Microsoft includes Internet Information Services (IIS) 5.0 with both Windows 2000 Server (Win2K Server) and Windows 2000 Professional (Win2K Pro). By default, however, IIS is installed only on Win2K Server, not on Win2K Pro; if you upgrade to Win2K Pro from an earlier version of Windows, IIS is installed as part of the upgrade. To configure IIS properly, you must understand the various authentication methods that the software uses. Authentication is the process by which the client identifies itself to the IIS server, and you can set it at the Web site level, at the folder level, or at the file level. IIS 5.0 offers five authentication methods for the Web:
- Anonymous
- Basic
- Digest
- Integrated Windows
- Certificate
Two IIS 5.0 authentication methods apply to FTP:
- Anonymous FTP
- Basic FTP
Anonymous Authentication
If you don't want IIS to prompt users for a username and password, you can enable Anonymous authentication on your Web server; IIS then assigns anonymous users to an account that belongs to the Guests group. The default account is IUSR_computername, where computername is the name of your IIS server, and this is the account we typically mean when we talk about the anonymous account in IIS. The IUSR_computername account must have the "Log on locally" user right on the server, or users won't be able to connect to your Web server. You can restrict what anonymous users can reach by setting file- or folder-level NTFS permissions. IIS tries Anonymous authentication first and falls back to another enabled authentication method if NTFS permissions deny the anonymous account access. If no other method is enabled, IIS returns an "HTTP 403 Access Denied" error to the user.
Basic Authentication
Most browsers support Basic authentication because the HTTP specification requires it. IIS prompts the user for a valid Windows account name and password. However, because the password is transmitted unencrypted, most people avoid Basic authentication in secure environments. As a workaround, you can combine Basic authentication with Secure Sockets Layer (SSL) so that the password travels over an encrypted channel and isn't exposed on the wire.
Digest Authentication
Digest authentication, a new feature in IIS 5.0, is similar to Basic authentication except that the credentials are passed through a hashing algorithm before they are sent. The resulting hash, or message digest, is encrypted, so it's more secure than the clear-text passwords that Basic authentication uses. Digest authentication works across proxy servers and firewalls. However, only browsers that support HTTP 1.1 can use this method; IIS 5.0 denies access to non-compliant browsers.
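To make the difference between the Basic and Digest methods concrete, here is an added Python example; it is not code from the original article and not part of IIS. It builds the Authorization header each scheme sends, shows that a Basic header decodes straight back to the password (it is only Base64-encoded, which is why SSL is needed underneath it), and shows a server verifying an RFC 2617 Digest response from its own copy of the credential without the password ever appearing on the wire. The username, password, realm, URI and nonce are constructed sample values, and the credential store is a plain dictionary standing in for the Windows account database.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample values for the demonstration; none of this is from the article.
USERNAME = "alice"
PASSWORD = "S3cret!"
REALM = "intranet.example"      # hypothetical realm name
METHOD = "GET"
URI = "/private/report.html"    # hypothetical protected resource


def basic_header(username, password):
    """Authorization header a browser sends for Basic authentication (RFC 2617).
    The credentials are only Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header):
    """What anyone who can read the unencrypted request can do with a Basic header:
    decode it straight back to the username and password."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def _md5_hex(text):
    # RFC 2617 specifies MD5 for the digest computation; it is used here for
    # protocol fidelity, not as a recommendation for new designs.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1 ":" nonce ":" HA2),
    where HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(username, password, realm, nonce, method, uri):
    """Authorization header the client sends; the password itself never appears."""
    response = digest_response(username, password, realm, nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_digest_header(header):
    """Parse the quoted key="value" pairs of a Digest Authorization header."""
    scheme, params = header.split(" ", 1)
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def server_verify_digest(header, password_lookup, realm, issued_nonce, method):
    """Server side: recompute the expected response from the stored credential
    and the nonce it issued, then compare in constant time. A replayed header
    carrying an old nonce, or a wrong password, fails."""
    fields = parse_digest_header(header)
    if fields.get("realm") != realm or fields.get("nonce") != issued_nonce:
        return False
    password = password_lookup(fields.get("username"))
    if password is None:
        return False
    expected = digest_response(fields["username"], password, realm,
                               issued_nonce, method, fields["uri"])
    return secrets.compare_digest(expected, fields.get("response", ""))


def demo():
    """Run both schemes against the constructed values and report what leaks."""
    basic = basic_header(USERNAME, PASSWORD)
    leaked_user, leaked_password = recover_basic_credentials(basic)

    nonce = secrets.token_hex(16)              # server-issued, per challenge
    digest = digest_header(USERNAME, PASSWORD, REALM, nonce, METHOD, URI)
    users = {USERNAME: PASSWORD}               # constructed credential store
    accepted = server_verify_digest(digest, users.get, REALM, nonce, METHOD)
    replay_with_stale_nonce = server_verify_digest(
        digest, users.get, REALM, secrets.token_hex(16), METHOD)

    return {
        "basic_password_recovered": leaked_password == PASSWORD,
        "digest_contains_password": PASSWORD in digest,
        "digest_accepted": accepted,
        "stale_nonce_accepted": replay_with_stale_nonce,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block reports that the Basic header yields the password directly, that the Digest header contains only hashes, that the server accepts the genuine response, and that the same header is rejected once the server has issued a fresh nonce. That last check is the property Basic authentication over unencrypted HTTP lacks: a captured Basic header is the credential itself, whereas a captured Digest response is bound to one challenge.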
Integrated Windows Authentication
Previously known as Windows NT Challenge/Response (NT/CR) or NT LAN Manager (NTLM), Integrated Windows authentication is a secure authentication method that doesn't transmit usernames or passwords. Instead, it relies on a cryptographic exchange with the server. Integrated Windows authentication can use either the Kerberos 5 authentication protocol or its own challenge/response protocol.
If you have already logged on to Windows, Integrated Windows authentication uses your logon credentials to authenticate you, so it won't prompt you for a username and password. If you haven't already logged on to Windows, Integrated Windows authentication keeps prompting you for a valid username and password until you either supply the correct credentials or close the dialog box. The disadvantage of Integrated Windows authentication is that it works only with IE 2.0 or later; Netscape Navigator and other browsers don't support this authentication method. Also, Integrated Windows authentication doesn't work through HTTP proxies. Ideally, you use this authentication method in an intranet environment, where you can control which browsers your network users run.
Certificate Authentication
You can use server and client certificates to authenticate users on your Web site before they transmit confidential information. You can map a client certificate to a Windows user account so that the user logs on automatically, without supplying a username and password. The mapping can be one-to-one (one client certificate to one Windows account) or many-to-one (many certificates to one account).
Anonymous FTP Authentication
The Anonymous FTP authentication concept is identical to that of Anonymous authentication for the Web. Users can connect to your FTP server without providing usernames and passwords because IIS uses IUSR_computername to provide anonymous access. You can specify a different account for anonymous access if you prefer, and you can restrict access to resources using NTFS permissions. Note that even if you enable Basic authentication, Anonymous authentication always takes precedence, and IIS will use it first.
Basic FTP Authentication
The Basic FTP authentication concept is identical to that of Basic authentication for the Web. Basic FTP authentication prompts FTP users for a username and password, which are transmitted in clear text. Some administrators force users to use Anonymous FTP authentication because it doesn't prompt users for passwords and therefore doesn't expose domain passwords to others; these administrators control user access through NTFS permissions instead.
Table 1 shows a summary of IIS 5.0 authentication methods.