Requiring Authentication
An authenticated user is a user who logs into an account with a valid user name and password. Once the user logs onto a valid account, he can access any directory where that account has permissions and where the IIS server provides access. As mentioned, this is useful for subscription services or to provide special access for remote employees.
There are three forms of authentication under IIS:
As the administrator, you can enable any of these methods. Initially, a user accesses the server by using the anonymous user account. If the user attempts to access a directory for which the anonymous user account does not have permissions, then the following might happen:
Secure Sockets Layer
SSL is a protocol that secures the transmission of data between web clients and servers by encrypting the data before transmission. IIS supports both SSL versions 2.0 and 3.0. Web browsers must support the SSL protocol to operate in this mode with the web server. Most web browsers today support SSL.
The protocol starts out with a handshake between the client and server that lets them agree on a level of security they will use to encrypt and decrypt information. All HTTP information sent across the line is encrypted, including the addresses (URLs) requested by the client, logon information, and data. Performance slows slightly when using SSL.
To use SSL on the IIS server, you must obtain a certificate from a certification authority (CA) such as Verisign. The steps for doing this are to first generate a key pair and a request file on the IIS server, then submit this to the CA. The CA will then return a certificate that is installed on the server. You then activate SSL on specific directories. Remember that SSL slows performance, so you only need to enable it on directories that contain sensitive information.
SSL and certification procedures are discussed in Chapter 10.
Earlier, it was mentioned that proxy servers allow internal users to safely access the Internet. The process is actually quite involved, as pictured in Figure 12.12 and outlined below:
Figure 12.12 The Microsoft Proxy Server acts as an intermediary between internal network users and the Internet.
The Proxy Server acts as a gateway and provides some unique services. For example, it hides all internal IP addresses so they are not exposed on the Internet to hackers that might attempt to attack a system.
The Proxy Server blocks unauthorized Internet users from accessing the internal network as follows:
Because the Proxy Server accesses the Internet for all internal users, there is a good chance that it has already made requests and received responses from sites that other users need to access. To improve performance, it caches information from web sites for future use. If a user makes a request for a site that the Proxy Server has in its cache, the Proxy Server fulfills the request from the cache.
The Proxy Server provides CERN-compatible proxy services for all Internet protocols, including HTTP, FTP, RealAudio (streaming audio), VDOLive (streaming video), IRC (Internet Relay Chat), and mail and news protocols.
With support for the WinSock Proxy service included, clients that run Novell's IPX/SPX protocols can access the Proxy Server. It is possible to allow nearly every user on an internal network to access the Internet through the Proxy Server.
The Proxy Server can be configured to control outbound traffic based on the user's name, the service requested, the port, or the IP domain. In other words, an administrator can strictly control which servers and sites internal users can access on the Internet. For example, the administrator may not want users to access a site that produces an unnecessary load on the Proxy Server, such as a cartoon site.
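The outbound controls described above (user name, service, port, domain) can be modeled as an ordered rule list. This is an added example, not Microsoft Proxy Server's own logic or configuration format; the `Rule` fields, first-match-wins ordering, default deny, and all sample names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One outbound rule (hypothetical model); a field left as None matches anything."""
    allow: bool
    user: Optional[str] = None     # account name of the internal user
    service: Optional[str] = None  # e.g. "HTTP", "FTP"
    port: Optional[int] = None     # destination port
    domain: Optional[str] = None   # destination domain; also covers its subdomains


def domain_matches(host: str, domain: str) -> bool:
    """Compare whole DNS labels so 'notcartoons.example' never matches 'cartoons.example'."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def decide(rules, user: str, service: str, port: int, host: str) -> bool:
    """First matching rule wins; a request that no rule matches is denied."""
    for r in rules:
        if r.user is not None and r.user.lower() != user.lower():
            continue
        if r.service is not None and r.service.upper() != service.upper():
            continue
        if r.port is not None and r.port != port:
            continue
        if r.domain is not None and not domain_matches(host, r.domain):
            continue
        return r.allow
    return False


# Constructed sample policy; every user and domain name here is made up.
POLICY = [
    Rule(allow=False, domain="cartoons.example"),  # high-load site, blocked for everyone
    Rule(allow=True, service="HTTP", port=80),     # general web browsing
    Rule(allow=True, user="alice", service="FTP", port=21, domain="partner.example"),
]

if __name__ == "__main__":
    print(decide(POLICY, "bob", "HTTP", 80, "video.cartoons.example"))    # blocked subdomain
    print(decide(POLICY, "alice", "FTP", 21, "files.partner.example"))    # per-user allow
    print(decide(POLICY, "bob", "FTP", 21, "files.partner.example"))      # falls to default deny
```

The suffix check in `domain_matches` is the part most often gotten wrong: a plain `endswith(domain)` would treat `notcartoons.example` as part of `cartoons.example`, and would let `partner.example.attacker.test`-style names slip past if the comparison were done on a prefix instead.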
Secure sessions are supported with the Secure Sockets Layer (SSL) tunneling protocol. Further, secure logons are provided with Windows NT Challenge/Response authentication.