Internet Information Server 6.0
PowerPoint Slideshow about 'Internet Information Server 6.0' - lareina
overview
Overview
  • What’s New in IIS 6.0?
  • Built-in Accounts and IIS 6.0
  • IIS Pass-Through Authentication
  • Securing Web Traffic
  • How Microsoft Passport Works
  • Configuration file and the .NET Framework
  • Lab: Securing Web Application Sites in IIS 6.0
  • Lab Discussion
  • Best Practices
iis 6 architecture
IIS 6 Architecture
[Diagram: HTTP.SYS runs in kernel mode; the Web Admin Service and the Worker Process (W3 Core hosting the web app) run in user mode]
authentication scenario
Authentication Scenario
[Diagram: Web Browser on the Internet, through a Web Proxy and Firewall, to IIS 5.0 in the DMZ, which talks to SQL Server and Active Directory]
anonymous authentication
Anonymous Authentication
[Diagram, steps 1-3: Web Browser sends GET dbquery.asp HTTP/1.1 to IIS 5.0; IIS 5.0 connects to SQL Server with SQL authentication and runs SELECT * FROM table; Web Proxy, Firewall and Active Directory as in the scenario above]
anonymous authentication1
Anonymous Authentication
  • Resource access as the anonymous user (IUSR_<machinename>)
  • Process identity: LocalSystem or IWAM_<machinename>
  • Anonymous user is completely configurable
  • Process identity is configurable through COM+
    • You have to trade security against performance
basic authentication
Basic Authentication
[Diagram, steps 1-6: Web Browser sends GET dbquery.asp HTTP/1.1; IIS 5.0 replies 401 Unauthorized with WWW-Authenticate: Basic realm="spoon"; the browser resends with Authorization: "Basic" Base64 encoded user/pw; IIS 5.0 performs Windows authentication via LogonUser("user1", "pw") against Active Directory, then accesses SQL Server; Firewall and Proxy sit between browser and IIS]
basic authentication1
Basic Authentication
  • Process identity: IWAM or LocalSystem
  • Resource access as authenticated user
  • Pros
    • Least common denominator
      • All HTTP clients support basic auth
    • Supports one hop delegation
  • Cons
    • Clear text password (Base64 Encoded)
      • Over the wire
      • On the server
      • Needs to be protected via SSL
digest authentication
Digest Authentication
[Diagram, steps 1-6: Web Browser sends GET dbquery.asp HTTP/1.1; IIS 5.0 replies 401 Unauthorized with WWW-Authenticate: "Digest" challenge; the browser resends with Authorization: "Digest" response; IIS 5.0 calls CheckCredentials("user1", "digesthash") against Active Directory, then connects to SQL Server with SQL authentication and runs SELECT * FROM table WHERE user='user1'; Firewall and Proxy sit between browser and IIS]
digest authentication1
Digest Authentication
  • Pros
    • No clear text password over the wire
    • Works through proxies
    • Password is not known to IIS
  • Cons
    • Medium security
    • Internet Explorer 5 and higher
    • No delegation
    • Requires Active Directory
      • Password in AD (reversible encryption)
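The Basic and Digest exchanges drawn on the two preceding slides, as an added Python example that is not part of the original deck: it builds the Basic header and shows that anyone on the path can undo the Base64 encoding, then computes and verifies an RFC 2617 Digest response (no qop) to show that only a hash crosses the wire while the verifier still needs HA1 or the clear-text password. The realm "spoon", user1/pw and dbquery.asp come from the slides; the nonce is constructed.

```python
import base64
import hashlib
import secrets

# Constructed sample values; "spoon" is the realm on the slide, user1/pw the slide's credentials.
REALM, USER, PASSWORD = "spoon", "user1", "pw"


def basic_authorization(user, password):
    """Client side: the header the browser sends after the 401 Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def recover_basic_credentials(header):
    """What any proxy or sniffer on the path can do with that header: Base64 is encoding, not encryption."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """Client side of RFC 2617 Digest without qop: MD5(HA1:nonce:HA2). Only this hash crosses the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1, nonce, method, uri, response):
    """Server side: recomputes the response from HA1, so the verifier needs HA1 or the clear-text
    password to derive it (the slide's 'reversible encryption' in AD); the password itself never transits."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo():
    """Run both exchanges for the slide's GET dbquery.asp with a constructed nonce."""
    header = basic_authorization(USER, PASSWORD)
    nonce = secrets.token_hex(8)
    resp = digest_response(USER, REALM, PASSWORD, nonce, "GET", "/dbquery.asp")
    ok = digest_verify(_md5(f"{USER}:{REALM}:{PASSWORD}"), nonce, "GET", "/dbquery.asp", resp)
    return recover_basic_credentials(header), ok
```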
windows integrated authentication
Windows Integrated Authentication
  • Security Support Provider Interface (SSPI)-based
  • NTLM or Kerberos
  • IIS asks the client what protocol it supports
  • Protocol can be enforced
    • NTAuthenticationProviders
      • Negotiate
      • NTLM
      • Kerberos
ntlm authentication
NTLM Authentication
[Diagram, steps 1-3: Web Browser sends GET dbquery.asp HTTP/1.1; IIS 5.0 replies 401 Unauthorized with WWW-Authenticate: "NTLM" challenge; the browser resends with Authorization: "NTLM" response; Firewall, Proxy, Active Directory and SQL Server as in the earlier scenario]
ntlm authentication1
NTLM Authentication
[Diagram, steps 1-7, message sequence between Web Browser and IIS 5.0:]
1. GET dbquery.asp HTTP/1.1
2. HTTP/1.1 401 Unauthorized / WWW-Authenticate: NTLM
3. HTTP GET dbquery.asp HTTP/1.1 / Authorization: NTLM {…} / Connection: Keep-Alive
4. HTTP/1.1 401 Access Denied / WWW-Authenticate: NTLM {…} / Connection: Keep-Alive
5. HTTP GET dbquery.asp HTTP/1.1 / Authorization: NTLM {hashed challenge} / Connection: Keep-Alive
[IIS 5.0 then validates against Active Directory, impersonates the SecurityContext, and performs SQL Login / COM+ with SELECT * FROM table WHERE user='user1' against SQL Server]
ntlm authentication2
NTLM Authentication
  • Pros
    • Works out-of-the-box
    • Provides automatic logon/no logon dialog box
  • Cons
    • Enterprise only – does not work through Proxy Servers (keep-alive connection required)
    • No delegation
    • Configured to be compatible with older clients
kerberos authentication
Kerberos Authentication
[Diagram, steps 1-3: 1. HTTP GET dbquery.asp HTTP/1.1 from Web Browser to IIS 5.0; 2. HTTP/1.1 401 Unauthorized / WWW-Authenticate: Negotiate, Kerberos; 3. Kerberos Session Ticket Request from the browser to Active Directory; Firewall, Proxy and SQL Server as in the earlier scenario]
kerberos authentication1
Kerberos Authentication
[Diagram, steps 1-6, between Web Browser, Active Directory, IIS 5.0 and SQL Server:]
1. HTTP GET dbquery.asp HTTP/1.1
2. HTTP/1.1 401 Unauthorized / WWW-Authenticate: Negotiate, NTLM
3. Kerberos Session Ticket Request
4. Kerberos Session Ticket Response
5. HTTP GET dbquery.asp HTTP/1.1 (IIS 5.0 performs NT Authentication and impersonates the SecurityContext)
6. Delegation to SQL Server
kerberos authentication2
Kerberos Authentication
  • Strong, scalable, fast, supports delegation
  • Limited client support
    • Internet Explorer 5 and Windows 2000
  • Issues
    • DC has to be client accessible
    • Service Principal Name
      • Domain Administrator needs to be involved
    • Delegation needs to be enabled
      • Unconstrained!
  • Setup
    • Best description in “Designing Secure Web-Based Applications”
client certificate authentication handshake phase
Client Certificate Authentication: Handshake Phase
[Diagram, steps 1-5 between Web Browser and IIS 5.0: 1. Client Hello; 2. Server Hello with certificate and crypto parameters; 3. Client response with certificate and crypto parameters; 4. Client finish; 5. Server finish; Firewall, Proxy, Active Directory and SQL Server as in the earlier scenario]
client certificate authentication iis mapping
Client Certificate Authentication: IIS Mapping
[Diagram, steps 1-5: Web Browser sends HTTPS GET dbquery.asp HTTP/1.1; IIS 5.0 maps the client certificate to a Windows account and calls LogonUser("user1", "pw") for NT Authentication against Active Directory, then accesses SQL Server]
client certificate authentication active directory mapping
Client Certificate Authentication: Active Directory Mapping
[Diagram, steps 1-3: Web Browser sends HTTPS GET dbquery.asp HTTP/1.1; SCHANNEL performs UPN Mapping or AD Mapping against Active Directory; IIS 5.0 then performs SQL Login / COM+ with SELECT * FROM table WHERE user='user1' against SQL Server]
client certificate authentication
Client Certificate Authentication
  • Pros
    • Very secure
    • Flexible
    • Integrity, confidentiality
  • Cons
    • Higher management costs for PKI
    • Usability
    • Scalability and performance
access control flow
Access Control Flow
  • Is IP address permitted?
  • Is user permitted?
    • Valid credentials
    • Account restrictions
      • Time, Lockout, Password expired, Privileges
  • Does IIS allow access?
  • Does NTFS allow access?
how microsoft passport works
How Microsoft Passport Works
[Diagram between Client, Website.msft and Passport.com:]
1. The client requests a page from the host
2. The site redirects the client to Passport.com
3. The client logs on to Passport.com
4. Passport returns a cookie with ticket information
5. The client accesses the host with ticket information
6. The host returns a Web form and possibly a new cookie that it can read and write
configuration files and the net framework
Configuration Files and the .NET Framework
  • The Web server has a Web.config file for ASP.NET Web application settings
  • Each ASP.NET Web application also has its own Web.config file
  • Within the Web.config file, you can control access to individual pages or the entire Web site:

    <location path="ShoppingCart.aspx">
      <system.web>
        <authorization>
          <!-- "?" stands for anonymous (unauthenticated) users -->
          <deny users="?" />
        </authorization>
      </system.web>
    </location>

best practices
Best Practices
  • Use Run As... never log on as an Administrator
  • Disable NetBIOS
  • Do not put Web files on C:
  • Use the highest level of authentication you can, based on the clients used
  • Always encrypt sensitive information using SSL or IPSec
  • Always use SSL when using basic authentication
  • Do not issue a request for a certificate on a production server
  • Never leave certificates on the server
  • Use the Auto Update feature
  • Use URLScan
  • Do not install the Resource Kit on a production server