Section 5.3: Security

IIS 6.0 takes advantage of the Internet-standard security features that are fully integrated with Windows Server 2003. The following list contains the security protocols supported in IIS 6.0:

• Fortezza satisfies the Defense Message System security architecture with a cryptographic mechanism that provides message confidentiality, integrity, authentication, non-repudiation, and access control to messages, components, and systems. These features are implemented both with server and browser software and with PCMCIA card hardware.

• Secure Sockets Layer (SSL) 3.0, which is used by most Internet browsers and servers for authentication, message integrity, and confidentiality. You can configure your Web server's SSL security features to verify the integrity of your content, verify SSL security protocols are the identity of users, and encrypt network transmissions. SSL relies upon

certificates. c^i-tifkat^

• Transport Layer Security (TLS), which is based on SSL, provides for cryptographic user authentication. TLS also focuses on improving performance by reducing network traffic and providing an optional session caching scheme that can reduce the number of connections that need to be established from scratch.

• PKCS #7 describes the format of encrypted data such as digital signatures or digital envelopes.

• PKCS #10 describes the format of requests for certificates that

Certificates are digital identification documents that allow both servers and clients to authenticate each other. They are required for the server and client's browser to set up an SSL connection over which encrypted information can be sent. Server certificates usually contain information about your company and the organization that issued the certificate. Client certificates usually contain identifying information about the user and the organization that issued the certificate.

are submitted to certification authorities.

5.3.1: Authentication

IIS 6.0 provides a number of authentication methods that you can use to control access to you web sites and

FTP sites. These authentication methods are:

• Anonymous access, which enables the users to access the site without explicitly logging on. IIS will impersonate the IUSR_<computer_name> account to execute scripts in this instance.

• Basic Authentication, which is a part of the HTTP 1.0 specification. It sends passwords over networks in Base64-encoded format. The Basic Authentication method is an industry-standard method for collecting user name and password information. Because Basic Authentication transmits passwords in an unencrypted form it is not recommended unless you can secure the connection between the user and your Web server.

• Digest Authentication, which offers the same features as Basic Authentication but uses the hashing method for transmitting the authentication credentials. Digest Authentication is structured to be usable across proxy servers and other firewall applications. As Digest Authentication is a new feature of HTTP 1.1 it is not supported on all browsers. If a non-compliant browser makes a request on a server that requires Digest Authentication, the server will reject the request and send the client an error message.

• Integrated Windows Authentication, which provides NTLM authentication for older versions of Internet Explorer 3.0 that use it to cryptographically authenticate with IIS. Integrated Windows Authentication also provides Web sites and new versions of Internet Explorer with Kerberos v5 authentication. Integrated Windows Authentication is only used if Anonymous access is disabled or denied as a result of NTFS permissions restrictions but is not supported over Proxy server connections.

• .NET Passport Authentication, which uses .NET passports to authenticate Web users. This is a single sign-on mechanism. The incoming HTTP requests must have the passport credentials inside the query string or as a cookie value. A hacker might compromise the cookie and expose the user to malicious attacks. Therefore, Microsoft recommends that you implement .NET Passport Authentication over SSL.

5.3.2: Controlling Access

After authenticating users, you can control the users' access to resources on your server. IIS 6.0 uses two layers of access control: General Access permissions and NTFS permissions. General Access permissions apply to all HTTP clients and define access to server resources. General Access Permissions can be set at the Web site, directory, and file levels. NTFS permissions define what level of access individual user accounts have to folders and files on the server.

Table 5.2: General Access Permissions

Permission Description
Read Allows users to gain access to static files, such as .html, .htm or .txt files, by using a Web browser or Web folder. Disabling Read permissions prevents anyone from viewing your Web site's .html files.
Write Allows users to change the content of static files on a Web site.
Directory Browsing Displays a list of files and subfolders in the home directory if a default web page is not defined or is absent.
Script Source Access Is only available only if either the Read or Write permissions are enabled. This allows a user to read the source code if Read permissions are enabled; and allows a user to write to the source code if Write permissions are enabled.

Note: Read and Write permissions only affect static files such as .html, .htm and .txt files. They do not affect scripts or executable files.

You can also set Execute permissions on a per-Web site and per-directory basis.

Table 5.3: Execute Permissions

Permission Description
None Does not allow any programs or scripts to run in the specified Web or directory.
Scripts Only Allows applications that are mapped to a script engine to run in the specified directory without having the Execute permission set. This permission is more secure than the Scripts and Executables permission.
Scripts and Executables Allows application, including applications that are mapped to script engines, Windows binary files, and .dll and .exe files, to run in the specified directory. When this option is enabled, a user who has Write access can upload and run potentially harmful programs on the server.

Note: If your IIS installation and directories are consolidated on NTFS volumes, you can also use NTFS permissions in Windows Server 2003 to secure your Web server.

5.3.3: Encryption

You should encrypt data that is transmitted over the internet so as to ensure the security and confidentiality of the data. When you use encryption, the data it scrambled before it is transmitted. It is decrypted, i.e., unscrambled, it after it is arrives at its destination. The foundation for this encryption is the SSL 3.0 protocol and the emerging TLS 1.0 protocol, which provides a secure way of establishing an encrypted communication link with users. SSL confirms the authenticity of your Web site and can also confirm the identity of users accessing restricted Web sites.