Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.


Internet Information Server 6.0

Overview
- What's New in IIS 6.0?
- Built-in Accounts and IIS 6.0
- IIS Pass-Through Authentication
- Securing Web Traffic
- How Microsoft Passport Works
- Configuration Files and the .NET Framework
- Lab: Securing Web Application Sites in IIS 6.0
- Lab Discussion
- Best Practices

IIS 6 Architecture (diagram): HTTP.SYS runs in kernel mode and receives the requests; in user mode the Web Admin Service manages the worker processes, and each worker process hosts the W3 core and the Web application.

Choosing an Isolation Mode

Mode: IIS 5.0 Isolation Mode
  Applications: run inside Inetinfo.exe; out-of-process applications run in separate DLL hosts
  Compatibility: ensures compatibility for most existing applications
  Isolation: prevents one application or site from stopping another

Mode: Worker Process Isolation Mode
  Applications: run in an isolated environment (their own worker process)
  Compatibility: applications must be written to run as multiple instances
  Isolation: allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process

What's New in IIS 6.0? Authentication methods by version (IIS 4.0, IIS 5.0, IIS 6.0)
- Methods: Anonymous; Basic (clear text); Windows NT Challenge/Response (NTLM); Integrated Windows; Digest; .NET Passport
- .NET Passport support: not available in IIS 4.0; available as a separate install in IIS 5.0; fully integrated in IIS 6.0

Built-in Accounts and IIS 6.0

Account: Description
- LocalSystem: a built-in account with a high level of access rights; avoid assigning LocalSystem as an application pool identity
- Network Service: a built-in account with low privileges; interacts over the network as the computer account; the default application pool identity (recommended)
- Local Service: a built-in account with the lowest privileges; connects anonymously over the network; use for local Web applications only
- IIS_WPG: an IIS group; application pool identity accounts must be members of this group
- IUSR_computername: the IIS account used for anonymous access
- IWAM_computername: the IIS account used to start out-of-process applications in IIS 5.0 isolation mode
- ASPNET: a built-in account for running the Microsoft ASP.NET worker process in IIS 5.0 isolation mode

Authentication Scenario (diagram): a Web browser on the Internet goes through a Web proxy and a firewall to IIS 5.0 in the DMZ, which talks to SQL Server and Active Directory. The following slides walk the request "GET dbquery.asp" through this path under each authentication scheme.

Anonymous Authentication (diagram)
1. Browser: GET dbquery.asp HTTP/1.1
2. IIS runs the page as the anonymous user account; no challenge is sent
3. IIS to SQL Server: SQL authentication, SELECT * FROM table

Anonymous Authentication
- Resource access as the anonymous user (IUSR_computername)
- Process identity: LocalSystem or IWAM_computername
- The anonymous user account is completely configurable
- The process identity is configurable through COM+
- You have to trade security against performance

Basic Authentication (diagram)
1. Browser: GET dbquery.asp HTTP/1.1
2. IIS: HTTP/1.1 401 Unauthorized, WWW-Authenticate: Basic realm="spoon"
3. Browser: GET again with Authorization: Basic {Base64-encoded user:password}
4. IIS decodes the header and now holds the clear-text user name and password
5. IIS: LogonUser("user1", "pw")
6. Windows authentication against Active Directory; the page then runs as user1

Basic Authentication
- Process identity: IWAM_computername or LocalSystem
- Resource access as the authenticated user
- Pros: least common denominator, all HTTP clients support Basic; supports one-hop delegation (IIS holds the password, so it can log on to a back-end resource as the user)
- Cons: clear-text password (Base64 is an encoding, not encryption) both over the wire and on the server; must be protected with SSL

Digest Authentication (diagram)
1. Browser: GET dbquery.asp HTTP/1.1
2. IIS: HTTP/1.1 401 Unauthorized, WWW-Authenticate: Digest challenge (realm and nonce)
3. Browser: GET again with Authorization: Digest response (an MD5 digest over user name, realm, password, nonce, method and URI)
4. IIS passes the user name and digest to the domain controller
5. Domain controller: CheckCredentials("user1", "digesthash")
6. IIS to SQL Server: SQL authentication, SELECT * FROM table WHERE user='user1'

Digest Authentication
- Pros: no clear-text password over the wire; works through proxies; the password is not known to IIS
- Cons: medium security; Internet Explorer 5 and higher only; no delegation; requires Active Directory; the password must be stored in AD with reversible encryption
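
The two exchanges above differ in what an observer on the path learns. The following is an added example, not code from the slides or from Microsoft: it builds the Basic header from the slide (and decodes it, as any proxy or sniffer could), then runs the RFC 2617 Digest computation with qop=auth, where the verifier only needs the stored HA1 value and never the password. The realm "spoon" is the slide's; user name, password, nonce and URI are constructed values.

```python
"""Basic vs. Digest HTTP authentication as exchanged between a browser and IIS.

Added example; not code from the original slides or from Microsoft. Standard library
only. The realm "spoon" comes from the slide's challenge; user, password, nonce and
URI values are constructed for illustration.
"""
import base64
import hashlib
import secrets

REALM = "spoon"


# ---- Basic: the password crosses the wire in a reversible encoding ----------------

def basic_authorization(user: str, password: str) -> str:
    """Step 3 of the Basic exchange: the header the browser sends after the 401."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(authorization: str) -> tuple:
    """What any proxy or sniffer on the path can do with that header."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# ---- Digest (RFC 2617 with qop=auth): only MD5 digests cross the wire -------------

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(user:realm:password). The verifier only needs this value, which is
    why the Web server never learns the password (in IIS the domain controller checks)."""
    return _md5(f"{user}:{realm}:{password}")


def digest_challenge() -> str:
    """Step 2: the WWW-Authenticate value. A fresh nonce per challenge limits replay."""
    return f'Digest realm="{REALM}", qop="auth", nonce="{secrets.token_hex(16)}"'


def digest_response(user, password, method, uri, nonce, nc="00000001", cnonce=None, realm=REALM):
    """Step 3: parameters of the Authorization: Digest header the browser sends."""
    cnonce = cnonce or secrets.token_hex(8)
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{digest_ha1(user, password, realm)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def verify_digest(stored_ha1: str, params: dict, method: str) -> bool:
    """Steps 4-5: recompute the response from the stored HA1 and the request's
    method/URI, so a header replayed against another URI or verb fails."""
    ha2 = _md5(f"{method}:{params['uri']}")
    expected = _md5(f"{stored_ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:auth:{ha2}")
    return secrets.compare_digest(expected, params["response"])


if __name__ == "__main__":
    header = basic_authorization("user1", "pw")
    print(header, "->", recover_basic_credentials(header))
    nonce = digest_challenge().split('nonce="')[1].rstrip('"')
    params = digest_response("user1", "pw", "GET", "/dbquery.asp", nonce)
    print("digest verifies:", verify_digest(digest_ha1("user1", "pw"), params, "GET"))
```

Note what the Digest side does not protect: HA1 is a fast MD5 of a short string, so a captured response is still an offline guessing target, which is why the grid later rates Digest only "medium" and why SSL remains the answer for Basic.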

Windows Integrated Authentication
- Security Support Provider Interface (SSPI)-based
- NTLM or Kerberos
- IIS advertises the providers it accepts in WWW-Authenticate headers and the client uses the strongest one it supports
- The protocol can be enforced through the NTAuthenticationProviders metabase property: Negotiate (Kerberos where possible, otherwise NTLM) or NTLM only

NTLM Authentication (diagram; no proxy in the path, because NTLM authenticates the TCP connection and needs keep-alive)
1. Browser: GET dbquery.asp HTTP/1.1
2. IIS: HTTP/1.1 401 Unauthorized, WWW-Authenticate: NTLM
3. Browser: GET dbquery.asp HTTP/1.1, Authorization: NTLM {negotiate message}, Connection: Keep-Alive
4. IIS: HTTP/1.1 401 Unauthorized, WWW-Authenticate: NTLM {challenge}, Connection: Keep-Alive
5. Browser: GET dbquery.asp HTTP/1.1, Authorization: NTLM {response: hashed challenge}, Connection: Keep-Alive
6. IIS validates the response (via the domain controller for domain accounts) and calls ImpersonateSecurityContext
7. IIS to SQL Server: SQL login / COM+, SELECT * FROM table WHERE user='user1'

NTLM Authentication
- Pros: works out of the box; automatic logon, no logon dialog box
- Cons: enterprise only, does not work through proxy servers (a keep-alive connection is required); no delegation; usually configured for compatibility with older clients, which weakens it

Kerberos Authentication (diagram)
1. Browser: GET dbquery.asp HTTP/1.1
2. IIS: HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM
3. Browser to domain controller: Kerberos session (service) ticket request for the Web server's service principal name
4. Domain controller to browser: Kerberos session ticket response
5. Browser: GET dbquery.asp HTTP/1.1, Authorization: Negotiate {ticket}
6. IIS: NT authentication and ImpersonateSecurityContext; with delegation enabled, IIS can use the user's identity against SQL Server

Kerberos Authentication
- Strong, scalable, fast, supports delegation
- Limited client support: Internet Explorer 5 on Windows 2000
- Issues: the domain controller has to be accessible to the client; a Service Principal Name (SPN) has to be registered, so a domain administrator needs to be involved; delegation needs to be enabled, and that delegation is unconstrained (the server can then act as the user against any service)
- Setup: best described in "Designing Secure Web-Based Applications"

Client Certificate Authentication, handshake phase (diagram)
1. Browser: Client Hello
2. IIS: Server Hello with the server certificate and crypto parameters
3. Browser: client response with the client certificate and crypto parameters
4. Browser: Client Finished
5. IIS: Server Finished

Client Certificate Authentication, IIS mapping (diagram)
1. Browser: HTTPS GET dbquery.asp HTTP/1.1 (the client certificate was presented in the handshake)
2. IIS reads the client certificate
3. IIS mapping: the certificate is matched to a Windows account (one-to-one or many-to-one mapping rules stored in the metabase)
4. IIS: LogonUser("user1", "pw") with the password stored in the mapping
5. NT authentication; resource access as user1

Client Certificate Authentication, Active Directory mapping (diagram)
1. Browser: HTTPS GET dbquery.asp HTTP/1.1
2. SCHANNEL maps the certificate to the account in Active Directory (UPN mapping or explicit AD mapping)
3. IIS to SQL Server: SQL login / COM+, SELECT * FROM table WHERE user='user1'

Client Certificate Authentication
- Pros: very secure; flexible; integrity and confidentiality
- Cons: higher management costs for the PKI; usability; scalability and performance

Authentication Grid (columns: Scheme; Security; Limitations / comments; Client support; Scenario)

- Anonymous; none; (none); all clients; all scenarios
- Basic; low; clear-text password, use only with SSL; all clients; all scenarios
- Digest; medium; IIS 5 and higher; IE 5 and higher in a domain infrastructure; all scenarios
- NTLM; medium; doesn't work over proxies; Internet Explorer only; intranet only, doesn't work with proxies
- Kerberos; high; IIS 5.0 and higher; IE 5 on Windows 2000 or XP in a domain infrastructure; intranet only, DC needs to be accessible by the client
- IIS client certificate mapping; high; PKI management makes client certificates expensive, IIS 5.0 and higher; all newer browsers; all scenarios
- AD client certificate mapping; very high; PKI management makes client certificates expensive, IIS 5.0 and higher; all newer browsers; all scenarios

Access Control Flow
1. Is the IP address permitted?
2. Is the user permitted? Valid credentials, then account restrictions: logon time, lockout, password expired, privileges
3. Does IIS allow access? (Read, Script, Execute or Write permission on the site or directory, depending on the request)
4. Does NTFS allow access? (the ACL on the file, evaluated for the authenticated or anonymous account)
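
The order of those four checks matters when you troubleshoot an access denial, because the first failing stage produces the response. The following is an added example, not code from the slides or from IIS: it models the four stages in that order over constructed sample data (an IP restriction list, two accounts with restrictions, per-directory IIS permission flags and ordered NTFS ACEs) and reports the IIS status and sub-status the failing stage would log. The accounts, paths and ACLs are made up for the example.

```python
"""The four-stage access check from the slide (IP restriction, account, IIS
permissions, NTFS ACL), modelled as runnable code.

Added example; not code from the original slides or from IIS itself. All IP lists,
accounts, metabase permissions and ACLs below are constructed sample data that
stand in for the metabase, the SAM/Active Directory and NTFS.
"""
import ipaddress

# IIS IP restriction: a default plus exceptions (here: deny everyone except one intranet subnet)
IP_POLICY = {"default_allow": False,
             "exceptions": [ipaddress.ip_network("192.168.10.0/24")]}

ACCOUNTS = {  # constructed accounts carrying the restrictions the slide lists
    "user1": {"password": "pw", "groups": {"Users", "WebApp"}, "disabled": False,
              "locked_out": False, "password_expired": False, "logon_hours": range(8, 18)},
    "svc_old": {"password": "x", "groups": {"Users"}, "disabled": False,
                "locked_out": True, "password_expired": False, "logon_hours": range(0, 24)},
}

IIS_PERMS = {"/": {"Read", "Script"}, "/bin": set()}  # metabase access flags per virtual directory

NTFS_ACL = {  # ordered ACEs per file: (principal, "deny" | "allow", rights)
    r"C:\inetpub\wwwroot\dbquery.asp": [("Guests", "deny", {"read"}),
                                       ("WebApp", "allow", {"read", "execute"})],
    r"C:\inetpub\wwwroot\bin\secrets.dll": [("Administrators", "allow", {"read"})],
}


def ip_permitted(client_ip: str) -> bool:
    """Stage 1: an address inside an exception gets the opposite of the default."""
    addr = ipaddress.ip_address(client_ip)
    in_exception = any(addr in net for net in IP_POLICY["exceptions"])
    return IP_POLICY["default_allow"] != in_exception


def user_permitted(user: str, password: str, hour: int):
    """Stage 2: valid credentials first, then the account restrictions."""
    acct = ACCOUNTS.get(user)
    if acct is None or acct["password"] != password:
        return False, "invalid credentials"
    if acct["disabled"]:
        return False, "account disabled"
    if acct["locked_out"]:
        return False, "account locked out"
    if acct["password_expired"]:
        return False, "password expired"
    if hour not in acct["logon_hours"]:
        return False, "outside logon hours"
    return True, "ok"


def iis_permitted(vdir: str, url_path: str, verb: str) -> str:
    """Stage 3: the virtual directory must carry the flag this request needs.
    Returns "" when allowed, otherwise the IIS 403 sub-status for the missing flag."""
    if verb in ("PUT", "DELETE"):
        needed, substatus = "Write", "403.3"
    elif url_path.lower().endswith((".asp", ".aspx")):
        needed, substatus = "Script", "403.1"
    else:
        needed, substatus = "Read", "403.2"
    return "" if needed in IIS_PERMS.get(vdir, set()) else substatus


def ntfs_permitted(path: str, user: str, right: str) -> bool:
    """Stage 4: walk the ACEs in order; the first ACE naming the user or one of the
    user's groups for this right decides (canonical order lists denies first).
    No matching ACE means denied."""
    principals = {user} | ACCOUNTS[user]["groups"]
    for principal, kind, rights in NTFS_ACL.get(path, []):
        if principal in principals and right in rights:
            return kind == "allow"
    return False


def check_request(client_ip, user, password, hour, vdir, url_path, file_path, verb="GET") -> str:
    """Run the four stages in the order IIS does and report the first failure."""
    if not ip_permitted(client_ip):
        return "403.6 IP address rejected"
    ok, why = user_permitted(user, password, hour)
    if not ok:
        return f"401.1 {why}"
    substatus = iis_permitted(vdir, url_path, verb)
    if substatus:
        return f"{substatus} IIS permission missing"
    if not ntfs_permitted(file_path, user, "read"):
        return "401.3 NTFS ACL denies access"
    return "200 OK"


if __name__ == "__main__":
    print(check_request("192.168.10.5", "user1", "pw", 10, "/", "/dbquery.asp",
                        r"C:\inetpub\wwwroot\dbquery.asp"))
```

The last case in the test below is the one that bites in practice: a directory whose IIS flags allow Read still refuses a file whose NTFS ACL has no ACE for the requesting account, and the log shows 401.3 rather than 403, so look at NTFS, not the metabase.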

IIS Pass-Through Authentication

How Microsoft Passport Works (participants: Website.msft, Passport.com, the client)
1. The client requests a page from the host
2. The site redirects the client to Passport.com
3. The client logs on to Passport.com
4. Passport returns a cookie with ticket information
5. The client accesses the host with the ticket information
6. The host returns a Web form and possibly a new cookie that it can read and write

Configuration Files and the .NET Framework
- The Web server has a machine-wide configuration file (Machine.config) holding the default ASP.NET settings
- Each ASP.NET Web application also has its own Web.config file
- Within Web.config you can control access to individual pages or to the entire Web site with <allow> and <deny> rules in the <authorization> section; rules are evaluated in order and the first one matching the user, role and verb decides
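
The first-match rule is what makes the usual <authorization> mistake possible: a section that only lists who is allowed never denies anyone else, and the inherited default of <allow users="*"/> lets the rest through. The following is an added example, not code from the slides or from ASP.NET: it evaluates an <authorization> section the way the UrlAuthorizationModule does, over two constructed Web.config fragments, one with that mistake and one hardened with a trailing <deny users="*"/>. User and role names are made up for the example.

```python
"""ASP.NET <authorization> rules, evaluated the way the UrlAuthorizationModule does:
rules are checked in document order, the first rule whose users/roles/verbs match
decides, and a request no rule matches is allowed (the inherited default is
<allow users="*"/>).

Added example; not code from the original slides or from ASP.NET. The two
Web.config fragments are constructed to show a common mistake and its fix.
"""
import xml.etree.ElementTree as ET

# Looks restrictive but is not: nothing denies the users the first rule does not name.
WEAK_CONFIG = """<configuration><system.web><authorization>
  <allow users="alice" roles="Admins"/>
</authorization></system.web></configuration>"""

# Admins may do anything, alice may only GET, everyone else (anonymous included) is denied.
HARDENED_CONFIG = """<configuration><system.web><authorization>
  <allow roles="Admins"/>
  <allow users="alice" verbs="GET"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""


def _names(attr):
    """Split a comma-separated attribute into a lower-cased set (None or "" -> empty)."""
    return {v.strip().lower() for v in (attr or "").split(",") if v.strip()}


def rule_matches(rule, user, roles, verb) -> bool:
    """One <allow>/<deny> element: verbs restrict the rule; '*' is everyone,
    '?' is the anonymous user; otherwise match by user name or by role."""
    verbs = _names(rule.get("verbs"))
    if verbs and verb.lower() not in verbs:
        return False
    users, wanted_roles = _names(rule.get("users")), _names(rule.get("roles"))
    if "*" in users:
        return True
    if user is None:                      # anonymous request
        return "?" in users
    return user.lower() in users or bool(wanted_roles & _names(",".join(roles)))


def is_authorized(config_xml: str, user, roles=(), verb="GET") -> bool:
    """user=None models an anonymous request."""
    section = next(ET.fromstring(config_xml).iter("authorization"))
    for rule in section:
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True  # fell through every rule: the inherited <allow users="*"/> applies


if __name__ == "__main__":
    print("weak config lets anonymous in:", is_authorized(WEAK_CONFIG, None))
    print("hardened config, anonymous:", is_authorized(HARDENED_CONFIG, None))
    print("hardened config, alice POST:", is_authorized(HARDENED_CONFIG, "alice", verb="POST"))
```

The evaluator only covers the <authorization> section of one file; in a real application the rules of nested <location> elements and parent directories are consulted in turn, but each of them follows the same first-match logic shown here.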

Best Practices
- Use Run As... and never log on as an Administrator
- Disable NetBIOS
- Do not put Web files on C:
- Use the highest level of authentication you can, based on the clients used
- Always encrypt sensitive information using SSL or IPSec
- Always use SSL when using Basic authentication
- Do not issue a request for a certificate on a production server
- Never leave exported certificate files on the server
- Use the Auto Update feature
- Use URLScan
- Do not install the Resource Kit on a production server