Prim

[web] IIS 5.1 - Basic Authentication Security


I'm using Windows XP Pro with IIS 5.1. I've recently configured an IIS (HTTP only) webserver using the IISLockdown tool and disabling several features. My last webpage used "Asp" to password protect certain pages, however I've disabled "Asp" scripting on my new site. I've had a look at the "Basic Authentication" feature that IIS comes with, and I've read the little warning message that pops up if you select it. What I'm wondering is... suppose a hacker did monitor the unencrypted messages that were sent, and happened to discover the password, what all could the hacker do? If all the hacker could do is access the site, then I'm fine with Basic Authentication. But if the hacker could gain access to my local machine and start installing software, then that's a big problem. Later -Prim

At best, they'll be able to access your protected website. Any resources that are accessible via the website would potentially be vulnerable too. The only way I see a hacker being able to access your files or machine is to use an unpatched exploit in IIS (for which there are plenty, I've heard) or another service you have open on the website to then run arbitrary code on your machine. I'm no security expert though, so perhaps others can shed more light on this, but this is what I learned working for an IT company. Bear in mind too that basic authentication is sent in clear text, so don't use it on a network you don't feel safe on.

It goes without saying though, if your system is going to be 'live' on the net, firewall it up and ensure your IIS and Windows are patched up to date.
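An added example, not from this thread: a small Python audit that scans captured HTTP requests for Basic logins that crossed the wire without TLS, so the affected accounts can be reset and the site moved behind HTTPS. The capture lines, hostnames and credentials are constructed; the password inside the header is never printed or returned.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample of requests as a forward proxy or capture tool might record
# them (not real traffic). Absolute URIs in the request line give us the scheme.
SAMPLE_CAPTURE = [
    # Basic credentials over plain HTTP: readable by anyone on the network path.
    "GET http://intranet.example/private/ HTTP/1.1\r\n"
    "Authorization: Basic cHJpbTpzM2NyM3Q=\r\n\r\n",
    # Same scheme over HTTPS: the header travels inside the TLS tunnel.
    "GET https://intranet.example/private/ HTTP/1.1\r\n"
    "Authorization: basic YWxpY2U6eA==\r\n\r\n",
    # Corrupted header value: the audit must report it, not crash on it.
    "GET http://intranet.example/private/ HTTP/1.1\r\n"
    "Authorization: Basic !!not-base64!!\r\n\r\n",
]


def parse_request(raw):
    """Return (scheme, host, headers) for one raw HTTP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    url = urlsplit(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return url.scheme.lower(), url.hostname or headers.get("host", ""), headers


def basic_username(auth_value):
    """Username from a Basic header value; None if undecodable. No password."""
    parts = auth_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded.split(":", 1)[0] if ":" in decoded else None


def exposed_basic_logins(capture):
    """(username, host) for each Basic login sent without TLS; None = undecodable."""
    findings = []
    for raw in capture:
        scheme, host, headers = parse_request(raw)
        auth = headers.get("authorization", "")
        if scheme == "http" and auth.lower().split(None, 1)[:1] == ["basic"]:
            findings.append((basic_username(auth), host))
    return findings
```

Run `exposed_basic_logins(SAMPLE_CAPTURE)` to get the list of accounts whose credentials were observable in the clear; the HTTPS request is correctly left out.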

You'll need to create a user account on the server which can then be used to log on locally. Basic authentication basically uses the web browser as a way of enabling a temporary login to IIS resources. As IIS works under Windows 2000+, it uses Active Directory for its authentication, meaning you'll have to create user accounts for each person or group you wish to allow access. Each user needs certain rights to be explicitly set - Access this computer from the network and Log on locally.

For more info, look at this page and this one. The pages I linked are useful in explaining the differences in the authentication methods as well as setting them up on your server.

I hope this was useful to you.
