Slide 1: Internet Information Server 6.0
Slide 2: Overview
- What's New in IIS 6.0?
- Built-in Accounts and IIS 6.0
- IIS Pass-Through Authentication
- Securing Web Traffic
- How Microsoft Passport Works
- Configuration Files and the .NET Framework
- Lab: Securing Web Application Sites in IIS 6.0
- Lab Discussion
- Best Practices
Slide 3: IIS 6 Architecture (diagram)
Diagram labels: kernel mode: HTTP.SYS; user mode: Web Admin Service, and a Worker Process containing the W3 Core and the web app.
Slide 4: Choosing an Isolation Mode
Mode | Applications | Compatibility | Isolation
IIS 5.0 Isolation Mode | Run inside Inetinfo.exe; out-of-process applications run in separate DLL hosts | Ensures compatibility for most existing applications | Prevents one application or site from stopping another
Worker Process Isolation Mode | Run in an isolated environment | Applications must be written to run as multiple instances | Allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process
Slide 5: What's New in IIS 6.0?
Feature | IIS 4.0 | IIS 5.0 | IIS 6.0
Authentication | Anonymous, Basic (clear text), Windows NT Challenge/Response | Integrated, Digest | .NET Passport
.NET Passport | Not available | Available as a separate install | Fully integrated
Slide 6: Built-in Accounts and IIS 6.0
Account | Description
LocalSystem | A built-in account that has a high level of access rights. Avoid assigning LocalSystem as an application pool identity.
Network Service | A built-in IIS account with low privileges. Interacts throughout the network with the computer account. The default application pool identity (recommended).
Local Service | A built-in IIS account with the lowest privileges. Connects anonymously over the network. Use for local Web applications only.
IIS_WPG | An IIS group account; application pool identity accounts must be a member of this group.
IUSR_computername | An IIS account for anonymous IIS access.
IWAM_computername | An IIS account for starting out-of-process applications in IIS 5.0 isolation mode.
ASPNET | A built-in account for running the Microsoft ASP.NET worker process in IIS 5.0 isolation mode.
Slide 7: Authentication Scenario (diagram)
Diagram labels: Internet | DMZ; components: Web Browser, Web Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
Slide 8: Anonymous Authentication (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. GET dbquery.asp HTTP/1.1
2. (request passes through the proxy and firewall to IIS)
3. SQL authentication: SELECT * FROM table
Slide 9: Anonymous Authentication
- Resource access as the anonymous user (IUSR_)
- Process identity: LocalSystem or IWAM_
- Anonymous user is completely configurable
- Process identity is configurable through COM+
- You have to trade security versus performance
Slide 10: Basic Authentication (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. GET dbquery.asp HTTP/1.1
2. (request passes through the proxy and firewall to IIS)
3. 401 Unauthorized, WWW-Authenticate: Basic realm="spoon"
4. Authorization: "Basic" Base64-encoded user/pw
5. LogonUser("user1", "pw")
6. Windows authentication
Slide 11: Basic Authentication
- Process identity: IWAM or LocalSystem
- Resource access as the authenticated user
Pros
- Least common denominator
- All HTTP clients support basic auth
- Supports one-hop delegation
Cons
- Clear text password (Base64 encoded), both over the wire and on the server
- Needs to be protected via SSL
Slide 12: Digest Authentication (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. GET dbquery.asp HTTP/1.1
2. 401 Unauthorized, WWW-Authenticate: "Digest" challenge
3. (request passes through the proxy and firewall to IIS)
4. Authorization: "Digest" response
5. CheckCredentials("user1", "digesthash")
6. SQL authentication: SELECT * FROM table WHERE user='user1'
Slide 13: Digest Authentication
Pros
- No clear text password over the wire
- Works through proxies
- Password is not known to IIS
Cons
- Medium security
- Internet Explorer 5 and higher only
- No delegation
- Requires Active Directory
- Password in AD (reversible encryption)
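The two slides above (Basic and Digest) contrast what the server receives in the Authorization header. The following is an added example, not code from the deck: it builds and decodes a Basic header to show that Base64 is only an encoding, and then computes an RFC 2617 Digest response (the qop-less form) from the client side and verifies it on the server side using only the stored HA1 = MD5(user:realm:password). The user name, password and nonce are constructed sample values; the realm "spoon" is taken from the Basic slide. Because verification needs HA1, the verifier must hold either HA1 or the clear password to derive it, which is the reason the Digest slide lists "password in AD (reversible encryption)" as a con.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the example (not from the deck, except the realm).
USER = "user1"
PASSWORD = "pw"
REALM = "spoon"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_decode(header):
    """Recover user and password from a Basic header.

    Anyone who sees the header (on the wire without SSL, or in a log on the
    server) gets the clear text password back: Base64 is not encryption.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the server can store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def client_digest(user, password, realm, method, uri, nonce):
    """What the browser puts in the response= field of the Authorization: Digest header."""
    return digest_response(digest_ha1(user, realm, password), method, uri, nonce)


def server_verify(stored_ha1, method, uri, nonce, response):
    """Server-side check: recompute from HA1 only and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", basic_decode(hdr))
    resp = client_digest(USER, PASSWORD, REALM, "GET", "/dbquery.asp", NONCE)
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    print("digest response:", resp, "verified:", server_verify(ha1, "GET", "/dbquery.asp", NONCE, resp))
```

Note that the Digest response is bound to the method, URI and nonce, so a captured response cannot be replayed against a different URI or after the nonce changes, whereas a captured Basic header is reusable anywhere the same credentials are accepted.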
Slide 14: Windows Integrated Authentication
- Security Support Provider Interface (SSPI)-based
- NTLM or Kerberos
- IIS asks the client what protocol it supports
- Protocol can be enforced via NTAuthenticationProviders: Negotiate, NTLM, Kerberos
Slide 15: NTLM Authentication (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. GET dbquery.asp HTTP/1.1
2. 401 Unauthorized, WWW-Authenticate: "NTLM" challenge
3. Authorization: "NTLM" response
Slide 16: NTLM Authentication (diagram)
Components: Web Browser, IIS 5.0, SQL Server, Active Directory.
1. GET dbquery.asp HTTP/1.1
2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: NTLM
3. GET dbquery.asp HTTP/1.1, Authorization: NTLM {…}, Connection: Keep-Alive
4. HTTP/1.1 401 Access Denied, WWW-Authenticate: NTLM {…}, Connection: Keep-Alive
5. GET dbquery.asp HTTP/1.1, Authorization: NTLM {hashed challenge}, Connection: Keep-Alive
6. ImpersonateSecurityContext
7. SQL Login / COM+: SELECT * FROM table WHERE user='user1'
Slide 17: NTLM Authentication
Pros
- Works out of the box
- Provides automatic logon (no logon dialog box)
Cons
- Enterprise only: does not work through proxy servers (keep-alive connection required)
- No delegation
- Configured to be compatible with older clients
Slide 18: Kerberos Authentication (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. HTTP GET dbquery.asp HTTP/1.1
2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate, Kerberos
3. Kerberos Session Ticket Request
Slide 19: Kerberos Authentication (diagram)
Components: Web Browser, IIS 5.0, SQL Server, Active Directory.
1. HTTP GET dbquery.asp HTTP/1.1
2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate, NTLM
3. Kerberos Session Ticket Request
4. Kerberos Session Ticket Response
5. HTTP GET dbquery.asp HTTP/1.1
6. ImpersonateSecurityContext / NT Authentication / Delegation
Slide 20: Kerberos Authentication
- Strong, scalable, fast, supports delegation
- Limited client support: Internet Explorer 5 and Windows 2000
Issues
- DC has to be client accessible
- Service Principal Name: Domain Administrator needs to be involved
- Delegation needs to be enabled: unconstrained!
Setup
- Best description in "Designing Secure Web-Based Applications"
Slide 21: Client Certificate Authentication, Handshake Phase (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. Client Hello
2. Server Hello: certificate, crypto parameters
3. Client response: certificate, crypto parameters
4. Client finish
5. Server finish
Slide 22: Client Certificate Authentication, IIS Mapping (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. HTTPS GET dbquery.asp HTTP/1.1
2. (request passes through the proxy and firewall to IIS)
3. Mapping
4. LogonUser("user1", "pw")
5. NT Authentication
Slide 23: Client Certificate Authentication, Active Directory Mapping (diagram)
Components: Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.
1. HTTPS GET dbquery.asp HTTP/1.1
2. SCHANNEL UPN mapping or AD mapping
3. SQL Login / COM+: SELECT * FROM table WHERE user='user1'
Slide 24: Client Certificate Authentication
Pros
- Very secure
- Flexible
- Integrity, confidentiality
Cons
- Higher management costs for PKI
- Usability
- Scalability and performance
Slide 25: Authentication Grid
Scheme | Security | Limitations / Comments | Client Support | Scenario
Anonymous | None | | All | All
Basic | Low | Clear text password, use only with SSL | All | All
Digest | Medium | IIS 5 and higher | IE5 and higher in domain infrastructure | All
NTLM | Medium | Doesn't work over proxies | Internet Explorer only | Only intranet, doesn't work with proxies
Kerberos | High | IIS 5.0 and higher | IE 5 on Windows 2000 or XP in domain infrastructure | Only intranet, DC needs to be accessible by the client
IIS Client Cert Mapping | High | PKI management makes client certs expensive, IIS 5.0 and higher | All newer browsers | All
AD Client Cert Mapping | Very High | PKI management makes client certs expensive, IIS 5.0 and higher | All newer browsers | All
Slide 26: Access Control Flow
1. Is the IP address permitted?
2. Is the user permitted?
   - Valid credentials
   - Account restrictions: time, lockout, password expired, privileges
3. Does IIS allow access?
4. Does NTFS allow access?
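The four checks above run in order, and the first one that fails ends the request, so an address on the deny list never gets as far as a credential check, and a valid account can still be refused by the IIS access flags or by an NTFS deny entry. The following is an added example, not from the deck or from IIS itself: a small Python model of that ordering with constructed sample data standing in for the IP restriction list, the account database, the metabase access flags and the file ACLs. Every account name, address and path in it is invented for the example; the ".asp requires Script access" rule and "NTFS deny beats allow" rule are the two semantics it models.

```python
import ipaddress

# Constructed sample data standing in for IIS configuration; none of it comes from the deck.
IP_DENY_LIST = [ipaddress.ip_network("10.0.0.0/8")]

ACCOUNTS = {
    "user1": {"password": "pw", "locked_out": False, "expired": False, "logon_hours": range(8, 18)},
    "user2": {"password": "pw2", "locked_out": True, "expired": False, "logon_hours": range(0, 24)},
}

# IIS access flags per URL: running an .asp page needs Script, a static file needs Read.
IIS_PERMISSIONS = {
    "/dbquery.asp": {"Read", "Script"},
    "/report.html": {"Read"},
    "/tool.asp": {"Read"},          # Script access deliberately missing
}

# NTFS ACLs on the physical files; an explicit deny wins over any allow.
NTFS_ACL = {
    "/dbquery.asp": {"allow": {"user1", "user2"}, "deny": set()},
    "/report.html": {"allow": {"user1"}, "deny": {"user1"}},
    "/tool.asp": {"allow": {"user1"}, "deny": set()},
}


def ip_permitted(client_ip):
    """Step 1: IP address restrictions (deny list with everything else granted)."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in IP_DENY_LIST)


def user_permitted(user, password, hour):
    """Step 2: valid credentials, then account restrictions (time, lockout, expiry)."""
    acct = ACCOUNTS.get(user)
    if acct is None or acct["password"] != password:
        return False, "invalid credentials"
    if acct["locked_out"]:
        return False, "account locked out"
    if acct["expired"]:
        return False, "password expired"
    if hour not in acct["logon_hours"]:
        return False, "outside permitted logon hours"
    return True, "ok"


def iis_permits(url):
    """Step 3: the IIS access flags on the virtual directory or file."""
    flags = IIS_PERMISSIONS.get(url, set())
    needed = "Script" if url.endswith(".asp") else "Read"
    return needed in flags


def ntfs_permits(url, user):
    """Step 4: NTFS ACL on the physical file, deny entries evaluated first."""
    acl = NTFS_ACL.get(url, {"allow": set(), "deny": set()})
    if user in acl["deny"]:
        return False
    return user in acl["allow"]


def check_access(client_ip, user, password, url, hour=12):
    """Apply the four checks in IIS order; return (granted, failing_step, reason)."""
    if not ip_permitted(client_ip):
        return False, 1, "IP address not permitted"
    ok, reason = user_permitted(user, password, hour)
    if not ok:
        return False, 2, reason
    if not iis_permits(url):
        return False, 3, "IIS access flags do not allow this request"
    if not ntfs_permits(url, user):
        return False, 4, "NTFS ACL denies this user"
    return True, 0, "access granted"


if __name__ == "__main__":
    for args in [("10.1.2.3", "user1", "pw", "/dbquery.asp"),
                 ("192.0.2.7", "user2", "pw2", "/dbquery.asp"),
                 ("192.0.2.7", "user1", "pw", "/tool.asp"),
                 ("192.0.2.7", "user1", "pw", "/report.html"),
                 ("192.0.2.7", "user1", "pw", "/dbquery.asp")]:
        print(args, "->", check_access(*args))
```

The step number in the result is what an administrator needs when troubleshooting a 403 or 401: it tells which layer refused the request, which is the same question the four-step slide answers.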
Slide 27: IIS Pass-Through Authentication
Slide 28: How Microsoft Passport Works (diagram)
Participants: Client, Website.msft, Passport.com.
1. The client requests a page from the host
2. The site redirects the client to Passport.com
3. The client logs on to Passport.com
4. Passport returns a cookie with ticket information
5. The client accesses the host with the ticket information
6. The host returns a Web form and possibly a new cookie that it can read and write
Slide 29: Configuration Files and the .NET Framework
- The Web server has a Web.config file for ASP.NET Web application settings
- Each ASP.NET Web application also has its own Web.config file
- Within the Web.config file, you can control access to individual pages or the entire Web site:
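The slide's example of per-page and site-wide access control is not reproduced in this transcript. As an added example, not from the deck or from ASP.NET itself, the following Python script embeds a constructed Web.config with an `<authorization>` section at the site level and two `<location>` overrides, then evaluates requests the way ASP.NET's URL authorization does: rules from the most specific matching location are checked first, within a rule set the first matching `allow`/`deny` wins, `?` stands for anonymous users, `*` for everyone, and a request that matches no rule is allowed. The path names, user names and the role name are invented for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config for the example; paths, users and roles are invented.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="public/status.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _split(attr):
    return {item.strip().lower() for item in attr.split(",") if item.strip()}


def _rules(authz):
    """Turn an <authorization> element into an ordered list of (verdict, users, roles)."""
    return [(child.tag, _split(child.get("users", "")), _split(child.get("roles", "")))
            for child in authz if child.tag in ("allow", "deny")]


def load_rules(xml_text):
    """Return [(location_path, rules)]; the site-wide section has path ''."""
    root = ET.fromstring(xml_text)
    scoped = []
    site = root.find("./system.web/authorization")
    if site is not None:
        scoped.append(("", _rules(site)))
    for loc in root.findall("location"):
        authz = loc.find("./system.web/authorization")
        if authz is not None:
            scoped.append((loc.get("path", "").strip("/").lower(), _rules(authz)))
    return scoped


def _applies(loc_path, request_path):
    """A location covers an exact file match or anything beneath a directory path."""
    return loc_path == "" or request_path == loc_path or request_path.startswith(loc_path + "/")


def _matches(rule, user, roles):
    _, users, rule_roles = rule
    anonymous = user is None
    if "*" in users or ("?" in users and anonymous):
        return True
    if not anonymous and user.lower() in users:
        return True
    return bool(rule_roles & {r.lower() for r in roles})


def is_authorized(scoped_rules, request_path, user=None, roles=()):
    """Most specific location first; first matching rule decides; no match means allow."""
    path = request_path.strip("/").lower()
    applicable = sorted((s for s in scoped_rules if _applies(s[0], path)),
                        key=lambda s: len(s[0]), reverse=True)
    for _, rules in applicable:
        for rule in rules:
            if _matches(rule, user, roles):
                return rule[0] == "allow"
    return True


if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    print("anonymous /default.aspx:", is_authorized(rules, "default.aspx"))
    print("user1 /admin/users.aspx:", is_authorized(rules, "admin/users.aspx", "user1"))
    print("admin /admin/users.aspx:", is_authorized(rules, "admin/users.aspx", "user1", ["Administrators"]))
    print("anonymous /public/status.aspx:", is_authorized(rules, "public/status.aspx"))
```

The `<deny users="?" />` line placed before `<allow users="*" />` is the usual way to force authentication for a whole site; reversing the two lines would let the `allow` match first and make the `deny` dead, which is the ordering mistake worth checking for in any Web.config review.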
Slide 30: Best Practices
- Use Run As... never log on as an Administrator
- Disable NetBIOS
- Do not put Web files on C:
- Use the highest level of authentication you can, based on the clients used
- Always encrypt sensitive information using SSL or IPSec
- Always use SSL when using basic authentication
- Do not issue a request for a certificate on a production server
- Never leave certificates on the server
- Use the Auto Update feature
- Use URLScan
- Do not install the Resource Kit on a production server