Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
1 Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP

2 Agenda
- Internet Explorer Security
- Internet Information Systems Security
- Secure Case Studies
- Questions?
The purpose of this talk is to provoke thought and show you what is possible.

3 Basic Security Principles
- Security covers:
  - Authentication
  - Access Control
  - Privacy
  - Data Integrity
  - Monitoring
  - Non-repudiation

4 Internet Explorer Security

5 Security Features of IE4
- SSL
- Zones
- Java™ Sandbox
- AuthentiCode™ 2.0
- Cookie warnings

6 Secure Sockets Layer 3.0
- SSL provides secure communication between a client and server by using:
  - Server and (optionally) client certificates (authentication)
  - Symmetric key cryptography (bulk encryption)
  - Public key cryptography (transferring session keys)
  - Message digests (integrity)

7 Internet Explorer 4.0
- Uses SSL to provide support for the HTTPS protocol
  - HTTP over SSL
- Internet Explorer can store:
  - Certificate authority root certificates
  - Client certificates
  - If a server requires a client certificate and you have more than one, IE will ask you which one you want to use

8 Internet Explorer 4.0 Innovation: Security Zones
- Goals: convenience, protection, and manageability
  - Avoid multiple messages to the user (authorization fatigue)
  - Protect against risk when browsing untrusted sites
  - Administration support
- Solution: security zones
  - Divide Web space into multiple security zones
  - Administrator or user sets the security policy

9 Security Zones Overview
- Includes 4 default zones
  - Internet
  - Local Intranet
  - Trusted Web sites
  - Restricted sites
- Sites can be added to existing zones
- Simplified settings
  - High/Medium/Low
- Custom settings allowed

10 Configuring Zones
- Access to files, ActiveX™ Controls, and scripts
- The level of capabilities given to Java applets
- Whether sites must be identified with SSL authentication
- Form submission protection
- Password protection

11 Capabilities-based Security: Increasing Java's Horsepower Safely
- Java applet/component sandboxing
- Digital signing of all components
- Granular capabilities
- Integration with Zones
- Simplified user model:
  - Low trust: applet-level capabilities; limited scratch space
  - Medium trust: user-directed file I/O; printing
  - High trust: full read/write/execute; full native code access; flexible net/subnet permissions

12 Using ActiveX Controls with Zones
- For the web to be a viable application platform, components need special access
- Use zones to differentiate capabilities
- Differentiate between "Safe for Scripting" and "Unsafe for Scripting"

13 Authenticode 2.0
- Second-generation code authentication
  - Digital signing
- New support for time stamping
- New capabilities for certificate revocation now enabled
- Built in to IE 4.0

14 Internet Information Server Security

15 WWW Service Security
- Authentication
  - Anonymous
  - Basic
  - Password-authenticated Windows NT® user access
  - SSL 3.0 client certificates
  - Custom

16 Authentication Models
- Anonymous
  - Mapped onto the IUSR_machinename account
  - Guest account
- Basic
  - Base64-encoded username/password (encoding, not encryption)
- NTLM
  - Uses Windows NT network authentication (challenge/response)
  - No password is sent over the network
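As an added example (not part of the deck), a Python sketch of the difference between the Basic and NTLM models on this slide: a Basic header is only Base64-encoded, so anyone who sees the request without SSL recovers the credentials, whereas a challenge/response login never puts the password on the wire. The challenge/response below is a simplified HMAC scheme assumed for illustration, not the real NTLM message format.

```python
import base64
import hashlib
import hmac
import secrets

# --- Basic authentication: what the browser puts in the Authorization header ---

def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value for Basic auth (base64 of user:pass)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def basic_credentials(header: str) -> tuple[str, str]:
    """Recover username and password from a Basic header: it is encoding, not
    encryption, so anything that sees the request (no SSL) sees both values."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw

# --- Challenge/response: simplified stand-in for NTLM, not the real protocol ---

def password_verifier(password: str) -> bytes:
    """Server-side secret derived from the password (in the spirit of an NT hash).
    It is password-equivalent: whoever steals it can answer challenges, so the
    account database needs the same protection as the passwords themselves."""
    return hashlib.sha256(password.encode()).digest()

def client_response(password: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the password without transmitting it."""
    return hmac.new(password_verifier(password), nonce, hashlib.sha256).digest()

class ChallengeResponseServer:
    def __init__(self, verifiers: dict[str, bytes]):
        self.verifiers = verifiers          # username -> password_verifier(...)
        self.pending: dict[str, bytes] = {}  # outstanding challenge per user

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)     # fresh per login: a response cannot be replayed
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)  # each challenge is answered once
        verifier = self.verifiers.get(username)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(server: ChallengeResponseServer, username: str, password: str) -> bool:
    """Full exchange: server challenge -> client response -> server verdict."""
    nonce = server.challenge(username)
    return server.verify(username, client_response(password, nonce))
```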

17 IIS4 and SSL
- IIS supports SSL
  - And hence HTTPS
- IIS supports client authentication certificates
  - Client certificates can be used to validate users and optionally map them onto Windows NT accounts
- SSL support in IIS is incredibly flexible and granular

18 IIS Security Settings

Authentication   SSL      Process model     Scenario
Anonymous        No SSL   In-process        Internet
NTLM             No SSL   In-process        Intranet
Client Cert      SSL      In-process        Extranet
Anonymous        No SSL   Out-of-process    Internet
Anonymous        SSL      In-process        Secure Internet
NTLM             No SSL   In-process        Admin-Intranet

19 From Soup to Nuts: Some Examples

20 Each Example
- Start with a base and consider:
  - Authentication
  - Access Control
  - Privacy
  - Data Integrity
  - Monitoring
  - Non-repudiation
- Give a report card on each!

21 A Simple Scenario
- Intranet
- Using Windows NT
  - Therefore using NTLM authentication
  - Very secure authentication
  - Requires no extra work in Internet Explorer
  - Set "Requires Windows NT Challenge Response" in Internet Information Server

22 A Simple Scenario
- Report Card
  - Authentication (very good)
  - Access Control (very good, use ACLs)
  - Privacy (poor)
  - Data Integrity (poor)
  - Monitoring (good, use logging)
  - Non-repudiation (very poor)

23 A Simple Scenario
- To strengthen the simple scenario
  - Use SSL
  - Requires a server certificate
- New report card
  - Privacy (very good to excellent)
  - Data Integrity (excellent)

24 An Internet Scenario
- Various clients
- Using a firewall
- Report Card
  - Authentication (poor to good)
  - Access Control (very good, use ACLs)
  - Privacy (poor)
  - Data Integrity (poor)
  - Monitoring (good, use logging)
  - Non-repudiation (very poor)

25 An Internet Scenario
- To strengthen this scenario
  - Use SSL
  - Requires a server certificate
  - Use Basic auth over SSL
- New report card
  - Privacy (very good to excellent)
  - Data Integrity (excellent)

26 An Internet Scenario
- To strengthen the scenario more
  - Require client certificates
- New report card
  - Privacy (very good to excellent)
  - Data Integrity (excellent)
  - Non-repudiation (fair)
- Overhead in issuing client certs
- Great Extranet solution when used with Certificate Server

27 Certificate Server 1.0
- Creates X.509 v3 certificates for:
  - Internet Explorer
  - Internet Information Server
  - Outlook Express
  - Navigator
  - Enterprise Server
