IIS Authentication Methods

Would everyone who got a chuckle out of the alleged backdoor in Microsoft Web servers please stand up? I admit I laughed, too. I was driving to work that Friday morning when I first heard the news that a backdoor into Microsoft Web servers defiled Netscape engineers. The conversation in my carpool immediately turned to the ongoing problems between Microsoft and the Department of Justice (DOJ). We surmised that there would be a flurry of phone calls between individual states and the DOJ that morning.

However, it didn't take long before I realized that I was going to have a long and difficult morning ahead of me. As soon as I got to work, I was busy identifying which of the servers I'm responsible for actually contained the backdoor file dvwssr.dll. After the smoke cleared, the office was buzzing with which versions and add-on packages contained the DLL.

In light of this problem, I thought that this would be the perfect time to review some of the new authentication methods Windows 2000 and IIS 5.0 offer over Windows NT 4.0 and IIS 4.0. There isn't much new to report in the Anonymous and Basic authentication methods. The authentication formerly known as Windows NT Challenge/Response (also called NT LAN Manager—NTLM) is now simply called Integrated Windows authentication in IIS 5.0. This method still doesn't work across proxy servers—an ongoing source of difficulty in IIS 4.0. Microsoft alleviates that shortcoming in IIS 5.0 with two new authentication methods.

Microsoft calls the first method Digest authentication. Digest authentication requires that the IIS 5.0 server also be a Win2K domain controller. It also requires that you use Internet Explorer (IE) 5.0 as your browser. While Digest authentication is loosely based on the popular Message Digest 5 (MD5) algorithm, it's intended merely as a preferable alternative to IIS's Basic authentication and the transmission of clear-text passwords. Digest authentication encrypts client-supplied passwords in compatible browsers, but it doesn't encrypt the content and data in the same way as Secure Sockets Layer (SSL). Digest authentication's encryption methods aren't as strong or as resistant to attack as SSL's, but it also doesn't have the strict export restrictions. Digest authentication is well documented in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2069. Unlike Integrated Windows authentication, Digest authentication works across proxy servers and firewalls. If you are interested in setting up Digest authentication, see the Microsoft article "Setting Up Digest Authentication for Use with Internet Information Services 5.0".
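As an added illustration (not code from this article or from IIS), the sketch below contrasts a Basic header with an RFC 2069 Digest header and shows the check a server performs on the Digest response. The user, realm, password, nonce, URI and function names are constructed for the example.

```python
import base64, hashlib, hmac, re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_header(user, password):
    # Basic: credentials are only base64-encoded, so they are recoverable on the wire.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2069: response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def digest_header(user, realm, password, method, uri, nonce):
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def verify_digest(header, method, request_uri, issued_nonce, lookup_password):
    # Server side: recompute the response from the stored secret and compare.
    scheme, _, rest = header.partition(" ")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    needed = ("username", "realm", "nonce", "uri", "response")
    if scheme.lower() != "digest" or any(k not in fields for k in needed):
        return False
    # Reject a nonce this server did not issue, or a header bound to another URI.
    if fields["nonce"] != issued_nonce or fields["uri"] != request_uri:
        return False
    password = lookup_password(fields["username"], fields["realm"])
    if password is None:
        return False
    expected = digest_response(fields["username"], fields["realm"], password,
                               method, request_uri, issued_nonce)
    return hmac.compare_digest(expected.encode(), fields["response"].encode())

# Constructed sample values, not taken from the article.
USERS = {("alice", "example-realm"): "S3cret-constructed"}
NONCE = "constructed-nonce-0001"
URI = "/reports/q1.html"

def lookup(user, realm):
    return USERS.get((user, realm))

if __name__ == "__main__":
    print(basic_header("alice", "S3cret-constructed"))
    hdr = digest_header("alice", "example-realm", "S3cret-constructed", "GET", URI, NONCE)
    print(hdr, verify_digest(hdr, "GET", URI, NONCE, lookup))
```

Because the server recomputes the hash, it needs either the password or the MD5(user:realm:password) value available to it.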

The second addition to IIS 5.0 is an older standard known as Fortezza. Many government facilities and the military still use Fortezza. The National Security Agency developed and actually holds a registered trademark on the name. The standard's ancestry dates back to the Rainbow series of books released in 1983, which yielded Microsoft its orange book C2 rating for NT. Implementing Fortezza often involves smart cards and special PC cards. Microsoft and Netscape have incorporated Fortezza into some of their client/server products, including Microsoft Exchange Server, Microsoft Outlook, and Netscape Navigator.

Note that Microsoft doesn't actually provide Fortezza in Win2K. Microsoft implements Fortezza as an add-on Cryptographic Service Provider (CSP). Other companies providing Fortezza products include Mykotronx and Litronic. There is also an official Fortezza Web site.

The Fortezza specification includes a Law Enforcement Access Field (LEAF), which is somewhat controversial (as we've seen with the cross-country debate about the Clipper chip). Note that the LEAF isn't installed into IIS until you install Fortezza, a non-Microsoft product. If you're considering using Fortezza, I encourage you to first consider Bruce Schneier's comments on Fortezza in his book "Applied Cryptography: Protocols, Algorithms, and Source Code in C" (John Wiley & Sons, 1996, 593-594).
