
Internet Information Server 6.0




Presentation Transcript


  1. Internet Information Server 6.0

  2. Overview • What’s New in IIS 6.0? • Built-in Accounts and IIS 6.0 • IIS Pass-Through Authentication • Securing Web Traffic • How Microsoft Passport Works • Configuration file and the .NET Framework • Lab: Securing Web Application Sites in IIS 6.0 • Lab Discussion • Best Practices

  3. IIS 6 Architecture (diagram) • Kernel mode: HTTP.SYS receives and queues requests • User mode: Web Admin Service; worker process hosting the W3 core and the web application

  4. Choosing an Isolation Mode

  5. What’s New in IIS 6.0?

  6. Built-in Accounts and IIS 6.0

  7. Authentication Scenario (diagram) • Web Browser → Internet → Web Proxy → Firewall → DMZ: IIS 5.0 → SQL Server and Active Directory on the internal network

  8. Anonymous Authentication (flow) • 1) Browser: GET dbquery.asp HTTP/1.1 • 2) IIS 5.0 serves the request under the anonymous account; no challenge is sent • 3) IIS → SQL Server: SQL authentication, SELECT * FROM table

  9. Anonymous Authentication • Resource access as the anonymous user (IUSR_<machinename>) • Process identity: LocalSystem or IWAM_<machinename> (in IIS 6.0 worker process isolation mode the default application pool identity is Network Service) • The anonymous user account is fully configurable • Process identity is configurable through COM+ • Trade-off: security versus performance

  10. Basic Authentication (flow) • 1) Browser: GET dbquery.asp HTTP/1.1 • 2) IIS 5.0: 401 Unauthorized, WWW-Authenticate: Basic realm="spoon" • 3) Browser resends with Authorization: Basic <Base64-encoded user:password> • 4) IIS calls LogonUser("user1", "pw") • 5) Windows authentication against Active Directory • 6) Request runs as user1 against SQL Server

  11. Basic Authentication • Process identity: IWAM or LocalSystem • Resource access as the authenticated user • Pros • Least common denominator: all HTTP clients support Basic auth • Supports one-hop delegation (IIS holds the password and can log on to the back end as the user) • Cons • Clear-text password (only Base64 encoded) • Exposed over the wire and on the server • Must be protected with SSL

  12. Digest Authentication (flow) • 1) Browser: GET dbquery.asp HTTP/1.1 • 2) IIS 5.0: 401 Unauthorized, WWW-Authenticate: Digest challenge • 3) Browser resends with Authorization: Digest response • 4) IIS: CheckCredentials("user1", "digesthash") against Active Directory • 5) IIS → SQL Server: SQL authentication, SELECT * FROM table WHERE user='user1' • 6) Response to the browser

  13. Digest Authentication • Pros • No clear-text password over the wire • Works through proxies • Password is not known to IIS • Cons • Moderately secure (MD5 challenge/response; offline guessing of weak passwords is still possible) • Internet Explorer 5 and higher only • No delegation • Requires Active Directory • Password stored in AD with reversible encryption (IIS 6.0 Advanced Digest on Windows Server 2003 uses a pre-computed hash instead)
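The two exchanges on slides 10 and 12, worked on both sides. This is an added example, not code from the original slides: it builds the Authorization headers a browser sends for Basic and Digest and shows what the server, or anyone on the wire, learns from each. The realm "spoon", user "user1", password "pw" and the nonces are constructed for the example.

```python
"""HTTP Basic and Digest authentication, both sides of the exchange.

Added example, not code from the original slides: it builds the Authorization
headers a browser sends in the Basic (slides 10-11) and Digest (slides 12-13)
exchanges and shows what the server, or anyone on the wire, learns from each.
Realm "spoon", user "user1", password "pw" and the nonces are constructed.
"""
import base64
import hashlib
import hmac
import os
import re


# --- Basic (RFC 2617 section 2) ---------------------------------------------

def basic_authorization_header(user: str, password: str) -> str:
    """Authorization: Basic <base64(user:password)>, exactly as a browser sends it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_basic_header(header: str) -> tuple:
    """What a proxy, a sniffer or the server recovers from that header.
    Base64 is an encoding, not encryption: the password comes back verbatim,
    which is why the slide insists on SSL for Basic."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- Digest (RFC 2617 section 3, algorithm MD5, qop="auth") -----------------

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server needs HA1 (or the clear-text
    password to derive it), never the password itself during the exchange."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_authorization_header(user, realm, password, method, uri, nonce,
                                nc="00000001", cnonce=None) -> str:
    """Client side: answer the server's challenge (realm, nonce) without ever
    putting the password on the wire."""
    cnonce = cnonce or os.urandom(8).hex()
    response = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {k: quoted or bare
            for k, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def server_verify_digest(header: str, method: str, ha1_by_user: dict, issued_nonce: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare.
    ha1_by_user stands in for the directory lookup IIS does ("CheckCredentials"
    on slide 12); IIS 5 needed the reversibly encrypted password in AD to derive it."""
    p = parse_digest_header(header)
    if p.get("nonce") != issued_nonce or p.get("qop") != "auth":
        return False  # foreign or replayed nonce, or a qop we do not support
    ha1 = ha1_by_user.get(p.get("username", ""))
    if ha1 is None:
        return False
    try:
        expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    except KeyError:
        return False  # malformed header
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    hdr = basic_authorization_header("user1", "pw")
    print(hdr, "->", credentials_from_basic_header(hdr))
    nonce = os.urandom(16).hex()  # constructed server challenge
    store = {"user1": digest_ha1("user1", "spoon", "pw")}
    client = digest_authorization_header("user1", "spoon", "pw", "GET", "/dbquery.asp", nonce)
    print(client)
    print("digest ok:", server_verify_digest(client, "GET", store, nonce))
```

The Basic half makes the slide's "clear text (Base64 encoded)" point concrete: anything that sees the header has the password. The Digest half shows the other side of the trade: the password never crosses the wire, but the server must hold HA1 or be able to reconstruct it, which is exactly why the slide lists reversible encryption in AD as a cost. Digest still offers no delegation, because HA1 cannot be turned into credentials for a back-end hop.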

  14. Windows Integrated Authentication • Security Support Provider Interface (SSPI)-based • NTLM or Kerberos • IIS advertises the providers it supports and the client picks one • The provider can be enforced with the NTAuthenticationProviders metabase property • Negotiate (selects Kerberos when both sides support it, otherwise falls back to NTLM) • NTLM • Kerberos

  15. NTLM Authentication (flow, summary) • 1) Browser: GET dbquery.asp HTTP/1.1 • 2) IIS 5.0: 401 Unauthorized, WWW-Authenticate: NTLM challenge • 3) Browser: Authorization: NTLM response

  16. NTLM Authentication (flow, detail) • 1) Browser: GET dbquery.asp HTTP/1.1 • 2) IIS 5.0: HTTP/1.1 401 Unauthorized, WWW-Authenticate: NTLM • 3) Browser: GET dbquery.asp HTTP/1.1, Authorization: NTLM {…}, Connection: Keep-Alive • 4) IIS: HTTP/1.1 401 Access Denied, WWW-Authenticate: NTLM {…}, Connection: Keep-Alive • 5) Browser: GET dbquery.asp HTTP/1.1, Authorization: NTLM {hashed challenge}, Connection: Keep-Alive • 6) IIS validates the response with Active Directory and impersonates the security context • 7) SQL Login / COM+: SELECT * FROM table WHERE user='user1'

  17. NTLM Authentication • Pros • Works out of the box • Automatic logon, no logon dialog box • Cons • Enterprise only: does not work through proxy servers (the handshake needs a single keep-alive connection) • No delegation • Usually configured for compatibility with older clients, which weakens it

  18. Kerberos Authentication (flow, summary) • 1) Browser: GET dbquery.asp HTTP/1.1 • 2) IIS 5.0: HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate (NTLM is offered alongside) • 3) Browser requests a Kerberos session ticket for the web server from Active Directory

  19. Kerberos Authentication (flow, detail) • 1) Browser: GET dbquery.asp HTTP/1.1 • 2) IIS 5.0: HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate, WWW-Authenticate: NTLM • 3) Browser → Active Directory: Kerberos session ticket request • 4) Active Directory → Browser: Kerberos session ticket response • 5) Browser: GET dbquery.asp HTTP/1.1 with the ticket; IIS validates it (NT authentication) and impersonates the security context • 6) Delegation: IIS accesses SQL Server as the user

  20. Kerberos Authentication • Strong, scalable, fast, supports delegation • Limited client support: Internet Explorer 5 on Windows 2000 • Issues • The domain controller has to be reachable by the client • A Service Principal Name must be registered for the web server • A domain administrator needs to be involved • Delegation needs to be enabled, and in this setup it is unconstrained (Windows Server 2003 adds constrained delegation) • Setup: best description in "Designing Secure Web-Based Applications"

  21. Client Certificate Authentication, handshake phase (flow) • 1) Browser: Client Hello • 2) IIS 5.0: Server Hello with server certificate and crypto parameters • 3) Browser: client response with client certificate and crypto parameters • 4) Client Finished • 5) Server Finished

  22. Client Certificate Authentication, IIS mapping (flow) • 1) Browser: HTTPS GET dbquery.asp HTTP/1.1 • 2) IIS 5.0 maps the client certificate to a Windows account stored in the metabase • 3) IIS calls LogonUser("user1", "pw") with the stored credentials • 4) NT authentication against Active Directory • 5) Request runs as the mapped user

  23. Client Certificate Authentication, Active Directory mapping (flow) • 1) Browser: HTTPS GET dbquery.asp HTTP/1.1 • 2) SCHANNEL maps the certificate to the account via UPN mapping or explicit AD mapping • 3) SQL Login / COM+: SELECT * FROM table WHERE user='user1'

  24. Client Certificate Authentication • Pros • Very secure • Flexible • Integrity, confidentiality • Cons • Higher management costs for PKI • Usability • Scalability and performance

  25. Authentication Grid

  26. Access Control Flow • Is IP address permitted? • Is user permitted? • Valid credentials • Account restrictions • Time, Lockout, Password expired, Privileges • Does IIS allow access? • Does NTFS allow access?

  27. IIS Pass-Through Authentication

  28. How Microsoft Passport Works (participants: Client, Website.msft, Passport.com) • 1) The client requests a page from the host • 2) The site redirects the client to Passport.com • 3) The client logs on to Passport.com • 4) Passport returns a cookie with ticket information • 5) The client accesses the host with the ticket information • 6) The host returns a Web form and possibly a new cookie that it can read and write

  29. Configuration Files and the .NET Framework • The Web server has a Web.config file for ASP.NET Web application settings • Each ASP.NET Web application also has its own Web.config file • Within the Web.config file, you can control access to individual pages or the entire Web site: <location path="ShoppingCart.aspx"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location>
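How the `<location>`/`<authorization>` fragment on the slide is actually evaluated, as an added example that is not part of the original slides and is not ASP.NET's own code. It is a small model of the rule semantics the fragment relies on: rules are checked in order and the first match wins, `?` is the anonymous user, `*` is everyone, `<location>` rules are considered before the site-wide rules, and the machine-level default is `<allow users="*"/>`. The Web.config it parses is constructed for the example (the `Admin` location is added to show a role rule).

```python
"""ASP.NET URL authorization: how <allow>/<deny> rules in Web.config decide access.

Added example, not code from the original slides or from ASP.NET itself. It is a
small model of the semantics the slide's <location>/<authorization> fragment
relies on: rules are evaluated in order and the first match wins, "?" means the
anonymous user, "*" means everyone, <location> rules are considered before the
site-wide rules, and the machine-level default is <allow users="*"/>. The
Web.config below is constructed for the example.
"""
import xml.etree.ElementTree as ET

WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- the slide's rule: anonymous users may not reach the shopping cart -->
  <location path="ShoppingCart.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <!-- an admin directory: members of a role only, everyone else denied -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _split(attr):
    """'a, b' -> {'a', 'b'}; names compare case-insensitively in ASP.NET."""
    return {x.strip().lower() for x in (attr or "").split(",") if x.strip()}


def _rules(system_web):
    """Return [(action, users, roles), ...] from one <authorization> section."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(el.tag, _split(el.get("users")), _split(el.get("roles")))
            for el in auth if el.tag in ("allow", "deny")]


def load_rules(xml_text):
    """Parse the site-wide rules and the per-<location> rules."""
    root = ET.fromstring(xml_text)
    site = _rules(root.find("system.web"))
    locations = {loc.get("path"): _rules(loc.find("system.web"))
                 for loc in root.findall("location")}
    return site, locations


def _matches(rule, user, roles):
    _, users, rule_roles = rule
    if "*" in users:
        return True
    if "?" in users and user is None:
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(rule_roles & roles)


def is_authorized(config, path, user, roles=()):
    """user=None models an anonymous request; path is relative to the application."""
    site, locations = config
    p = path.lower()
    applicable = [(len(loc), rules) for loc, rules in locations.items()
                  if p == loc.lower() or p.startswith(loc.lower().rstrip("/") + "/")]
    # most specific <location> first, then the site-wide <authorization>
    ordered = [r for _, rs in sorted(applicable, key=lambda t: -t[0]) for r in rs] + site
    roles = {r.lower() for r in roles}
    for rule in ordered:
        if _matches(rule, user, roles):
            return rule[0] == "allow"
    return True  # nothing matched: machine.config's <allow users="*"/> applies


if __name__ == "__main__":
    cfg = load_rules(WEB_CONFIG)
    for path, user, roles in [("ShoppingCart.aspx", None, ()), ("ShoppingCart.aspx", "DOMAIN\\user1", ()),
                              ("Admin/Users.aspx", "DOMAIN\\user1", ()), ("Admin/Users.aspx", "DOMAIN\\ops", ("Administrators",))]:
        print(path, user or "(anonymous)", "->", "allow" if is_authorized(cfg, path, user, roles) else "deny")
```

Two things the model makes visible that the slide does not: `<deny users="?"/>` on its own only blocks anonymous requests, so it must be paired with an IIS authentication method that actually produces an identity (Windows Integrated, Basic, client certificates) or with Forms authentication; and rule order is decisive, so an `<allow users="*"/>` placed above a `<deny>` silently neutralises it. One IIS 6.0 caveat a practitioner should keep in mind: these rules are enforced by ASP.NET, so in IIS 6.0 they only cover extensions mapped to the ASP.NET ISAPI (.aspx, .asmx and so on); static files such as .html or .pdf in the same directory are served by IIS directly and are protected only by IIS and NTFS permissions.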

  30. Best Practices • Use Run As... rather than logging on as an Administrator • Disable NetBIOS • Do not put Web content on the system drive (C:) • Use the strongest authentication method the clients you serve support • Always encrypt sensitive information in transit with SSL or IPSec • Always use SSL with Basic authentication • Do not generate a certificate request on a production server • Never leave certificate files lying on the server • Use the Auto Update feature • Use URLScan • Do not install the Resource Kit on a production server
