Internet Information Server 6.0

Internet Information Server 6.0. Overview What’s New in IIS 6.0? Built-in Accounts and IIS 6.0 IIS Pass-Through Authentication Securing Web Traffic


Page 1: Internet Information Server 6.0

Page 2: Overview
What's New in IIS 6.0?
Built-in Accounts and IIS 6.0
IIS Pass-Through Authentication
Securing Web Traffic
How Microsoft Passport Works
Configuration file and the .NET Framework
Lab: Securing Web Application Sites in IIS 6.0
Lab Discussion
Best Practices

Page 3: IIS 6 Architecture
Diagram of the IIS 6 architecture: HTTP.SYS runs in kernel mode; in user mode run the Web Admin Service and the worker process, which contains the W3 core and the web app.

Page 4: Choosing an Isolation Mode
IIS 5.0 Isolation Mode
  Applications: Run inside Inetinfo.exe; out-of-process applications run in separate DLL hosts
  Compatibility: Ensures compatibility for most existing applications
  Isolation: Prevents one application or site from stopping another
Worker Process Isolation Mode
  Applications: Run in an isolated environment
  Compatibility: Applications must be written to run as multiple instances
  Isolation: Allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process

Page 5: What's New in IIS 6.0?
Authentication support by version (IIS 4.0 / IIS 5.0 / IIS 6.0):
  Anonymous
  Basic (clear text)
  Windows NT Challenge / Response
  Integrated
  Digest
  .NET Passport: Not available (IIS 4.0); Available as a separate install (IIS 5.0); Fully integrated (IIS 6.0)

Page 6: Built-in Accounts and IIS 6.0
Account: Description
LocalSystem: A built-in account that has a high level of access rights. Avoid assigning LocalSystem as an application pool identity.
Network Service: A built-in IIS account with low privileges. Interacts throughout the network with the computer account. The default application pool identity (recommended).
Local Service: A built-in IIS account with the lowest privileges. Connects anonymously over the network. Use for local Web applications only.
IIS_WPG: An IIS group account; application pool identity accounts must be a member of this group.
IUSR_computername: An IIS account for anonymous IIS access.
IWAM_computername: An IIS account for starting out-of-process applications in IIS 5.0 isolation mode.
ASPNET: A built-in account for running the Microsoft ASP.NET worker process in IIS 5.0 isolation mode.
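An added example (not from the slide deck) that turns the account guidance above into an offline audit of application pool identities. It assumes, from my recollection of the IIS 6 metabase schema rather than from the slides, that MetaBase.xml holds one IIsApplicationPool element per pool and that AppPoolIdentityType uses 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = SpecificUser (named in WAMUserName); the metabase fragment is constructed and simplified (no namespace).

```python
"""Audit IIS 6 application pool identities from a MetaBase.xml fragment."""
import xml.etree.ElementTree as ET

# Numeric identity types as I recall them from the IIS 6 metabase schema
# (assumption, not stated on the slide).
IDENTITY_TYPES = {"0": "LocalSystem", "1": "LocalService",
                  "2": "NetworkService", "3": "SpecificUser"}

# Constructed sample fragment, not a real server's metabase.
SAMPLE_METABASE = """<configuration>
<MBProperty>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"
    AppPoolIdentityType="2" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool"
    AppPoolIdentityType="0" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/PayrollPool"
    AppPoolIdentityType="3" WAMUserName="CORP\\svc_payroll" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LocalOnlyPool"
    AppPoolIdentityType="1" />
</MBProperty>
</configuration>"""


def audit_app_pools(metabase_xml):
    """Return {pool_name: (identity, finding)} for every application pool.

    Findings follow the slide's guidance: LocalSystem should never be a
    pool identity, NetworkService is the recommended default, LocalService
    suits local-only applications, and a specific user must be a member of
    IIS_WPG (group membership is not in the metabase, so it is flagged for
    a manual check).
    """
    root = ET.fromstring(metabase_xml)
    results = {}
    for pool in root.iter("IIsApplicationPool"):
        name = pool.get("Location", "").rsplit("/", 1)[-1]
        ident = IDENTITY_TYPES.get(pool.get("AppPoolIdentityType"), "Unknown")
        if ident == "SpecificUser":
            ident = pool.get("WAMUserName", "SpecificUser")
            finding = "CHECK: custom identity must be a member of IIS_WPG"
        elif ident == "LocalSystem":
            finding = "FAIL: LocalSystem has a high level of access rights"
        elif ident == "NetworkService":
            finding = "OK: recommended default identity"
        elif ident == "LocalService":
            finding = "OK: lowest privileges, local Web applications only"
        else:
            finding = "CHECK: unrecognised AppPoolIdentityType"
        results[name] = (ident, finding)
    return results


if __name__ == "__main__":
    for name, (ident, finding) in audit_app_pools(SAMPLE_METABASE).items():
        print(f"{name:16} {ident:22} {finding}")
```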

Page 7: Authentication Scenario
Diagram of the authentication scenario, spanning an Internet zone and a DMZ: Web Browser, Web Proxy, Firewall, IIS 5.0, SQL Server, Active Directory.

Page 8: Anonymous Authentication
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. GET dbquery.asp HTTP/1.1
  3. SQL authentication: SELECT * FROM table

Page 9: Anonymous Authentication
Resource access as the anonymous user (IUSR_<machinename>)
Process identity: LocalSystem or IWAM_<machinename>
The anonymous user is completely configurable
The process identity is configurable through COM+
Security has to be traded off against performance

Page 10: Basic Authentication
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. GET dbquery.asp HTTP/1.1
  2. 401 Unauthorized, WWW-Authenticate: Basic realm="spoon"
  3. Authorization: "Basic" Base64-encoded user/pw
  5. LogonUser("user1", "pw")
  6. Windows authentication

Page 11: Basic Authentication
Process identity: IWAM or LocalSystem
Resource access as the authenticated user
Pros:
  Least common denominator: all HTTP clients support basic auth
  Supports one-hop delegation
Cons:
  Clear text password (Base64 encoded), over the wire and on the server
  Needs to be protected via SSL

Page 12: Digest Authentication
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. GET dbquery.asp HTTP/1.1
  2. 401 Unauthorized, WWW-Authenticate: "Digest" challenge
  3. Authorization: "Digest" response
  5. CheckCredentials("user1", "digesthash")
  6. SQL authentication: SELECT * FROM table WHERE user='user1'

Page 13: Digest Authentication
Pros:
  No clear text password over the wire
  Works through proxies
  Password is not known to IIS
Cons:
  Medium secure
  Internet Explorer 5 and higher
  No delegation
  Requires Active Directory: password in AD (reversible encryption)
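An added example (not from the slide deck) that builds the Basic and Digest exchanges drawn on the two diagrams above and shows the difference the pros/cons slides describe: a Basic Authorization header decodes straight back to the password, while a Digest header only carries an MD5 response (RFC 2617, qop=auth) that the server verifies against a stored hash ("digesthash" on the slide) without ever seeing the password. The realm is the slide's "spoon"; user name, password, nonce and cnonce are constructed sample values.

```python
"""Basic versus Digest challenge/response, as exchanged with IIS."""
import base64
import hashlib

REALM = "spoon"                      # realm shown on the Basic slide
NONCE = "dcd98b7102dd2f0e8b11d0f6"   # constructed sample server nonce
CNONCE, NC = "0a4f113b", "00000001"  # constructed client nonce / count


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_challenge():
    return {"status": "401 Unauthorized",
            "WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_authorization(user, password):
    """Client step 3 on the Basic slide: Base64 of user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header):
    """Anyone who sees the header (on the wire, in a log) gets the password."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def digest_challenge():
    return {"status": "401 Unauthorized",
            "WWW-Authenticate": f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"'}


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest with qop=auth; HA1 = MD5(user:realm:password)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_authorization(user, password, method, uri):
    """Client step 3 on the Digest slide: the password itself never leaves."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    resp = digest_response(ha1, method, uri, NONCE, NC, CNONCE)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", qop=auth, nc={NC}, cnonce="{CNONCE}", response="{resp}"')


def digest_verify(header, method, stored_ha1):
    """Server side: recompute from the stored HA1 (the slide's 'digesthash');
    this is why the directory must hold a recoverable password or HA1."""
    pairs = (kv.strip().split("=", 1) for kv in header[len("Digest "):].split(","))
    f = {k: v.strip('"') for k, v in pairs}
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return expected == f["response"]
```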

Page 14: Windows Integrated Authentication
Security Support Provider (SSPI)-based: NTLM or Kerberos
IIS asks the client what protocol it supports
The protocol can be enforced through NTAuthenticationProviders: Negotiate, NTLM, Kerberos

Page 15: NTLM Authentication
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. GET dbquery.asp HTTP/1.1
  2. 401 Unauthorized, WWW-Authenticate: "NTLM" challenge
  3. Authorization: "NTLM" response

Page 16: NTLM Authentication
Diagram (Web Browser, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. GET dbquery.asp HTTP/1.1
  2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: NTLM
  3. HTTP GET dbquery.asp HTTP/1.1, Authorization: NTLM {…}, Connection: Keep-Alive
  4. HTTP/1.1 401 Access Denied, WWW-Authenticate: NTLM {…}, Connection: Keep-Alive
  5. HTTP GET dbquery.asp HTTP/1.1, Authorization: NTLM {hashed challenge}, Connection: Keep-Alive
  6. ImpersonateSecurityContext
  7. SQL Login / COM+: SELECT * FROM table WHERE user='user1'

Page 17: NTLM Authentication
Pros:
  Works out of the box
  Provides automatic logon, no logon dialog box
Cons:
  Enterprise only: does not work through proxy servers (keep-alive connection required)
  No delegation
  Configured to be compatible with older clients
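An added example (not from the slide deck) that simulates the seven-step NTLM exchange above to show why the keep-alive connection is required: IIS keeps the half-finished handshake (steps 3 and 4) and the resulting security context (step 6) on the TCP connection, so a proxy that opens a new upstream connection per request fails at step 5. The "type1"/"type3" tokens and connection ids are constructed placeholders, not real NTLM messages.

```python
"""Why NTLM over HTTP needs a keep-alive connection (simulation)."""
import secrets


class NtlmServer:
    def __init__(self):
        self.pending = {}            # connection id -> challenge issued on it
        self.authenticated = set()   # connections holding an impersonated context

    def handle(self, conn_id, authorization=None):
        """Return (status, WWW-Authenticate) for one request on conn_id."""
        if conn_id in self.authenticated:
            return 200, None                           # step 7: run the page
        if authorization is None:
            return 401, "NTLM"                         # step 2: offer NTLM
        token = authorization.split(" ", 1)[1]
        if token == "type1":                           # step 3: negotiate message
            challenge = secrets.token_hex(4)
            self.pending[conn_id] = challenge          # state lives on this connection
            return 401, f"NTLM challenge={challenge}"  # step 4: challenge message
        if token.startswith("type3:"):                 # step 5: hashed challenge
            expected = self.pending.pop(conn_id, None)
            if expected is None or token != f"type3:{expected}":
                return 401, "NTLM"                     # no challenge on this connection
            self.authenticated.add(conn_id)            # step 6: ImpersonateSecurityContext
            return 200, None
        return 400, None


def client_exchange(server, conn_ids):
    """Send legs 1, 3 and 5 on the connections listed in conn_ids and
    return the final status (200 = authenticated, 401 = failed)."""
    server.handle(conn_ids[0])                                          # step 1
    _, www_auth = server.handle(conn_ids[1], "NTLM type1")              # step 3
    challenge = www_auth.split("challenge=")[1] if "challenge=" in www_auth else ""
    status, _ = server.handle(conn_ids[2], f"NTLM type3:{challenge}")   # step 5
    return status


def with_keep_alive():
    """Browser talks to IIS directly and reuses one connection."""
    return client_exchange(NtlmServer(), ["conn-1", "conn-1", "conn-1"])


def through_non_keepalive_proxy():
    """Proxy opens a fresh upstream connection for every request."""
    return client_exchange(NtlmServer(), ["conn-1", "conn-2", "conn-3"])
```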

Page 18: Kerberos Authentication
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. HTTP GET dbquery.asp HTTP/1.1
  2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate, Kerberos
  3. Kerberos Session Ticket Request

Page 19: Kerberos Authentication
Diagram (Web Browser, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. HTTP GET dbquery.asp HTTP/1.1
  2. HTTP/1.1 401 Unauthorized, WWW-Authenticate: Negotiate, NTLM
  3. Kerberos Session Ticket Request
  4. Kerberos Session Ticket Response
  5. HTTP GET dbquery.asp HTTP/1.1
  6. ImpersonateSecurityContext, NT Authentication, Delegation

Page 20: Kerberos Authentication
Strong, scalable, fast, supports delegation
Limited client support: Internet Explorer 5 and Windows 2000
Issues:
  DC has to be accessible by the client
  Service Principal Name: the Domain Administrator needs to be involved
  Delegation needs to be enabled, and it is unconstrained!
Setup: best description in "Designing Secure Web-based Applications"

Page 21: Client Certificate Authentication, Handshake Phase
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. Client Hello
  2. Server Hello: certificate, crypto parameters
  3. Client response: certificate, crypto parameters
  4. Client finish
  5. Server finish

Page 22: Client Certificate Authentication, IIS Mapping
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. HTTPS GET dbquery.asp HTTP/1.1
  3. Mapping
  4. LogonUser("user1", "pw")
  5. NT Authentication

Page 23: Client Certificate Authentication, Active Directory Mapping
Diagram (Web Browser, Proxy, Firewall, IIS 5.0, SQL Server, Active Directory) with numbered steps:
  1. HTTPS GET dbquery.asp HTTP/1.1
  2. SCHANNEL: UPN Mapping or AD Mapping
  3. SQL Login / COM+: SELECT * FROM table WHERE user='user1'

Page 24: Client Certificate Authentication
Pros:
  Very secure
  Flexible
  Integrity, confidentiality
Cons:
  Higher management costs for PKI
  Usability
  Scalability and performance

Page 25: Authentication Grid
Columns: Scheme; Security; Limitations / Comments; Client Support; Scenario
Anonymous
  Security: None
  Limitations / Comments: none listed
  Client Support: All
  Scenario: All
Basic
  Security: Low
  Limitations / Comments: Clear text password, use only with SSL
  Client Support: All
  Scenario: All
Digest
  Security: Medium
  Limitations / Comments: IIS 5 and higher
  Client Support: IE5 and higher in domain infrastructure
  Scenario: All
NTLM
  Security: Medium
  Limitations / Comments: Doesn't work over proxies
  Client Support: Internet Explorer only
  Scenario: Only Intranet, doesn't work with proxies
Kerberos
  Security: High
  Limitations / Comments: IIS 5.0 and higher
  Client Support: IE 5 on W2000 or XP in domain infrastructure
  Scenario: Only Intranet, DC needs to be accessible by the client
IIS Client Cert Mapping
  Security: High
  Limitations / Comments: PKI management makes client certs expensive; IIS 5.0 and higher
  Client Support: All newer browsers
  Scenario: All
AD Client Cert Mapping
  Security: Very High
  Limitations / Comments: PKI management makes client certs expensive; IIS 5.0 and higher
  Client Support: All newer browsers
  Scenario: All

Page 26: Access Control Flow
  1. Is the IP address permitted?
  2. Is the user permitted? Valid credentials; account restrictions (time, lockout, password expired, privileges)
  3. Does IIS allow access?
  4. Does NTFS allow access?

Page 27: IIS Pass-Through Authentication

Page 28: How Microsoft Passport Works
Diagram with three participants (Client, Website.msft, Passport.com) and numbered steps:
  1. The client requests a page from the host
  2. The site redirects the client to Passport.com
  3. The client logs on to Passport.com
  4. Passport returns a cookie with ticket information
  5. The client accesses the host with ticket information
  6. The host returns a Web form and possibly a new cookie that it can read and write

Page 29: Configuration Files and the .NET Framework
The Web server has a Web.config file for ASP.NET Web application settings
Each ASP.NET Web application also has its own Web.config file
Within the Web.config file, you can control access to individual pages or the entire Web site:

  <location path="ShoppingCart.aspx">
    <system.web>
      <authorization>
        <!-- "?" denotes anonymous (unauthenticated) users -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
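An added example (not from the slide deck) that evaluates ASP.NET authorization rules like the one above against a request. It relies on the ASP.NET URL-authorization semantics as I know them, which the slide does not spell out: rules are checked in document order and the first matching allow or deny wins, "?" means anonymous users, "*" means all users, location-scoped rules are consulted before the application-wide ones, and an unmatched request is allowed (the machine-level default). The Web.config is a constructed sample.

```python
"""Evaluate <authorization> rules from an ASP.NET Web.config."""
import xml.etree.ElementTree as ET

# Constructed sample: the slide's ShoppingCart rule plus two more scopes.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <deny users="guest" />
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="ShoppingCart.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _rule_matches(rule, user, roles):
    """user is None for an anonymous request; '?' = anonymous, '*' = everyone."""
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    rule_roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    if "*" in users or (user is None and "?" in users) or user in users:
        return True
    return any(r in roles for r in rule_roles)


def _decide(authz, user, roles):
    """First <allow>/<deny> that matches wins; None if nothing matched."""
    for rule in authz:
        if rule.tag in ("allow", "deny") and _rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return None


def is_authorized(config_xml, path, user=None, roles=()):
    """True if `user` (None = anonymous) may request `path`."""
    root = ET.fromstring(config_xml)
    # 1. <location> rules whose path is the requested file or a parent folder
    for loc in root.findall("location"):
        lp = loc.get("path", "")
        if path == lp or path.startswith(lp.rstrip("/") + "/"):
            authz = loc.find("system.web/authorization")
            verdict = _decide(authz, user, roles) if authz is not None else None
            if verdict is not None:
                return verdict
    # 2. application-wide rules
    authz = root.find("system.web/authorization")
    verdict = _decide(authz, user, roles) if authz is not None else None
    return True if verdict is None else verdict   # default: <allow users="*"/>
```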

Page 30: Best Practices
Use Run As... never log on as an Administrator
Disable NetBIOS
Do not put Web files on C:
Use the highest level of authentication you can, based on the clients used
Always encrypt sensitive information using SSL or IPSec
Always use SSL when using basic authentication
Do not issue a request for a certificate on a production server
Never leave certificates on the server
Use the Auto Update feature
Use URLScan
Do not install the Resource Kit on a production server
