Internet Information Server 6.0
Overview
What’s New in IIS 6.0?
Built-in Accounts and IIS 6.0
IIS Pass-Through Authentication
Securing Web Traffic
How Microsoft Passport Works
Configuration Files and the .NET Framework
Lab: Securing Web Application Sites in IIS 6.0
Lab Discussion
Best Practices
IIS 6 Architecture
[Diagram: IIS 6.0 request path. Kernel mode: HTTP.SYS. User mode: the Web Admin Service, and worker processes that host the W3 core and the web application.]
Choosing an Isolation Mode

IIS 5.0 isolation mode
  Applications:  run inside Inetinfo.exe; out-of-process applications run in separate DLL hosts
  Compatibility: ensures compatibility for most existing applications
  Isolation:     prevents one application or site from stopping another

Worker process isolation mode
  Applications:  run in an isolated environment
  Compatibility: applications must be written to run as multiple instances
  Isolation:     allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process
What’s New in IIS 6.0?
[Table: authentication method availability by version. Columns: IIS 4.0 | IIS 5.0 | IIS 6.0. Rows: Anonymous; Basic (clear text); Windows NT Challenge/Response; Integrated; Digest; .NET Passport. Cell values: Not available / Available as a separate install / Fully integrated. Only the .NET Passport row is legible in the extraction: not available in IIS 4.0, available as a separate install for IIS 5.0, fully integrated in IIS 6.0.]
Built-in Accounts and IIS 6.0

Account            Description
LocalSystem        Built-in account with a high level of access rights. Avoid assigning LocalSystem as an application pool identity.
Network Service    Built-in account with low privileges. Interacts throughout the network with the computer account. The default application pool identity (recommended).
Local Service      Built-in account with the lowest privileges. Connects anonymously over the network. Use for local Web applications only.
IIS_WPG            IIS group account; application pool identity accounts must be a member of this group.
IUSR_computername  IIS account for anonymous IIS access.
IWAM_computername  IIS account for starting out-of-process applications in IIS 5.0 isolation mode.
ASPNET             Built-in account for running the Microsoft ASP.NET worker process in IIS 5.0 isolation mode.
Authentication Scenario
[Diagram: the topology reused by the following scenarios. Web Browser on the Internet, Web Proxy, Firewall, IIS 5.0 in the DMZ, SQL Server, Active Directory.]
Anonymous Authentication
[Diagram, same topology:
 1) Web Browser -> IIS 5.0: GET dbquery.asp HTTP/1.1
 2) IIS -> SQL Server: SQL authentication
 3) SELECT * FROM table]
- Resource access as the anonymous user (IUSR_<machinename>)
- Process identity: LocalSystem or IWAM_<machinename>
- The anonymous user account is completely configurable
- The process identity is configurable through COM+
- You have to trade security against performance
Basic Authentication
[Diagram, same topology:
 1) Web Browser -> IIS 5.0: GET dbquery.asp HTTP/1.1
 2) IIS -> Browser: 401 Unauthorized, WWW-Authenticate: Basic realm="spoon"
 3) Browser -> IIS: Authorization: Basic <Base64-encoded user:password>
 4-5) IIS -> Active Directory: LogonUser("user1", "pw") (Windows authentication) and its result
 6) IIS -> SQL Server: query as the authenticated user]
- Process identity: IWAM or LocalSystem
- Resource access as the authenticated user
Pros
- Least common denominator: all HTTP clients support Basic authentication
- Supports one-hop delegation (IIS holds the user's password, so it can log on to back-end resources as that user)
Cons
- Clear-text password (only Base64 encoded), both over the wire and on the server
- Needs to be protected with SSL
Digest Authentication
[Diagram, same topology:
 1) Web Browser -> IIS 5.0: GET dbquery.asp HTTP/1.1
 2) IIS -> Browser: 401 Unauthorized, WWW-Authenticate: Digest <challenge>
 3) Browser -> IIS: Authorization: Digest <response>
 4-5) IIS -> Active Directory: CheckCredentials("user1", "digesthash") and its result
 6) IIS -> SQL Server: SQL authentication, SELECT * FROM table WHERE user='user1']
Pros
- No clear-text password over the wire
- Works through proxies
- Password is not known to IIS
Cons
- Medium security
- Internet Explorer 5 and higher only
- No delegation
- Requires Active Directory
- Password stored in AD with reversible encryption
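The Basic and Digest exchanges above, worked through in Python as an added example (not code from the slides): Basic is shown by building the Authorization header and then trivially decoding it back to the password, Digest by computing the RFC 2617 response with qop=auth on the client and verifying it on the server from a stored H(A1) alone, which is why the password is never known to the verifier. The realm "spoon" and the dbquery.asp request come from the slides; the nonce, client nonce and user store are constructed for the example, and the verification is a generic RFC 2617 check, not IIS's own implementation.

```python
import base64
import hashlib
import re
import secrets

# Constructed server challenge for the example (realm from the slide, nonce invented).
CHALLENGE = 'Digest realm="spoon", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"'


# --- Basic: Base64 is an encoding, not encryption -------------------------
def encode_basic(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    return f"Basic {token}"


def decode_basic(header_value):
    """What anyone on the wire, or reading a proxy log, can recover."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


# --- Digest (RFC 2617, qop=auth): only a hash crosses the wire ------------
def parse_auth_params(header_value, scheme):
    """Split 'Digest k="v", k2=v2' into a dict; values may be quoted or bare."""
    got_scheme, _, params = header_value.partition(" ")
    if got_scheme != scheme:
        raise ValueError(f"expected {scheme}, got {got_scheme}")
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """H(A1): the only secret the verifier needs; it never sees the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(user, password, challenge, method, uri,
                         nc="00000001", cnonce=None):
    """Client side: answer the server's challenge (step 3 on the slide)."""
    chal = parse_auth_params(challenge, "Digest")
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = digest_ha1(user, chal["realm"], password)
    resp = digest_response(ha1, method, uri, chal["nonce"], nc, cnonce, chal["qop"])
    return (f'Digest username="{user}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{uri}", qop={chal["qop"]}, '
            f'nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verify(authorization, method, ha1_store, issued_nonces):
    """Server side (steps 4-5 on the slide: check the digest hash).

    ha1_store maps username -> H(A1); issued_nonces is the set of nonces this
    server handed out, so a replayed or forged nonce is rejected outright.
    """
    p = parse_auth_params(authorization, "Digest")
    if p.get("nonce") not in issued_nonces or p.get("username") not in ha1_store:
        return False
    expected = digest_response(ha1_store[p["username"]], method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return secrets.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    hdr = encode_basic("user1", "pw")
    print(hdr, "->", decode_basic(hdr))          # the password is right there
    auth = client_authorization("user1", "pw", CHALLENGE, "GET", "/dbquery.asp")
    store = {"user1": digest_ha1("user1", "spoon", "pw")}
    nonces = {parse_auth_params(CHALLENGE, "Digest")["nonce"]}
    print(auth)
    print("verified:", server_verify(auth, "GET", store, nonces))
```

Note what the server stores: H(A1) is bound to the realm, so the same user needs a fresh H(A1) per realm, and whoever steals the store can impersonate the user against that realm without cracking anything. That is the trade the slide calls "medium security", and it is also why the Windows implementation needs the password (or a digest of it) available on the DC.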
Windows Integrated Authentication
- Security Support Provider Interface (SSPI) based
- NTLM or Kerberos
- IIS offers the client the protocols it supports and the client picks one
- The protocol can be enforced through the NTAuthenticationProviders metabase property: Negotiate (lets the client choose Kerberos or NTLM), NTLM (NTLM only); Kerberos is only reached through Negotiate
NTLM Authentication
[Diagram, same topology; the numbered exchange:]
 1. GET dbquery.asp HTTP/1.1
 2. HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM
 3. GET dbquery.asp HTTP/1.1
    Authorization: NTLM {…}
    Connection: Keep-Alive
 4. HTTP/1.1 401 Access Denied
    WWW-Authenticate: NTLM {…}
    Connection: Keep-Alive
 5. GET dbquery.asp HTTP/1.1
    Authorization: NTLM {hashed challenge}
    Connection: Keep-Alive
    IIS impersonates the resulting security context
 6. SQL login / COM+ as the impersonated user
 7. SELECT * FROM table WHERE user='user1'
Pros
- Works out of the box
- Provides automatic logon; no logon dialog box
Cons
- Enterprise only: does not work through proxy servers (a keep-alive connection is required, because the handshake state is bound to the TCP connection)
- No delegation
- Configured to be compatible with older clients
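What the {…} tokens in steps 3 to 5 actually carry, as an added example in Python (not code from the slides): minimal NEGOTIATE (type 1), CHALLENGE (type 2) and AUTHENTICATE (type 3) messages laid out per MS-NLMP, and a parser that pulls the negotiate flags, the 8-byte server challenge, the target name and the user name back out of the Base64 header values. The domain CORP, the workstation WS01, the challenge bytes and the 24-byte NT response are invented; the builders omit the optional Version and MIC fields, so they are not byte-for-byte what a real client emits, but the fixed offsets and the length/offset payload descriptors the parser reads are the ones a real capture uses, which is how a pentester reads the internal domain name off an Internet-facing NTLM endpoint.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

# A few NegotiateFlags from MS-NLMP worth reading off a capture.
FLAGS = {
    0x00000001: "UNICODE",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x20000000: "128-bit",
    0x80000000: "56-bit",
}


def _fields(data, offset):
    """Len / MaxLen / BufferOffset descriptor that points into the payload."""
    return struct.pack("<HHI", len(data), len(data), offset)


# --- constructed messages (example only; no Version/MIC fields) -----------
def build_negotiate(flags):
    # type 1: signature, type, flags, DomainNameFields, WorkstationFields; payload at 32
    return (SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", flags)
            + _fields(b"", 32) + _fields(b"", 32))


def build_challenge(server_challenge, target_name, flags):
    # type 2: TargetNameFields at 12, flags at 20, challenge at 24, reserved 32,
    # TargetInfoFields at 40; payload at 48
    name = target_name.encode("utf-16-le")
    return (SIGNATURE + struct.pack("<I", 2) + _fields(name, 48) + struct.pack("<I", flags)
            + server_challenge + b"\x00" * 8 + _fields(b"", 48) + name)


def build_authenticate(domain, user, workstation, nt_response, flags):
    # type 3: six descriptors (Lm, Nt, Domain, User, Workstation, SessionKey) from 12,
    # flags at 60, payload at 64
    parts = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]
    hdr, payload = SIGNATURE + struct.pack("<I", 3), b""
    for p in parts:
        hdr += _fields(p, 64 + len(payload))
        payload += p
    return hdr + struct.pack("<I", flags) + payload


# --- parser: what you get from 'Authorization: NTLM <token>' --------------
def parse_ntlm_token(token_b64):
    msg = base64.b64decode(token_b64)
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": mtype}

    def payload(off):
        ln, _, o = struct.unpack_from("<HHI", msg, off)
        return msg[o:o + ln]

    if mtype == 1:
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif mtype == 2:
        info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["server_challenge"] = msg[24:32]           # the value the client "hashes" in step 5
        info["target_name"] = payload(12).decode("utf-16-le")  # leaks the domain/server name
    elif mtype == 3:
        info["nt_response"] = payload(20)
        info["domain"] = payload(28).decode("utf-16-le")
        info["user"] = payload(36).decode("utf-16-le")
        info["workstation"] = payload(44).decode("utf-16-le")
        info["flags"] = struct.unpack_from("<I", msg, 60)[0]
    else:
        raise ValueError(f"unknown NTLM message type {mtype}")
    info["flag_names"] = [n for bit, n in FLAGS.items() if info["flags"] & bit]
    return info


def walk_exchange(http_headers):
    """(direction, header value) pairs from the 5-step exchange -> parsed NTLM legs.
    The bare 'WWW-Authenticate: NTLM' of step 2 carries no token and is skipped."""
    legs = []
    for direction, value in http_headers:
        scheme, _, token = value.partition(" ")
        if scheme == "NTLM" and token:
            legs.append((direction, parse_ntlm_token(token)))
    return legs


NEG_FLAGS = 0x00000001 | 0x00000200 | 0x00008000 | 0x00080000
# Constructed sample exchange, in slide order (steps 2 to 5).
EXCHANGE = [
    ("S", "NTLM"),
    ("C", "NTLM " + base64.b64encode(build_negotiate(NEG_FLAGS)).decode()),
    ("S", "NTLM " + base64.b64encode(build_challenge(bytes(range(8)), "CORP",
                                                     NEG_FLAGS | 0x00010000)).decode()),
    ("C", "NTLM " + base64.b64encode(build_authenticate("CORP", "user1", "WS01",
                                                        b"\xab" * 24, NEG_FLAGS)).decode()),
]

if __name__ == "__main__":
    for direction, leg in walk_exchange(EXCHANGE):
        print(direction, leg)
```

Because the server challenge and the client's response to it are both visible on the wire, anyone who can see an NTLM exchange over plain HTTP can crack the password offline; that is the other reason the slide limits NTLM to the intranet, beyond the proxy problem.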
Kerberos Authentication
[Diagram, same topology; the numbered exchange:]
 1. GET dbquery.asp HTTP/1.1
 2. HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
 3. Web Browser -> Active Directory (KDC): Kerberos session ticket request for the IIS service
 4. Active Directory -> Web Browser: Kerberos session ticket response
 5. GET dbquery.asp HTTP/1.1 with the ticket in the Authorization header; IIS impersonates the security context
 6. Delegation: IIS presents the user's identity to SQL Server
- Strong, scalable, fast, supports delegation
- Limited client support: Internet Explorer 5 on Windows 2000
Issues
- The DC has to be accessible to the client
- A Service Principal Name must be registered for the service, so the domain administrator needs to be involved
- Delegation needs to be enabled, and on Windows 2000 it is unconstrained: the IIS account can use the forwarded ticket against any service. Windows Server 2003 adds constrained delegation, which limits it to listed services.
Setup
- Best description in "Designing Secure Web-Based Applications for Microsoft Windows 2000"
Client Certificate Authentication
[Diagram: SSL handshake between Web Browser and IIS 5.0:
 1) Client Hello
 2) Server Hello: server certificate, crypto parameters
 3) Client response: client certificate, crypto parameters
 4) Client finish
 5) Server finish]
IIS mapping
[Diagram: HTTPS GET dbquery.asp HTTP/1.1; IIS maps the certificate to a stored account and password and calls LogonUser("user1", "pw"); NT authentication against Active Directory; then the back-end query.]
Active Directory mapping
[Diagram: HTTPS GET dbquery.asp HTTP/1.1; SCHANNEL performs UPN mapping or AD mapping of the certificate to the user; SQL login / COM+, then SELECT * FROM table WHERE user='user1'.]
Pros
- Very secure
- Flexible
- Integrity and confidentiality
Cons
- Higher management costs for the PKI
- Usability
- Scalability and performance
Authentication Grid

Scheme | Security | Limitations / Comments | Client Support | Scenario
Anonymous | None | - | All | All
Basic | Low | Clear-text password; use only with SSL | All | All
Digest | Medium | IIS 5 and higher | IE5 and higher in a domain infrastructure | All
NTLM | Medium | Doesn't work over proxies | Internet Explorer only | Intranet only; doesn't work with proxies
Kerberos | High | IIS 5.0 and higher | IE 5 on Windows 2000 or XP in a domain infrastructure | Intranet only; the DC needs to be accessible by the client
IIS client cert mapping | High | PKI management makes client certs expensive; IIS 5.0 and higher | All newer browsers | All
AD client cert mapping | Very High | PKI management makes client certs expensive; IIS 5.0 and higher | All newer browsers | All
Access Control Flow
1. Is the IP address permitted?
2. Is the user permitted?
   - Valid credentials
   - Account restrictions: logon time, lockout, password expired, privileges
3. Does IIS allow access?
4. Does NTFS allow access?
IIS Pass-Through Authentication
How Microsoft Passport Works
1. The client requests a page from the host
2. The site redirects the client to Passport.com
3. The client logs on to Passport.com
4. Passport returns a cookie with ticket information
5. The client accesses the host with the ticket information
6. The host returns a Web form and possibly a new cookie that it can read and write
[Diagram: Client, Website.msft and Passport.com, with the redirect, logon and ticket flows numbered 1-3]
Configuration Files and the .NET Framework
- The Web server has a root Web.config file for ASP.NET Web application settings
- Each ASP.NET Web application also has its own Web.config file
- Within Web.config you can control access to individual pages or to the entire Web site. Rules are evaluated in order and the first match wins, so a catch-all allow placed before a deny silently disables the deny. users="?" means anonymous users, users="*" means everyone:

<location path="ShoppingCart.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
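An added example in Python (not code from the slides or from ASP.NET itself) that loads a constructed Web.config containing the ShoppingCart.aspx rule above plus a role-restricted Admin folder, and evaluates URL authorization the way ASP.NET's UrlAuthorizationModule does: rules from the most specific <location> are checked first, the first matching allow or deny decides, and a request nothing matches is allowed (the machine-level default is <allow users="*"/>). The Admin folder, the Administrators role and the user names are assumptions; verbs are ignored. MISORDERED is the same file with the catch-all allow placed ahead of the deny, which is the weak configuration the text warns about.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config for the example.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="ShoppingCart.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

# Same intent, wrong order: the catch-all allow precedes the deny, so the
# deny is never reached and anonymous users get the shopping cart.
MISORDERED = WEB_CONFIG.replace(
    '<deny users="?" />',
    '<allow users="*" />\n        <deny users="?" />')


def _authorization_element(parent):
    """Find <system.web><authorization> directly under a config or location element."""
    for sw in parent:
        if sw.tag == "system.web":
            for child in sw:
                if child.tag == "authorization":
                    return child
    return None


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def load_rules(config_xml):
    """Return [(location_path, [(action, users, roles), ...])], most specific first."""
    root = ET.fromstring(config_xml)
    sections = []
    for el in [root] + root.findall("location"):
        auth = _authorization_element(el)
        if auth is None:
            continue
        rules = [(r.tag, _split(r.get("users", "")), _split(r.get("roles", "")))
                 for r in auth if r.tag in ("allow", "deny")]
        sections.append((el.get("path", "").strip("/").lower(), rules))
    # Location-specific rules are evaluated before the parent's; the root ("") goes last.
    sections.sort(key=lambda s: -len(s[0]))
    return sections


def _matches(rule, user, user_roles):
    _, users, roles = rule
    if "*" in users:                      # everyone, authenticated or not
        return True
    if user is None:                      # anonymous request
        return "?" in users
    if user.lower() in (u.lower() for u in users):
        return True
    return any(r.lower() in (x.lower() for x in user_roles) for r in roles)


def is_authorized(sections, request_path, user=None, user_roles=()):
    """First matching rule wins; no match at all means allowed."""
    path = request_path.strip("/").lower()
    for loc, rules in sections:
        if loc and path != loc and not path.startswith(loc + "/"):
            continue
        for rule in rules:
            if _matches(rule, user, user_roles):
                return rule[0] == "allow"
    return True


if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    print("anonymous -> /ShoppingCart.aspx:", is_authorized(rules, "/ShoppingCart.aspx"))
    print("user1     -> /ShoppingCart.aspx:", is_authorized(rules, "/ShoppingCart.aspx", "user1"))
    print("user1     -> /Admin/users.aspx: ", is_authorized(rules, "/Admin/users.aspx", "user1", ["Users"]))
    print("misordered, anonymous -> cart:  ", is_authorized(load_rules(MISORDERED), "/ShoppingCart.aspx"))
```

URL authorization only covers requests that ASP.NET handles: in IIS 5.0 and IIS 6.0 a static file or a .asp page is never mapped to the ASP.NET ISAPI filter, so a <location> rule does not protect it. That is the reason the Access Control Flow slide still ends with IIS permissions and NTFS ACLs.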
Best Practices
- Use Run As...; never log on interactively as an Administrator
- Disable NetBIOS
- Do not put Web files on C:
- Use the highest level of authentication you can, based on the clients used
- Always encrypt sensitive information using SSL or IPSec
- Always use SSL when using Basic authentication
- Do not issue a request for a certificate on a production server
- Never leave certificates on the server
- Use the Auto Update feature
- Use URLScan
- Do not install the Resource Kit on a production server