IIS 6 Administration

When users try to access web or FTP sites on IIS, they are “authenticated” to determine whether they should be allowed access to the content on the site. Authentication complements permissions as an essential part of securing any web or FTP site: it specifies who can access the site. Once users are authenticated for site access, permissions then determine which resources on the site they can access and what actions they can perform on those resources (view, modify, delete, upload, and so on).

IIS 6 offers a number of ways to authenticate users, including:

  - Anonymous access
  - Basic Authentication
  - Digest Authentication
  - Integrated Windows Authentication
  - .NET Passport Authentication

All five of these authentication methods are available for websites on IIS, while only anonymous access and Basic Authentication are available for FTP sites.

FTP is inherently insecure because both the authentication process and data transfer occur in unencrypted form, so anyone sniffing the network can read your data and discover your password. If you must use FTP for transferring sensitive files over the Internet, consider using it over a tunneled connection using Point-to-Point Tunneling Protocol (PPTP) or IPSec protocol. A good alternative to FTP for secure file transfer is WebDAV, which can use SSL and is discussed in Chapter 16.

Configuring Authentication Methods

For websites, authentication methods can be configured at four levels:

  - The Web Sites node in the console tree (all websites on the machine)
  - An individual website
  - A virtual directory within a site
  - An individual file (page) within a site or directory

All five authentication methods are available for each of these levels. If you wanted to, you could make a site available to anonymous users, restrict access to a virtual directory within the site using Integrated Windows Authentication, and control access to a single page within the site using .NET Passport—but there is rarely a good reason to make things that complicated!

Figure 10-4: Directory Security tab for Default Web Site

The usual website properties inheritance applies to configuring authentication methods. For example, if you enable Basic Authentication for a website and create a virtual directory within that site, it will automatically have Basic Authentication enabled as well, as will any individual pages within the site. You can override inheritance by configuring different authentication methods for files within directories or directories within sites.

One quirk to note concerning website property inheritance is that if you create a new website using the Web Site Creation Wizard, the authentication methods enabled for this new site will always be anonymous access and Integrated Windows Authentication, regardless of what authentication methods are configured on the Web Sites node. (If you change the authentication methods for the Web Sites node in the console tree, the change will be propagated to all websites on the machine.)

For FTP sites, authentication can only be configured at two levels:

  - The FTP Sites node in the console tree (all FTP sites on the machine)
  - An individual FTP site

This means virtual directories and individual files within FTP sites cannot be secured with authentication; only the sites themselves (or all sites using the FTP Sites node) can be.

Anonymous Access

Anonymous access is designed to allow anonymous users (that is, everyone) access to content on a site. Anonymous access is intended mainly for public sites hosted on web servers directly connected to the Internet. For example, if your company wants to put up a public website with support information for your products, then anonymous access is perfect for this because it allows customers to access the site without any visible authentication process (that is, without needing to enter a userid and password). Anonymous access is therefore suitable for sites where security is not an issue—security from the perspective of who can access your site, that is; even with anonymous access, you still need NTFS and web permissions to control what visitors can do once they’ve gained access to your site!

Anonymous access is enabled by default on the Default Web Site and Default FTP Site. When you create a new website using the Web Site Creation Wizard, you can deselect the Allow Anonymous Access To This Site check box when running the wizard to create a new website that has Integrated Windows Authentication as its only authentication method. When you create a new FTP site using the FTP Site Creation Wizard, however, you don’t have the option of disabling anonymous access but can do this after the site has been created if required.

When anonymous access is configured on a website and a user attempts to connect to your site, IIS assigns the Internet Guest Account (IUSR_computername) to the connection and uses this account as the security context for granting access to secured resources on the site. IUSR_computername is a member of the Guests group, and its level of access to resources is determined by this membership.

Security Alert! 

Do not make the Internet Guest Account a member of any group other than Guests, and do not change the rights of the Guests group or grant the account permissions on any of your network resources, as this can constitute a weakness in your network security.

Enabling Anonymous Access for Websites

To enable anonymous access to a website (or virtual directory or file within a site), click the Edit button in the Authentication and Access Control section on the Directory Security (or File Security) tab (see Figure 10-4 again). Clicking this button opens the Authentication Methods dialog box (Figure 10-5).

Figure 10-5: Configuring authentication methods for a site or directory

As mentioned previously, the Default Web Site has anonymous access and Integrated Windows Authentication enabled by default. When a user tries to connect to this site, IIS first tries to authenticate the user using anonymous access. If anonymous access fails, then the Integrated Windows Authentication method is tried (if you have additional authentication methods configured, see the “Order of Authentication” sidebar for more information). About the only way anonymous access can fail is if you change the password of the IUSR_computername account so that it no longer matches the password IIS has stored, which you can do using this dialog box (the box is mainly intended for selecting a different account to use as your Internet Guest Account).

Testing anonymous access to a site such as the Default Web Site is simple. Just open the Authentication Methods dialog box and clear every check box except Enable Anonymous Access. Then, from a separate machine, log on as a network user and open a URL containing the IP address of your IIS machine. You should see the default Under Construction page in your browser and should not be presented with any authentication dialog box.

Security Alert! 

What if you disable all authentication methods for a site by clearing all check boxes on its Authentication Methods dialog box? Browsers trying to access the site will receive the message “HTTP Error 401.2—Unauthorized: Access is denied due to server configuration.” This is a good clue that your site has an authentication configuration problem.

Enabling Anonymous Access for FTP Sites

Enabling anonymous access on FTP sites works a little differently than for websites. Here you use the Security Accounts tab of the FTP site properties sheet to configure authentication methods for the site (Figure 10-6).

Order of Authentication

If you have multiple authentication methods configured on an IIS website, virtual directory, or file, then the following rules determine the order in which these methods are attempted during the authentication process:

  1. If anonymous access is configured, it is attempted first.

  2. If anonymous access fails, is not configured, or is not supported by the client, then other authentication methods are attempted, starting with the most secure method (Integrated Windows Authentication), followed by progressively weaker methods (first Digest Authentication and then Basic Authentication). Each enabled method is tried in turn until the client and server can agree on a method, at which time the user's credentials are checked and the client is either authenticated or denied access to the site.

  3. If .NET Passport Authentication is selected, no other methods are available.
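The three rules above can be modeled as a small decision function. This is an added illustration, not code from the book or from IIS; the method names and the 401.2 message are from the text, while the function, the client-capability set, and the anonymous_works flag are assumptions made for the model. It also makes the security point the sidebar implies: if Basic Authentication is left enabled as a fallback, a client that cannot do Integrated Windows or Digest Authentication ends up sending its credentials via the weakest method.

```python
"""Model of the order in which IIS 6 tries enabled authentication methods."""
from typing import Iterable, Optional

# Method names as used in the chapter.
ANONYMOUS = "Anonymous access"
INTEGRATED = "Integrated Windows Authentication"
DIGEST = "Digest Authentication"
BASIC = "Basic Authentication"
PASSPORT = ".NET Passport Authentication"

# Rule 2: after anonymous access, strongest challenge first, weakest last.
FALLBACK_ORDER = [INTEGRATED, DIGEST, BASIC]

# What a browser sees when every check box has been cleared (see the alert).
NOTHING_ENABLED = ("HTTP Error 401.2 - Unauthorized: "
                   "Access is denied due to server configuration.")


def select_method(enabled: Iterable[str], client_supports: Iterable[str],
                  anonymous_works: bool = True) -> Optional[str]:
    """Return the method IIS would settle on, or None if access is refused.

    enabled          - methods ticked in the Authentication Methods dialog
    client_supports  - methods the connecting client can actually perform
    anonymous_works  - False models the IUSR_ password mismatch case
    """
    enabled = set(enabled)
    client = set(client_supports)
    if not enabled:
        return None            # the browser is shown NOTHING_ENABLED
    # Rule 3: Passport excludes every other method.
    if PASSPORT in enabled:
        return PASSPORT if PASSPORT in client else None
    # Rule 1: anonymous access is attempted first and needs no credentials.
    if ANONYMOUS in enabled and anonymous_works:
        return ANONYMOUS
    # Rule 2: walk from the strongest method to the weakest until the
    # client can answer one of the enabled challenges.
    for method in FALLBACK_ORDER:
        if method in enabled and method in client:
            return method
    return None


def weakest_reachable(enabled: Iterable[str]) -> Optional[str]:
    """The weakest credential-bearing method a client could be steered to."""
    enabled = set(enabled) - {ANONYMOUS, PASSPORT}
    for method in reversed(FALLBACK_ORDER):
        if method in enabled:
            return method
    return None
```

weakest_reachable() is the value to review when auditing a site: if it returns Basic Authentication and the site is not behind SSL, passwords can cross the network in cleartext.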

Figure 10-6: Configuring FTP site authentication

For the Default FTP Site, you can see that anonymous access is enabled because the Allow Anonymous Connections check box is selected. What’s not immediately plain from this is that Basic Authentication is also enabled by default. If you also select the Allow Only Anonymous Connections check box, however, you turn off Basic Authentication, and the site allows only anonymous access—that is, users’ credentials will not be checked.

You can test anonymous access for FTP sites by selecting the second check box on the Security Accounts tab of the Default FTP Site. For testing purposes, create a file called welcome.txt in the C:\Inetpub\ftproot directory, the home directory of the Default FTP Site. From another machine, open a command prompt and use the ftp command to connect to the site and display a list of files in the root directory.

Here’s an example of an FTP session. User John Smith connects to an FTP server with address 172.16.11.215 and tries to enter his own credentials (userid and password), which are either stored in Active Directory (in a domain scenario) or on the IIS machine (in a workgroup scenario). Because the server is configured to only allow anonymous access, John’s credentials are denied. He then tries entering “anonymous” (without the quotes) as his userid, and the server responds by saying that he should enter his e-mail address as his password (this is not required—you can enter anything for your anonymous password). John enters his e-mail address, and access is granted to the FTP site.

(Note that when you enter a password, no characters are displayed on the screen.)

    C:\> ftp
    ftp> open 172.16.11.215
    Connected to 172.16.11.215.
    220 Microsoft FTP Service
    User (172.16.11.215:(none)): jsmith
    331 Password required for johnsmith.
    Password:
    530 User johnsmith cannot log in.
    Login failed.
    ftp> user
    Username anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 Anonymous user logged in.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    welcome.txt
    226 Transfer complete.
    ftp: 13 bytes received in 0.01Seconds 1.30Kbytes/sec.
    ftp> quit
    221
    C:\>

You can also test anonymous FTP access by opening the URL ftp://172.16.11.215 (or whatever your machine’s IP address is). The browser should display a Notepad icon for the welcome.txt file. Right-click the file and select Copy To Folder to download the file to your machine.
