[web] IIS 5.1 - Basic Authentication Security

Started by
2 comments, last by evolutional 19 years, 7 months ago
I'm using Windows XP Pro with IIS 5.1. I've recently configured an IIS (HTTP only) webserver using the IISLockdown tool and disabling several features. My last webpage used "Asp" to password protect certain pages, however I've disabled "Asp" scripting on my new site. I've had a look at the "Basic Authentication" feature that IIS comes with, and I've read the little warning message that pops up if you select it. What I'm wondering is... if suppose a hacker did monitor the unencrypted messages that were sent, and happened to discover the password, what all could the hacker do? If all the hacker could do is access the site, then I'm fine with Basic Authentication. But if the hacker could gain access to my local machine and start installing software, then that's a big problem. Later -Prim
At best, they'll be able to access your protected website. Any resources that are accessible via the website would potentially be vulnerable too. The only way I see a hacker being able to access your files or machine is to use an unpatched exploit in IIS (for which there are plenty, I've heard) or another service you have open on the website to then run arbitrary code on your machine. I'm no security expert though, so perhaps others can shed more light on this, but this is what I learned working for an IT company. Bear in mind too that basic authentication is sent in clear text, so don't use it on a network you don't feel safe on.

It goes without saying though, if your system is going to be 'live' on the net, firewall it up and ensure your IIS and Windows are patched up to date.
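The "sent in clear text" point above is worth seeing concretely. The following is an added example, not code from the thread or from IIS: it builds the Authorization header a browser sends for HTTP Basic authentication (RFC 7617), shows that anyone who captures the request recovers the username and password with a single base64 decode, and sketches the server-side policy a defender wants, which is to honour Basic credentials only when the connection is TLS. The user name, password and captured request are constructed sample values, and the `accept_basic_auth` policy function is an illustration of the rule, not an IIS API.

```python
import base64
from typing import Optional, Tuple

# Constructed sample credentials for the demonstration (not real accounts).
SAMPLE_USER = "webuser"
SAMPLE_PASSWORD = "example-pass-123"


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends for HTTP Basic
    authentication (RFC 7617): 'Basic' followed by base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover the username and password from a Basic Authorization header.
    Base64 is an encoding, not encryption: anyone who sees the header on an
    unencrypted link gets the credentials back with this one decode."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def accept_basic_auth(header_value: str, connection_is_tls: bool) -> Optional[Tuple[str, str]]:
    """Illustrative server-side policy (an assumption, not an IIS feature):
    only honour Basic credentials when the connection is protected by TLS.
    Returns the credentials when accepted, None when the request is refused."""
    if not connection_is_tls:
        return None
    return decode_basic_header(header_value)


# Constructed capture of a request as it crosses an HTTP-only link.
CAPTURED_REQUEST = (
    "GET /protected/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Authorization: {build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)}\r\n"
    "\r\n"
)


def credentials_from_capture(request_text: str) -> Optional[Tuple[str, str]]:
    """Pull the Authorization header out of a raw HTTP request and decode it,
    which is all an observer of clear-text traffic has to do."""
    for line in request_text.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return decode_basic_header(value.strip())
    return None


if __name__ == "__main__":
    header = build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("header sent by the browser:  ", header)
    print("recovered from the capture:  ", credentials_from_capture(CAPTURED_REQUEST))
    print("accepted over plain HTTP:    ", accept_basic_auth(header, False))
    print("accepted over HTTPS:         ", accept_basic_auth(header, True))
```

Because the decoded password is the password of a Windows account on the server (see the account discussion further down the thread), the exposure is not just "someone can read the protected page": it is the same secret that account uses to log on, which is why the IIS warning and the advice to keep Basic authentication off untrusted networks matter.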
Mm'kay, thanks Evolution.

But erm.. now I got a new question... how do I setup a password? [bawling]

All I see for options are... "Realm, Domain"...
You'll need to create a user account on the server which can then be used to log on locally. Basic authentication basically uses the web browser as a way of enabling a temporary login to IIS resources. As IIS works under Windows 2000+, it uses Active Directory for its authentication, meaning you'll have to create user accounts for each person or group you wish to allow access. Each user needs certain rights to be explicitly set - Access this computer from the network and Log on locally.

For more info, look at this page and this one. The pages I linked are useful in explaining the differences in the authentication methods as well as setting them up on your server.

I hope this was useful to you.
