Abstract
The chapter focuses on the authentication methods supported in Internet Information Services (IIS) 6.0. It explores some radical changes that Microsoft has made to its Web server in Windows Server 2003 and their impact on the overall security quality of the IIS Web server. Windows Server 2003 is Microsoft's first enterprise operating system (OS) that carries the label "secure by default." Accordingly, Internet Information Services (IIS) is now an optional service and is not installed by default on a Windows Server 2003 installation. In a Windows Server 2003 domain, administrators can even prevent the installation of IIS 6.0 using the GPO setting "Prevent IIS installation," located in the Computer Configuration\Administrative Templates\Windows Components\Internet Information Services GPO container. Perhaps the most fundamental change that makes IIS 6.0 more secure by default is its brand-new architecture. The key characteristic of this architecture is isolation. IIS 6.0 supports an operation mode known as worker process isolation mode (WPIM), which enables different Web sites (and their worker processes) running on the same physical server to operate completely independently of one another, so that a compromise or crash of one worker process does not affect the others. The chapter details the three HTTP authentication processes supported by Microsoft's Web server: basic authentication, digest authentication, and certificate-based authentication built on the secure sockets layer (SSL) and transport layer security (TLS) protocols. The explanation also covers the integration of the Kerberos and NTLM protocols into the IIS authentication exchange and its configuration, and Passport-based authentication.
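As an added illustration of the first two HTTP schemes the chapter covers, the following Python code is not from the chapter or from IIS; it builds and checks a Basic Authorization header and an RFC 2617 Digest header with qop=auth. The realm, nonce, user name and password are constructed sample values. It shows why Basic is only acceptable over SSL/TLS (the header is reversible base64 of user:password, so anyone who sees it recovers the password) and how Digest lets the server verify a response by recomputing MD5(HA1:nonce:nc:cnonce:qop:HA2) without the password ever crossing the wire.

```python
"""Basic vs Digest HTTP authentication (RFC 2617). Added example, not chapter code."""
import base64
import hashlib
import hmac
import re

REALM = "iis.example.test"                             # hypothetical realm
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"    # constructed; real servers issue a fresh one per challenge


def basic_authorization(username, password):
    """Client side of Basic: base64(user:password). This is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header):
    """What the server, or any on-path observer of a non-TLS request, gets from a Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # a server may store HA1 instead of the password
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_authorization(username, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """Client side of Digest: the password itself never appears in the header."""
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, response))


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header):
    """Parse the key=value / key="value" list of a Digest header into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or unquoted for key, quoted, unquoted in _PARAM.findall(params)}


def verify_digest(header, password_lookup, method, expected_nonce, realm=REALM):
    """Server side: recompute the response from the stored secret and compare in constant time.

    password_lookup is a dict user -> password standing in for the account store.
    """
    p = parse_digest_header(header)
    required = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in p for k in required):
        return False
    # Reject replays of a stale or foreign challenge before doing any hashing.
    if p["nonce"] != expected_nonce or p["realm"] != realm or p["qop"] != "auth":
        return False
    password = password_lookup.get(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], realm, password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    # Constructed sample exchange.
    basic = basic_authorization("alice", "s3cr3t")
    print(basic, "->", recover_basic_credentials(basic))
    digest = digest_authorization("alice", "s3cr3t", "GET", "/secure/", SERVER_NONCE, "00000001", "0a4f113b")
    print(digest)
    print("digest verifies:", verify_digest(digest, {"alice": "s3cr3t"}, "GET", SERVER_NONCE))
```

Two points worth noting against the chapter's topic: Digest only protects the password in transit, so the server still has to hold either the clear-text password or the precomputed HA1 for the realm, and a Digest header captured on the wire can be replayed until the nonce expires, which is why the server-side check above rejects any nonce it did not issue. Neither scheme authenticates the server; that is what the certificate-based SSL/TLS authentication the chapter goes on to describe provides.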