
[Server Tutor] Windows 2003 IIS 6.0 Security - Part One


The security settings are configured at the Web site level. There are several ways to protect
your Web site from intruders. The security settings for a Web site can be viewed by right-clicking
a Web site in IIS Manager and selecting Properties. The settings are found on the
Directory Security tab. We will cover IIS security in three articles: User Authentication, IP Filtering and Secure Sockets Layer (SSL).

User Authentication

First, you can enable or disable anonymous access and configure how IIS will authenticate non-anonymous (authenticated) users to the Web site. Click the Edit button under the Authentication and access control section of the tab. You will see a window called Authentication Methods.

[Picture 1: Directory Security Tab for a Web Site]

The first option is to restrict users by forcing them to authenticate to the IIS server. This can be
achieved by clicking the Edit button in the Authentication and access control group box.

[Picture 2: Authentication Methods window]

Picture 2 shows the options available for authentication in IIS 6.0.

The options available in the Authentication Methods window are explained below.

- Enable anonymous access: This allows users to use the site without explicitly
logging on. IIS impersonates the IUSR_MachineName account to execute scripts
in this case. A safer option is to disable anonymous access and force the user to
authenticate using one of the following methods.

- Integrated Windows authentication: This was formerly known as Windows NT
Challenge/Response or NTLM. It is a secure form of authentication that hashes the user
name and the password before any network transmission. It uses Kerberos version 5 for
authentication if the client browser supports Kerberos; otherwise, it uses NTLM
authentication to protect the user name and password data.

- Digest authentication for Windows domain servers: This option uses Digest
Authentication. Please refer to the New IIS Features section to learn about Digest security.

- Basic authentication: This option sends the user name and password in clear text for authentication.
This is not secure and is not recommended. It could be useful in a less secure environment
(e.g., a development environment behind a firewall). Alternatively, you can use SSL
encryption to protect the clear-text user name and password details in transit.

- .NET Passport Authentication: This option uses .NET Passport to authenticate Web
users. This is a new feature in IIS 6.0. .NET Passport is a single sign-on mechanism. The
incoming HTTP requests must carry the Passport credentials (user name and password)
in the query string or as a cookie value. (The cookie can be compromised, exposing it
to malicious attacks. Therefore, Microsoft recommends running .NET Passport
Authentication over SSL.) You can enable this option by selecting the .NET Passport
Authentication check box. You will be asked to select the Domain the IIS server
belongs to and the Realm used to configure the .NET Passport credentials. These details need
to be available to the client for future requests to the Web server.
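The choices made in the Authentication Methods window are persisted by IIS 6.0 in the metabase (MetaBase.xml) as the AuthFlags property, and the "require SSL" choice lives in AccessFlags. The following script, an added example that is not part of this tutorial or of any Microsoft tool, reads a MetaBase.xml fragment and reports, for each site root, which of the methods described above are enabled and where the weak combinations this article warns about occur (anonymous access on, Basic or .NET Passport without SSL). It assumes the IIS 6.0 metabase layout in which flag values are stored as flag names joined by " | " (AuthAnonymous, AuthBasic, AuthNTLM, AuthMD5, AuthPassport; AccessSSL); the sample metabase text, site numbers and the IUSR_WEBSRV01 account name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed MetaBase.xml fragment (not taken from any real server): three site
# roots with different Authentication Methods settings.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AccessFlags="AccessRead | AccessScript"
    AuthFlags="AuthAnonymous | AuthNTLM"
    AnonymousUserName="IUSR_WEBSRV01" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"
    AccessFlags="AccessRead | AccessScript"
    AuthFlags="AuthBasic" />
<IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT"
    AccessFlags="AccessRead | AccessScript | AccessSSL | AccessSSL128"
    AuthFlags="AuthBasic | AuthMD5" />
</MBProperty>
</configuration>"""

# Metabase AuthFlags names mapped to the check box labels in the Authentication Methods window.
AUTH_FLAG_NAMES = {
    "AuthAnonymous": "Enable anonymous access",
    "AuthBasic": "Basic authentication",
    "AuthNTLM": "Integrated Windows authentication",
    "AuthMD5": "Digest authentication for Windows domain servers",
    "AuthPassport": ".NET Passport authentication",
}

# Metabase nodes that can carry per-site or per-directory authentication settings.
AUTH_NODE_TAGS = ("IIsWebServer", "IIsWebVirtualDir", "IIsWebDirectory")


def parse_flags(value):
    """Split a metabase flag string such as 'AuthAnonymous | AuthNTLM' into a set of names."""
    return {part.strip() for part in value.split("|") if part.strip()}


def audit_metabase(xml_text):
    """Return one finding per node that sets AuthFlags: enabled methods, SSL requirement, issues."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        tag = node.tag.split("}")[-1]  # strip the XML namespace from the element name
        if tag not in AUTH_NODE_TAGS or "AuthFlags" not in node.attrib:
            continue
        auth = parse_flags(node.attrib["AuthFlags"])
        access = parse_flags(node.attrib.get("AccessFlags", ""))
        ssl_required = "AccessSSL" in access
        issues = []
        if "AuthAnonymous" in auth:
            account = node.attrib.get("AnonymousUserName", "IUSR_<MachineName>")
            issues.append("anonymous access enabled (scripts run as %s)" % account)
        if "AuthBasic" in auth and not ssl_required:
            issues.append("Basic authentication without SSL: credentials cross the network in clear text")
        if "AuthPassport" in auth and not ssl_required:
            issues.append(".NET Passport without SSL: Passport cookie or query string exposed in transit")
        findings.append({
            "location": node.attrib.get("Location", "?"),
            "methods": sorted(AUTH_FLAG_NAMES.get(flag, flag) for flag in auth),
            "ssl_required": ssl_required,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit_iis6_auth.py (reads the constructed sample above).
    # To check a real server, replace SAMPLE_METABASE with the contents of
    # %SystemRoot%\system32\inetsrv\MetaBase.xml.
    for finding in audit_metabase(SAMPLE_METABASE):
        print(finding["location"], "methods:", ", ".join(finding["methods"]),
              "| SSL required:", finding["ssl_required"])
        for issue in finding["issues"]:
            print("    WARNING:", issue)
```

Site 3 in the sample shows the hardened form of the Basic-authentication case: Basic is still enabled, but AccessSSL makes the clear-text credentials travel only inside an SSL session, which is the mitigation the article names.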