CP Web Hosting
07-29-2009, 04:58 AM
Senior Member
 
Join Date: Jun 2009
Posts: 351
Authentication Methods

There are several authentication methods available to IIS administrators for controlling access to the server and files. These password authentication methods include Anonymous, Basic, Windows NT Challenge/Response, and digital certificates. In addition to these methods, you can add custom authentication methods by writing ISAPI filters.

Anonymous Access
When Allow Anonymous Access is enabled, users do not supply a username and password to access unprotected resources. Instead, IIS uses a special guest account (typically IUSR_computername) as the logon account and uses this account to open resources for the connected user.



The Internet Guest account IUSR_computername is created during IIS setup, and is part of the Guests and Everyone groups. You should review the file permissions given to these groups to ensure they are appropriate for your anonymous users. You can specifically deny the Internet Guest account access to sensitive information if it is not appropriate for anonymous users.

Anonymous access authentication does not use passwords, thus preventing people from gaining access to sensitive information with fraudulent or illegally obtained passwords. For some situations this can provide the best security.

Basic and Windows NT Challenge/Response Security
These two authentication methods require the user to provide a valid Windows NT username and password to the server before accessing resources.



HTTP Basic Authentication
Basic authentication is the standard method as defined in the HTTP specification. Most browsers support it and will prompt the user for a name and password during the authentication process. The user account and password are sent unencrypted from the Web browser to the server.

Using Basic authentication means that you will send your Windows NT user name and password unencrypted over public networks; thus, intruders can easily learn user names and passwords. Microsoft recommends using Basic authentication with SSL encryption, or using the Windows NT Challenge/Response method of password authentication.

Windows NT Challenge/Response

Windows NT Challenge/Response is an authentication method created by Microsoft that does not transmit an actual password across the network. Instead, the server engages in a cryptographic exchange with the Web browser to prove the correctness of the supplied password. This method is significantly safer than HTTP basic authentication. Microsoft Internet Explorer versions 2.0 or later support Windows NT Challenge/Response authentication.

Note: Windows NT Challenge/Response authentication takes precedence over Basic authentication. This means that if the user's Web browser supports both methods, it will choose Windows NT Challenge/Response authentication.

Authentication with Certificates

Using the Web server's SSL 3.0 security feature to authenticate users, the server checks the contents of an encrypted digital identification submitted by the user's Web browser during the logon process. Users obtain these digital identifications, called client certificates, from a mutually trusted third-party organization. Client certificates usually contain identifying information about the user and the organization that issued the certificate.

Certificates will be covered in Module 10, Understanding Certificate Server.
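Added example, not part of the original post: a small Python audit of a 401 response that applies the two points above, the precedence of Windows NT Challenge/Response (sent by IIS as the `NTLM` scheme) over Basic, and the fact that a Basic credential is only base64-encoded and so is readable without SSL. The function names, the sample headers, and the sample account are constructed for illustration.

```python
import base64

# Precedence from the post's note: Challenge/Response ("NTLM") before Basic.
PREFERENCE = ["ntlm", "basic"]

def offered_schemes(headers):
    """Lower-cased schemes from every WWW-Authenticate header, in order."""
    return [v.split()[0].lower() for n, v in headers
            if n.lower() == "www-authenticate" and v.strip()]

def client_choice(headers, supports=("ntlm", "basic")):
    """Scheme a browser would pick, given the schemes it supports."""
    offered = offered_schemes(headers)
    for scheme in PREFERENCE:
        if scheme in offered and scheme in supports:
            return scheme
    return None  # no usable scheme offered

def decode_basic(value):
    """Recover (user, password) from a Basic Authorization header value."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = raw.partition(":")  # password may itself contain ':'
    return user, password

def audit(headers, uses_ssl, supports=("ntlm", "basic")):
    """Flag the case the post warns about: Basic chosen on a non-SSL link."""
    choice = client_choice(headers, supports)
    if choice == "basic" and not uses_ssl:
        return "FAIL: Basic without SSL, password readable on the wire"
    if choice == "basic":
        return "OK: Basic protected by SSL"
    if choice == "ntlm":
        return "OK: challenge/response, password not transmitted"
    return "INFO: no supported authentication scheme offered"

# Constructed sample: 401 headers from a server with both methods enabled.
SAMPLE_HEADERS = [
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="intranet"'),
]
# Constructed sample credential for a made-up account.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"alice:Winter2009").decode("ascii")

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, uses_ssl=False, supports=("basic",)))
    print(decode_basic(SAMPLE_AUTH))
```

A client that supports only Basic falls through to it even when the server also offers NTLM, which is why the audit takes the client's supported schemes as input.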