293_CYA_IIS6_05.qxd 4/28/04 11:20 AM Page 115
Chapter 5 Advanced Web Server Security Configuration
In this Chapter Now that you are familiar with core web security features in IIS 6.0 such as web service extensions and MIME map settings, we will examine other security options in IIS. We will take an in-depth look at the authentication mechanisms and how IIS user accounts are used. Additionally, we will look at some not-so-often-discussed configuration options that can protect your web applications. Configuring Authentication Configuring IIS User Accounts Configuring URLScan Configuring Your Server to Use SSL Configuring URL Authorization with the Authorization Manager Configuring Custom Error Messages Securing Include Files Disabling Parent Paths Configuring IP Address, TCP Port and Host-Header Combinations
By the end of this chapter you should be familiar with all aspects of the IIS request processing cycle and how settings in IIS can be used to secure your application against various forms of attack. Additional material on the configuration options and their relationship to one another can be found online at www.syngress.com/solutions.
115 293_CYA_IIS6_05.qxd 4/28/04 11:20 AM Page 116
116 Chapter 5 • Advanced Web Server Security Configuration Configuring Authentication When IIS 6.0 attempts to read a resource from the server’s disk, for example, a Hypertext Markup Language (HTML) page, an image, or an active server pages (ASP)/ASP.NET page, it impersonates a Windows user account.That user account’s permissions are checked against the NT file system (NTFS) Access Control List (ACL) for the file in question to determine whether the requested action is permitted. In the special case where the end user is not required to supply credentials, IIS 6.0 imper- sonates the preconfigured “Anonymous User” account.
BY THE BOOK… IIS provides 7 different authentication mechanisms: Anonymous Authentication Users do not have to supply credentials and a fixed user account is impersonated. Basic Authentication Users are prompted to supply a username and password, which are sent unencrypted across the network. Basic authentication is supported by almost all browsers. Digest Authentication A hash of the user’s password is sent across the network. Digest authentication requires domain controllers to be running Windows 2000 or Windows 2003. Digest authentication requires user passwords to be stored using reversible encryption in Active Directory (AD). Advanced Digest Authentication This is similar to digest authentication in that the same hash process is used for sending the user’s password from client to server. With advanced digest authentication however, the user’s password is already stored as a Message Digest (MD)5 hash in Active Directory, obviating the need to store the password using reversible encryption. Advanced digest authentication requires a Windows 2003 functional level domain. Integrated Windows Authentication (IWA) Uses hashing technology to send the user’s credentials across the network. IWA offers two authentication systems; NTLM v2 for legacy clients, and Kerberos for Internet Explorer v5 and later. IIS 6.0 supports both NTLM v2 and Kerberos. IWA is the default authentication mecha- nism in IIS 6.0. 293_CYA_IIS6_05.qxd 4/28/04 11:20 AM Page 117
Advanced Web Server Security Configuration • Chapter 5 117