Tutorial Sections:
Basic Authentication
Cookie Authentication
NTLM / Integrated Windows Authentication
ISAPI Authentication Filters
************************************************************************************
Basic Authentication:
Basic authentication is a standard which nearly all browsers support. When you access a site and you see a standard popup window which asks for your username and password, you are using basic authentication. An example from Internet Explorer can be found below.

How to configure in IIS:
Open the MMC and select the site or directory you wish to protect
Right click and select properties on that site / directory
Select the directory security tab
Click the "edit" button on authentication control
Enable basic authentication
Now that your site is set up to support basic authentication, you need to change the NTFS permissions for the directory you want to protect and add any users or groups you wish to have access
IIS tries anonymous access first: when IUSR_MACHINENAME does not have NTFS access to the directory, or you disable anonymous access for it, the server answers with a 401 and the basic authentication window pops up
Advantages:
Requires no additional software
Disadvantages:
Choosing basic authentication in conjunction with NT users can be dangerous. The username and password are sent with every request, only Base64-encoded, which is not encryption: anyone able to read the traffic decodes them instantly. Unless the site runs over SSL, someone who captures an NT username and password this way has the rights of that account on the server and can do damage.
The basic authentication login box is generated by the web browser, as such you can not control the look and feel of this dialog
This requires that you create NT users and groups for all web site users. This can be difficult to administer, particularly with a large number of users.
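To show why "plain text" is the right description, here is an added example (not part of the original tutorial) of the basic authentication round trip in Python: the 401 challenge with its realm, the Authorization header the browser builds after the popup, and how anyone who sees the request recovers the credentials. The two HTTP messages, the host name and the account administrator / p@ssw0rd are constructed for the example, not captured from a real server.

```python
import base64
import binascii

# Constructed sample of a basic authentication round trip (not a capture from a real IIS box):
# the 401 the server sends when IUSR_MACHINENAME has no access to the directory, and the
# retried request the browser sends after the user fills in the popup.
CHALLENGE = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: Basic realm=\"www.example.com\"\r\n"
    "\r\n"
)
REQUEST = (
    "GET /protected/default.asp HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==\r\n"
    "\r\n"
)


def challenge_realm(raw_response):
    """Server side of the exchange: the realm the browser shows in its popup, or None."""
    for line in raw_response.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip().lower().startswith("basic"):
            _, _, realm = value.partition("realm=")
            return realm.strip().strip('"')
    return None


def build_basic_header(username, password):
    """Browser side: Base64 of 'user:password'. This is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value):
    """Returns (username, password) from an Authorization header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None                      # e.g. an NTLM token; a different scheme
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error:
        return None                      # malformed Base64
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None                      # no separator: not a credential pair
    return user, password


def credentials_from_request(raw_request):
    """What anyone on the path between browser and server can do with a captured request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return parse_basic_header(value)
    return None


if __name__ == "__main__":
    print("realm:", challenge_realm(CHALLENGE))
    print("credentials in the clear:", credentials_from_request(REQUEST))
```

The same header is resent on every subsequent request to that realm, so a single capture anywhere on the path is enough; with NT accounts that capture is a domain logon, which is the reason to put this behind SSL or not use it at all.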
************************************************************************************
Cookie Authentication:
Cookie authentication makes use of functionality at the scripting level to provide user authentication.
How to configure in IIS:
This does not require any IIS server configuration, only changes to the ASP scripts themselves
The following code would need to be placed at the top of each page you wanted to protect:
<%
' An unset Session("login") is Empty, which compares equal to False, so new visitors are redirected.
If Session("login") = False Then
    Response.Redirect "LoginPage.asp"
Else
    Response.Write "You are logged in"
End If
%>
The following code is an example of a simple login form:
<%
' Hard-coded password for illustration only; the comparison is case-sensitive.
If Request.Form("password") = "yourpass" Then
    Session("login") = True
End If
%>
<form method="POST" action="login.asp">
<p><input type="password" name="password" size="20"> <input type="submit" value="login" name="login"></p>
</form>
This code could be expanded to tie into a database and track usernames as well as passwords, but the concept is the same as this hard-coded sample with a password of "yourpass".
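The same pattern written in Python rather than ASP, as an added example that is not part of the original tutorial: a login handler that checks the password against a salted hash instead of a clear-text literal, a server-side session store that plays the role of the ASP Session object, and the gate that every protected page runs first. The user name webuser, the cookie name session and the redirect targets are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-SHA256; replaces the clear-text "yourpass" literal in the script."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


# Constructed user store with an assumed user name; in practice this is the database table.
USERS = {"webuser": hash_password("yourpass")}

# Server-side session store keyed by session id: the equivalent of ASP's Session object.
# The browser only ever holds the id, never the "logged in" flag itself.
SESSIONS = {}

_DUMMY_SALT = b"\x00" * 16


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)        # same cost for unknown users
        return False
    salt, iterations, expected = record
    actual = hash_password(password, salt, iterations)[2]
    return hmac.compare_digest(expected, actual)    # constant-time comparison


def login(form):
    """Handler behind the login form; returns (status, headers, body)."""
    username = form.get("username", "")
    if not verify_password(username, form.get("password", "")):
        return 200, {}, "login failed"              # re-show the form, no session issued
    sid = secrets.token_urlsafe(32)                 # unguessable session id
    SESSIONS[sid] = {"login": True, "user": username}
    # Secure assumes the site runs over SSL; without it the cookie travels in the clear
    cookie = f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return 302, {"Location": "/members/default.asp", "Set-Cookie": cookie}, ""


def protected_page(cookies):
    """The gate placed at the top of every protected page."""
    sess = SESSIONS.get(cookies.get("session", ""))
    if not sess or not sess.get("login"):
        return 302, {"Location": "/LoginPage.asp"}, ""
    return 200, {}, f"You are logged in as {sess['user']}"


def logout(cookies):
    """Drop the server-side session so the cookie value becomes worthless."""
    return SESSIONS.pop(cookies.get("session", ""), None) is not None
```

Because the session lives on the server, a forged or expired cookie value simply finds no entry and is redirected like any other anonymous visitor; the per-page limitation from the original stays, since images and static HTML are still served by IIS without running this gate.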
Advantages:
Can use custom designed login form
Can store usernames and passwords independently of NT users
Disadvantages:
This will only protect ASP scripts (not images, HTML etc.)
This requires that users' browsers support cookies and have them enabled
Protection must be implemented on a per page basis (for example a directory can not be protected)
The password typed into the form still travels in clear text unless the site uses SSL, exactly as with basic authentication
************************************************************************************
NTLM / Windows Integrated Authentication:
NTLM is similar to basic authentication in that it works with a popup window generated by the browser. The main difference is that the password itself is never sent to the server: the server issues a random challenge, and the browser answers with a response computed from the user's password hash and that challenge, which the server checks against the hash it stores for the account. In order to accomplish this the browser must have special functionality.
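An added example, not from the original tutorial, of what actually travels in that exchange, written in Python: the NTLMv2 response as specified in MS-NLMP, computed on the client from the password and the server's challenge, and verified on the server from the stored NT hash alone. MD4 is implemented inline because hashlib on many current OpenSSL builds does not provide it. The user, domain and password are constructed values, and the target-info block is left empty, which real clients fill with the server's AV_PAIR names.

```python
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _md4(data):
    """MD4 per RFC 1320; the NT hash is MD4 over the UTF-16LE password."""
    ff = lambda x, y, z: (x & y) | (~x & z)
    gg = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & _MASK
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:                                   # round 1
                fn, k, s, add = ff, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                                 # round 2: word order 0,4,8,12,1,5,...
                j = i - 16
                fn, k, s, add = gg, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:                                        # round 3: bit-reversed word order
                j = i - 32
                fn, k, s, add = hh, int(f"{j:04b}"[::-1], 2), (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a = rotl((a + fn(b, c, d) + x[k] + add) & _MASK, s)
            a, b, c, d = d, a, b, c
        state = [(v + w) & _MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """What the SAM / domain controller stores for the account."""
    return _md4(password.encode("utf-16-le"))


def ntlmv2_key(nt, user, domain):
    """NTLMv2 hash: HMAC-MD5 over uppercase user + domain, keyed with the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(password, user, domain, server_challenge, client_challenge, timestamp=0, target_info=b""):
    """Browser side: the NTLMv2 response (NTProofStr || blob) carried in the Type 3 message."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntlmv2_key(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(nt, user, domain, server_challenge, response):
    """Server side: recompute the proof from the stored NT hash; the password is not needed."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    """Constructed account; returns (verifies with the right challenge, verifies with another)."""
    user, domain, password = "webuser", "CORP", "p@ssw0rd"
    stored = nt_hash(password)                          # server keeps only this
    challenge = os.urandom(8)                           # Type 2 message: server challenge
    resp = client_response(password, user, domain, challenge, os.urandom(8))
    assert password.encode("utf-16-le") not in resp     # password never on the wire
    return (server_verify(stored, user, domain, challenge, resp),
            server_verify(stored, user, domain, os.urandom(8), resp))
```

The response is bound to the server's challenge, so a captured one cannot be replayed against a fresh challenge; what a capture does give an attacker is the challenge and proof together, which is enough to guess passwords offline by repeating client_response until the proof matches.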

How to configure in IIS:
Open the MMC and select the site or directory you wish to protect
Right click and select properties on that site / directory
Select the directory security tab
Click the "edit" button on authentication control
Disable basic authentication and enable NTLM / Integrated Windows Authentication
Now that your site is set up to support NTLM authentication, you need to change the NTFS permissions for the directory you want to protect and add any users or groups you wish to have access
Advantages:
Requires no additional software
The password never crosses the wire, even without SSL; only a challenge and the response derived from the password hash do
Disadvantages:
The NTLM authentication login box is generated by the web browser, as such you can not control the look and feel of this dialog
This requires that you create NT users and groups for all web site users. This can be difficult to administer, particularly with a large number of users.
Clients must use Internet Explorer (at the time of writing no other web browser supported NTLM)
A captured challenge/response pair can still be attacked offline by guessing passwords, and the username travels in the clear, so weak passwords remain exposed and SSL is still worth having
************************************************************************************
ISAPI Filter Authentication:
The Internet Server Application Programming Interface provides low level access to the entire web server request and event chain. Because of this a filter can intercept requests before the web server handles them, which provides the greatest authentication flexibility.
How to configure in IIS:
In the MMC the filter needs to be loaded under the ISAPI filters tab under the site properties
This assumes you have a valid authentication filter to load, if not you would first need to develop one using VC++ or purchase a commercial product.
Advantages:
High performance
Can provide flexibility to work with or without cookies and support failing over between them
Independent of the NT user base
Protects all types of files not just ASP scripts
Can support multiple web sites on the same server
Disadvantages:
Requires purchase of commercial product or complex development of your own filter