team members can assign and update tasks, annotate their work, and view the progress of the project, in real time. The service sends automated email reminders about task due dates. Project Desk is free for as many as four users. To sign up, go to http://www.projectdesk.net .
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]
==== 7. Contact Us ====
About the commentary -- [email protected]
About the newsletter -- [email protected]
About technical questions -- http://www.winnetmag.net/forums
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]
Copyright 2003, Penton Media, Inc.