Requiring Authentication

An authenticated user is a user who logs into an account with a valid user name and password. Once the user logs onto a valid account, he can access any directory where that account has permissions and where the IIS server provides access. As mentioned, this is useful for subscription services or to provide special access for remote employees.

There are three forms of authentication under IIS:

•  Basic. This is the least secure logon because passwords are not encrypted for transmission across the wire.

•  Windows NT Challenge/Response. This authentication method is supported by Microsoft Internet Explorer. It protects passwords by using the challenge/response mechanism discussed in the earlier section. This method is recommended in intranet environments or for known users on the Internet who access your server with Microsoft’s web browser.

•  SSL (Secure Sockets Layer). The SSL protocol authenticates users and encrypts all session information across the web link. A security certificate is required for the server. It is discussed further under “Secure Sockets Layer” later in this section.

As the administrator, you can enable any of these methods. Initially, a user accesses the server by using the anonymous user account. If the user attempts to access a directory for which the anonymous user account does not have permissions, then the following might happen:

•  If Basic authentication is enabled, most web browsers will pop up a logon dialog box so the user can enter a user name and password to access an account that has permissions in the directory.

•  If Windows NT Challenge/Response is enabled and the user is running a web browser that supports Windows NT Challenge/Response, then the browser and server will automatically perform a user authentication with the user’s current credentials. A logon screen may appear if these credentials are not available.

Secure Sockets Layer

SSL is a protocol that secures the transmission of data between web clients and servers by encrypting the data before transmission. IIS supports both SSL versions 2.0 and 3.0. Web browsers must support the SSL protocol to operate in this mode with the web server. Most web browsers today support SSL.

The protocol starts out with a handshake between the client and server that lets them agree on a level of security they will use to encrypt and decrypt information. All HTTP information sent across the line is encrypted, including the addresses (URLs) requested by the client, logon information, and data. Performance slows slightly when using SSL.

To use SSL on the IIS server, you must obtain a certificate from a certification authority (CA) such as Verisign. The steps for doing this are to first generate a key pair and a request file on the IIS server, then submit this to the CA. The CA will then return a certificate that is installed on the server. You then activate SSL on specific directories. Remember that SSL slows performance, so you only need to enable it on directories that contain sensitive information.

SSL and certification procedures are discussed in Chapter 10.

Microsoft Proxy Server

Earlier, it was mentioned that proxy servers allow internal users to safely access the Internet. The process is actually quite involved as pictured in figure 12.12 and outlined below:

Figure 12.12  The Microsoft Proxy Server acts as an intermediary between internal network users and the Internet.

1.  The proxy server intercepts request from internal users that are directed to Internet servers.

2.  It repackages the request by inserting its own address as the source address, then forwards the request to the destination web server.

3.  When the web server returns a response, it sends the response to the proxy server.

4.  The Proxy Server ensures that the response is appropriate, then forwards it to the internal user.

The Proxy Server acts as a gateway and provides some unique services. For example, it hides all internal IP addresses so they are not exposed on the Internet to hackers that might attempt to attack a system.

The Proxy Server blocks unauthorized Internet users from accessing the internal network as follows:

•  Any packets that arrive at the server that are not a response to a previous request from an internal user are dropped.

Because the Proxy Server accesses the Internet for all internal users, there is a good chance that it has already made requests and received responses from sites that other users need to access. To improve performance, it caches information from web sites for future use. If a user makes a request for a site that the Proxy Server has in its cache, the Proxy Server fulfills the request from the cache.

The Proxy Server provides CERN-compatible proxy services for all Internet protocols, including HTTP, FTP, RealAudio (streaming audio), VDOLive (streaming video), IRC (Internet Relay Chat), and mail and news protocols.

With support for the WinSock Proxy service included, clients that run Novell’s IPX/SPX protocols can access the Proxy Server. It is possible to allow nearly every user on an internal network to access the Internet through the Proxy Server.

The Proxy Server can be configured to control outbound traffic based on the user’s name, the service requested, the port, or the IP domain. In other words, an administrator can strictly control what servers and sites internal users can access on the Internet. For example, the administrator may not want users to access a site that produces an unnecessary load on the Proxy Server, such as a cartoon site.

Secure sessions are supported with the Secure Sockets Layer (SSL) tunneling protocol. Further, secure logons are provided with Windows NT Challenge/Response authentication.