- Number of slides: 10
Access Control in IIS 6.0
Windows 2003 Server
Prepared by: Shamima Rahman
School of Science and Computer Engineering
University of Houston - Clear Lake
9/1/2005
Access Control in IIS 6.0
• IIS provides security measures to control user access to Web sites and FTP sites.
• The two main types of access control are:
  – IIS features (Web site permissions, IP address restrictions, etc.), controlled by IIS
  – NTFS permissions, controlled by the operating system
Ex: Configuring Access Control for a Web site
• Configuring IIS features:
  – Web site permissions
    • Read, write permission, etc.
    • http://www.dcsl-uhcl.net/iisprop.jpg
  – IP address restrictions
    • Assign access permission (grant or deny) to specific computers, groups of computers, or domains for accessing Web sites, directories, or files
    • http://www.dcsl-uhcl.net/iisip.jpg
Contd.: Configuring Access Control for a Web site
  – Authentication Methods
    • Anonymous Authentication
      – Public site (Ex: http://www.dcsl-uhcl.net/)
      – Private site (Ex: http://www.dcsl-uhcl.net/private)
    • Basic Authentication
    • Digest Authentication
    • Advanced Digest authentication
    • UNC authentication
    • Integrated Windows Authentication
    • .NET Passport Authentication
    • Certificate authentication
    • http://www.dcsl-uhcl.net/authentication.GIF
Authentication methods in IIS 6.0
• Anonymous authentication: Allows everyone to access the public areas of a Web site, without asking for a user name or password.
• Basic authentication: Asks users for credentials (user name and password), which are sent unencrypted over the network.
• Digest authentication: Sends the passwords across the network as a hash value for additional security. Digest authentication is available only on domains with domain controllers running Windows server operating systems.
• Advanced Digest authentication: Identical to Digest authentication, except that it stores the client credentials as a Message Digest (MD5) hash in Active Directory on the domain controller running Windows Server 2003.
Authentication methods in IIS 6.0
• Integrated Windows authentication: Generates hash values of user names and passwords before sending them over the network.
• UNC authentication: Passes users' credentials through to the computer with the Universal Naming Convention (UNC) share.
• .NET Passport Authentication: Allows Web site users to create a single sign-in name and password to access all .NET Passport–enabled Web sites and services. .NET Passport–enabled sites rely on the .NET Passport central server to authenticate users.
• Certificate authentication: Uses Secure Sockets Layer (SSL) certificates to authenticate servers and clients.
Contd.: Configuring Access Control for a Web site
• Configuring NTFS permissions
  – Assign permissions (read, write, execute, etc.) to groups/users for accessing files and directories
  – http://www.dcsl-uhcl.net/filepermission.jpg
Access Control Process
Certificate authentication
• Certificates are a form of digital identification for a server.
• http://www.dcsl-uhcl.net/certificate.jpg
• Server Certificates
  – Obtain and install a server certificate, and configure a list of trusted certification authorities
• Client Certificates
  – Configure the Web site to require a certificate from users who are attempting to access the site, in order to protect the server from unauthorized access.
  – Any user with a valid and trusted client certificate can establish a secure connection and access the resource.