Find out more about the various levels of IIS application authentication security.
In today's security-hysteria era, the fact that security is such a broad topic is unfortunate. We don't have a one-stop shopping center for learning security. Even the security experts I know concentrate on only one or two major security areas or levels.
One example of a security level is physical security, in which you lock servers and networking equipment in a room to avoid common access. For example, the government has its own version of the Internet, called the Secret Internet Protocol Routing Network (SIPRNET), in which all network infrastructures, including jacks and cabling, are physically separated from public access networks.
Many security levels exist. For example, with network security, you use firewalls or routers to lock down protected resources. Software and hardware tools can then monitor network activity for suspicious activity. With OS security, you lock down access to files on a network, then grant or deny access to network resources through Group Policy. With application-component–level security, you apply permissions to one part (i.e., component) of a program so that only certain users or user groups can access that component. With application authentication security, you apply an authentication method such as Integrated Windows authentication to IIS so that users are authenticated through their Windows accounts. With authorization security, you apply ASP.NET's role-based security to define roles (e.g., administrator, manager, power user, editor, read-only) within an application. Considering all these security levels, you can understand why IT professionals make security mistakes and frequently compromise resources. You can also understand the existence of so many books dedicated to these high security levels.
Today, I want to talk about the various levels of IIS application authentication security. In IIS 5.0, five basic types of authentication schemes exist: Anonymous, Basic, Digest, Integrated Windows authentication, and Client Certificate Mapping. In IIS 6.0, Microsoft offers the same five schemes and an additional one: .NET Passport.
Anonymous authentication is enabled by default. Many people assume that authenticating anonymously means that authentication doesn't take place at all when users attach themselves to a site. In fact, when IIS applies Anonymous authentication to a site, all users are authenticated under the same anonymous, proxied account.
Basic authentication is part of the HTTP 1.0 specification. In the case of IIS, the browser prompts for a username and password. Using Base64 encoding, the browser then transmits the username and password across HTTP. Because Base64 encoding is simple to decipher, Basic authentication essentially sends the password across the wire in clear text, which is inherently insecure.
Digest authentication overcomes the primary weaknesses of Basic authentication and sends a digest--also known as a hash--instead of a password over the network. Digest authentication requires domain accounts for each user in Active Directory (AD) and supports Microsoft Internet Explorer (IE) 5.0 and later as a client.
Integrated Windows authentication--formerly know as Windows NT LAN Manager (NTLM) authentication and Windows NT Challenge/Response authentication--is enabled by default in IIS. Integrated Windows authentication can use either NTLM or Kerberos 5.0 authentication and works with IE 2.0 and later. If you use it in conjunction with Kerberos, Integrated Windows authentication enables delegation of security credentials but doesn't work through firewalls. Integrated Windows authentication is the best scheme for intranet environments that use Windows.
Client Certificate Mapping uses a client certificate and a public key. A certificate is a digitally signed statement that contains information about an entity and the entity's public key, thus binding together these two pieces of information. A trusted organization (or entity) called a Certification Authority (CA) issues the certificate after the CA verifies the entity's identity. Client Certificate Mapping provides a strong authentication mechanism, but it can't delegate security credentials, doesn't work with all browsers, and requires Secure Sockets Layer/Transport Layer Security (SSL/TLS).
Passport lets the IIS administrator map authentication against Passport accounts. This authentication mechanism provides easy access for millions of Passport users, but implementing Passport can be expensive and cumbersome. In a future commentary, I'll delve into the plumbing of the six authentication methods and broadly cover authorization. For more IIS authentication details, visit http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconiisauthentication.asp .