Internet Information Server 6.0

Overview
- What's New in IIS 6.0?
- Built-in Accounts and IIS 6.0
- IIS Pass-Through Authentication
- Securing Web Traffic
- How Microsoft Passport Works
- Configuration Files and the .NET Framework
- Lab: Securing Web Application Sites in IIS 6.0
- Lab Discussion
- Best Practices
IIS 6 Architecture
Figure: IIS 6 architecture. Kernel mode: HTTP.SYS. User mode: the Web Admin Service and the worker process (W3 Core) that hosts the web app.
Choosing an Isolation Mode
Mode: IIS 5.0 Isolation Mode
  Applications: run inside Inetinfo.exe; out-of-process applications run in separate DLL hosts
  Compatibility: ensures compatibility for most existing applications
Mode: Worker Process Isolation Mode
  Applications: run in an isolated environment; applications must be written to run as multiple instances
  Isolation: prevents one application or site from stopping another; allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process
What’s New in IIS 6.0?
Authentication schemes by version (IIS 4.0 / IIS 5.0 / IIS 6.0):
- Anonymous
- Basic (clear text)
- Windows NT Challenge/Response
- Digest
- Integrated
- .NET Passport: not available / available as a separate install / fully integrated
Built-in Accounts and IIS 6.0
Account: LocalSystem
  A built-in account that has a high level of access rights. Avoid assigning LocalSystem as an application pool identity.
Account: Network Service
  A built-in account with low privileges. Interacts throughout the network with the computer account. The default application pool identity (recommended).
Account: Local Service
  A built-in account with the lowest privileges. Connects anonymously over the network. Use for local Web applications only.
Account: IIS_WPG
  An IIS group account; application pool identity accounts must be members of this group.
Account: IUSR_computername
  An IIS account for anonymous IIS access.
Account: IWAM_computername
  An IIS account for starting out-of-process applications in IIS 5.0 isolation mode.
Account: ASPNET
  A built-in account for running the Microsoft ASP.NET worker process in IIS 5.0 isolation mode.
Authentication Scenario
Figure: authentication scenario. A Web browser on the Internet reaches IIS 5.0 in the DMZ through a Web proxy and a firewall; IIS talks to SQL Server and Active Directory behind it.
Anonymous Authentication
Figure: anonymous authentication. 1. The Web browser sends GET dbquery.asp HTTP/1.1 through the proxy and firewall to IIS 5.0. 2. IIS connects to SQL Server using SQL authentication. 3. SELECT * FROM table.
- Resource access as the anonymous user (IUSR_<machinename>)
- Process identity: LocalSystem or IWAM_<machinename>
- Anonymous user is completely configurable
- Process identity is configurable through COM+

You have to trade security against performance.
Basic Authentication
Figure: Basic authentication. 1. GET dbquery.asp HTTP/1.1. 2. 401 Unauthorized, WWW-Authenticate: Basic realm="spoon". 3. Authorization: Basic <Base64-encoded user:password>. 4-5. IIS calls LogonUser("user1", "pw") against Active Directory (Windows authentication). 6. IIS queries SQL Server.
- Process identity: IWAM or LocalSystem
- Resource access as the authenticated user
- Pros
  - Least common denominator: all HTTP clients support Basic auth
  - Supports one-hop delegation
- Cons
  - Clear-text password (only Base64 encoded), both over the wire and on the server
  - Needs to be protected via SSL
Digest Authentication
Figure: Digest authentication. 1. GET dbquery.asp HTTP/1.1. 2. 401 Unauthorized, WWW-Authenticate: Digest challenge. 3. Authorization: Digest response. 4-5. IIS calls CheckCredentials("user1", "digesthash") against Active Directory. 6. IIS connects to SQL Server with SQL authentication: SELECT * FROM table WHERE user='user1'.
- Pros
  - No clear-text password over the wire
  - Works through proxies
  - Password is not known to IIS
- Cons
  - Medium security
  - Internet Explorer 5 and higher
  - No delegation
  - Requires Active Directory
  - Password stored in AD with reversible encryption
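The two exchanges above, as an added example that is not part of the slides: what IIS actually receives in a Basic versus a Digest Authorization header for the GET /dbquery.asp request in the figures, and what the server needs in order to check each one. The realm "spoon" is from the Basic slide; the user name, password, nonce and cnonce values are constructed sample data.

```python
# Added example (not from the slides): Basic vs Digest Authorization headers for
# GET /dbquery.asp. Realm "spoon" is from the slide; user, password, nonce and
# cnonce are constructed sample values.
import base64
import hashlib
import hmac
import re

REALM = "spoon"
METHOD, URI = "GET", "/dbquery.asp"


def build_basic(user, password):
    """Client side of Basic auth: the credentials are only Base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization):
    """Server side of Basic auth: anyone who sees the header gets the password."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, password, realm=REALM):
    """HA1 = MD5(user:realm:password). The verifier must hold this value, so the
    password (or this hash of it) has to be recoverable on the server side."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, nonce, nc, cnonce, qop, method, uri):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest(user, password, nonce, cnonce="0a4f113b", nc="00000001"):
    """Client side of Digest auth: proves knowledge of the password without sending it."""
    response = digest_response(digest_ha1(user, password), nonce, nc, cnonce, "auth", METHOD, URI)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{URI}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest(authorization):
    """Split 'key="value", key=token, ...' into a dict (RFC 2617 syntax)."""
    scheme, _, params = authorization.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def verify_digest(authorization, stored_ha1):
    """Server side: recompute the response from the stored HA1 and compare in
    constant time. A server holding only a one-way NT hash cannot do this, which
    is why Digest needs the AD password kept with reversible encryption."""
    p = parse_digest(authorization)
    expected = digest_response(stored_ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], METHOD, p["uri"])
    return hmac.compare_digest(expected, p["response"])


def password_on_wire(authorization, password):
    """True if the password can be read back from the header alone (Basic yes, Digest no)."""
    if authorization.startswith("Basic "):
        return parse_basic(authorization)[1] == password
    return password in authorization


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # constructed server nonce
    basic = build_basic("user1", "pw")
    digest = build_digest("user1", "pw", nonce)
    print("Basic header exposes password:", password_on_wire(basic, "pw"))
    print("Digest header exposes password:", password_on_wire(digest, "pw"))
    print("Digest verifies against stored HA1:", verify_digest(digest, digest_ha1("user1", "pw")))
```

Note that `verify_digest` compares against a stored HA1, never a one-way Windows password hash; that dependency is the concrete reason behind the "reversible encryption" entry in the cons list.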
Windows Integrated Authentication
- Security Support Provider Interface (SSPI)-based
- NTLM or Kerberos
- IIS asks the client which protocol it supports
- Protocol can be enforced through the NTAuthenticationProviders metabase property: Negotiate, NTLM, Kerberos
NTLM Authentication
Figure: NTLM authentication. 1. GET dbquery.asp HTTP/1.1. 2. 401 Unauthorized, WWW-Authenticate: NTLM challenge. 3. Authorization: NTLM response.
NTLM Authentication
1. GET dbquery.asp HTTP/1.1
2. HTTP/1.1 401 Unauthorized
   WWW-Authenticate: NTLM
3. GET dbquery.asp HTTP/1.1
   Authorization: NTLM {…}
   Connection: Keep-Alive
4. HTTP/1.1 401 Access Denied
   WWW-Authenticate: NTLM {…}
   Connection: Keep-Alive
5. GET dbquery.asp HTTP/1.1
   Authorization: NTLM {hashed challenge}
   Connection: Keep-Alive
6. IIS impersonates the security context; SQL login / COM+
7. SELECT * FROM table WHERE user='user1'
NTLM Authentication
- Pros
  - Works out of the box
  - Provides automatic logon, no logon dialog box
- Cons
  - Enterprise only: does not work through proxy servers (keep-alive connection required)
  - No delegation
  - Configured to be compatible with older clients
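The seven-step exchange and the "keep-alive connection required" caveat above, as an added example that is not part of the slides: a minimal model of the NTLM handshake as IIS runs it, showing that the challenge issued in step 4 is remembered per TCP connection, so a proxy that sends step 5 on a fresh connection gets a new 401 instead of a 200. Only the NTLMSSP signature and message-type fields follow the real message layout; the challenge and response bodies are constructed placeholders and no NTLM hashing is performed.

```python
# Added example (not from the slides): the NTLM exchange is bound to one
# keep-alive connection. Only the NTLMSSP signature and message-type fields
# follow the real layout; bodies are constructed placeholders, no hashing.
import base64
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def ntlm_token(msg_type, body=b""):
    """Base64 token placed after 'NTLM ' in WWW-Authenticate / Authorization."""
    return base64.b64encode(SIGNATURE + struct.pack("<I", msg_type) + body).decode("ascii")


def ntlm_type(header_value):
    """Message type (1, 2 or 3) from an 'NTLM <token>' header value."""
    scheme, _, token = header_value.partition(" ")
    raw = base64.b64decode(token)
    if scheme != "NTLM" or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0]


class NtlmServer:
    """Server side: the challenge from step 4 is kept per connection, not per user."""

    def __init__(self):
        self._pending = {}   # connection id -> 8-byte server challenge

    def handle(self, conn_id, authorization=None):
        """One request on connection conn_id; returns (status, WWW-Authenticate value)."""
        if authorization is None:
            return 401, "NTLM"                                          # step 2
        msg_type = ntlm_type(authorization)
        if msg_type == NEGOTIATE:                                       # step 3 received
            self._pending[conn_id] = os.urandom(8)
            return 401, "NTLM " + ntlm_token(CHALLENGE, self._pending[conn_id])   # step 4
        if msg_type == AUTHENTICATE:                                    # step 5 received
            if conn_id not in self._pending:
                # No challenge outstanding on THIS connection: a proxy opened a
                # new one, so the response cannot be matched and auth restarts.
                return 401, "NTLM"
            del self._pending[conn_id]
            return 200, None
        return 400, None


def run_exchange(server, proxy_reopens_connection=False):
    """Client side of steps 1-5; returns the final HTTP status code."""
    conn = "conn-1"
    status, challenge = server.handle(conn)                              # steps 1-2
    assert status == 401 and challenge == "NTLM"
    status, challenge = server.handle(conn, "NTLM " + ntlm_token(NEGOTIATE))   # steps 3-4
    assert status == 401 and ntlm_type(challenge) == CHALLENGE
    if proxy_reopens_connection:
        conn = "conn-2"   # proxy without keep-alive: step 5 arrives on a new connection
    status, _ = server.handle(conn, "NTLM " + ntlm_token(AUTHENTICATE, os.urandom(24)))   # step 5
    return status


if __name__ == "__main__":
    print("direct keep-alive connection:", run_exchange(NtlmServer()))
    print("through a non-keep-alive proxy:", run_exchange(NtlmServer(), proxy_reopens_connection=True))
```

The same connection binding is why NTLM also misbehaves behind load balancers that do not keep a client pinned to one back-end connection.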
Kerberos Authentication
Figure: Kerberos authentication, first part. 1. GET dbquery.asp HTTP/1.1 (browser to IIS 5.0 through proxy and firewall). 2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate, NTLM. 3. The client sends a Kerberos session ticket request to Active Directory.
Kerberos Authentication
Figure: Kerberos authentication, full exchange.
1. GET dbquery.asp HTTP/1.1
2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate, NTLM
3. Kerberos session ticket request (client to Active Directory)
4. Kerberos session ticket response
5. GET dbquery.asp HTTP/1.1 with the ticket; IIS performs NT authentication and impersonates the security context
6. Delegation to the back end (SQL Server)
Kerberos Authentication
- Strong, scalable, fast, supports delegation
- Limited client support: Internet Explorer 5 and Windows 2000
- Issues
  - DC has to be client accessible
  - Service Principal Name: a domain administrator needs to be involved
  - Delegation needs to be enabled, and it is unconstrained (Windows Server 2003 adds constrained delegation)
- Setup: best description in "Designing Secure Web-Based Applications"
Client Certificate Authentication
Figure: SSL handshake between the Web browser and IIS 5.0 (through proxy and firewall).
1. Client Hello
2. Server Hello: certificate, crypto parameters
3. Client response: certificate, crypto parameters
4. Client finish
5. Server finish
Client Certificate Authentication
IIS Mapping
Figure: HTTPS GET dbquery.asp HTTP/1.1. IIS maps the client certificate to a Windows account and calls LogonUser("user1", "pw") against Active Directory (NT authentication), then accesses SQL Server.
Client Certificate Authentication
Active Directory Mapping
Figure: HTTPS GET dbquery.asp HTTP/1.1. 1. The browser presents its certificate. 2. SCHANNEL maps the certificate to an account through Active Directory (UPN mapping or AD mapping). 3. SQL login / COM+: SELECT * FROM table WHERE user='user1'.
Client Certificate Authentication
- Pros
  - Very secure
  - Flexible
  - Integrity, confidentiality
- Cons
  - Higher management costs for PKI
  - Usability
  - Scalability and performance
Authentication Grid
Scheme: Anonymous
  Security: None
  Client support: All
  Scenario: All
Scheme: Basic
  Security: Low
  Limitations / Comments: Clear-text password, use only with SSL
  Client support: All
  Scenario: All
Scheme: Digest
  Security: Medium
  Limitations / Comments: IIS 5 and higher
  Client support: IE 5 and higher in domain infrastructure
  Scenario: All
Scheme: NTLM
  Security: Medium
  Limitations / Comments: Doesn't work over proxies
  Client support: Internet Explorer only
  Scenario: Intranet only, doesn't work with proxies
Scheme: Kerberos
  Security: High
  Limitations / Comments: IIS 5.0 and higher
  Client support: IE 5 on Windows 2000 or XP in domain infrastructure
  Scenario: Intranet only, DC needs to be accessible by the client
Scheme: IIS Client Cert Mapping
  Security: High
  Limitations / Comments: PKI management makes client certs expensive, IIS 5.0 and higher
  Client support: All newer browsers
  Scenario: All
Scheme: AD Client Cert Mapping
  Security: Very High
  Limitations / Comments: PKI management makes client certs expensive, IIS 5.0 and higher
  Client support: All newer browsers
  Scenario: All
Access Control Flow
1. Is the IP address permitted?
2. Is the user permitted?
   - Valid credentials
   - Account restrictions: time, lockout, password expired, privileges
3. Does IIS allow access?
4. Does NTFS allow access?
IIS Pass-Through Authentication
How Microsoft Passport Works
1. The client requests a page from the host
2. The site redirects the client to Passport.com
3. The client logs on to Passport.com
4. Passport returns a cookie with ticket information
5. The client accesses the host with ticket information
6. The host returns a Web form and possibly a new cookie that it can read and write
Figure: the three parties are the client, the site (Website.msft) and Passport.com.
Configuration Files and the .NET Framework
The Web server has a Web.config file for ASP.NET Web application settings. Each ASP.NET Web application also has its own Web.config file.
Within the Web.config file, you can control access to individual pages or the entire Web site:

    <location path="ShoppingCart.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
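How ASP.NET evaluates a rule such as the `<deny users="?" />` above, as an added example that is not part of the slides and not the framework's own code: rules from the most specific `<location>` are checked before inherited ones, the first matching `<allow>` or `<deny>` wins, `users="?"` means the anonymous user and `users="*"` means everyone. The Web.config text is constructed sample data built around the slide's ShoppingCart.aspx rule; the Admin location and the Administrators role are assumptions.

```python
# Added example (not from the slides): evaluate ASP.NET <authorization> rules for
# a request. The Web.config below is constructed sample data around the slide's
# ShoppingCart.aspx rule; the Admin location and role name are assumptions.
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="ShoppingCart.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _rules(node):
    """[(tag, attributes), ...] from node/system.web/authorization, in file order."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(rule.tag, dict(rule.attrib)) for rule in auth if rule.tag in ("allow", "deny")]


def load_rules(xml_text):
    """Map each scope ('' for the site root, otherwise the <location path>) to its rules."""
    root = ET.fromstring(xml_text)
    scoped = {"": _rules(root)}
    for loc in root.findall("location"):
        scoped[loc.get("path", "").strip("/").lower()] = _rules(loc)
    return scoped


def _split(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def _matches(attrib, user, roles, verb):
    """Does one allow/deny element apply to this user, role set and HTTP verb?"""
    if "verbs" in attrib and verb.upper() not in [v.upper() for v in _split(attrib["verbs"])]:
        return False
    users = _split(attrib.get("users", ""))
    if "*" in users:                       # everyone, anonymous included
        return True
    if "?" in users and user is None:      # anonymous only
        return True
    if user is not None and user.lower() in [u.lower() for u in users]:
        return True
    return any(role in roles for role in _split(attrib.get("roles", "")))


def is_authorized(scoped, path, user, roles=(), verb="GET"):
    """user=None models an anonymous request; first matching rule decides."""
    parts = path.strip("/").lower().split("/")
    # most specific scope first: full path, each parent directory, then the root
    scopes = ["/".join(parts[:i]) for i in range(len(parts), 0, -1)] + [""]
    for scope in scopes:
        for tag, attrib in scoped.get(scope, []):
            if _matches(attrib, user, roles, verb):
                return tag == "allow"
    return True   # nothing matched: the machine-level default is <allow users="*" />


if __name__ == "__main__":
    rules = load_rules(SAMPLE_WEB_CONFIG)
    for who in (None, "user1"):
        print("ShoppingCart.aspx", who or "anonymous", is_authorized(rules, "/ShoppingCart.aspx", who))
    print("Admin/Users.aspx user1 without role", is_authorized(rules, "/Admin/Users.aspx", "user1"))
```

The ordering rule is the security-relevant part: a `<deny users="*" />` placed before an `<allow>` in the same section blocks everyone, so put the narrow allows first and the catch-all deny last, as the Admin location does here.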
Best Practices
- Use Run As...; never log on as an Administrator
- Disable NetBIOS
- Do not put Web files on the system drive (C:)
- Use the highest level of authentication you can, based on the clients used
- Always encrypt sensitive information using SSL or IPSec
- Always use SSL when using Basic authentication
- Do not issue a request for a certificate on a production server
- Never leave certificates on the server
- Use the Automatic Updates feature
- Use URLScan
- Do not install the Resource Kit on a production server