Web Security Features
A key concern of Internet site managers is the security of their site and the critical business information on it. The same protection available with Microsoft® Windows NT® Server for files and applications is now available for Microsoft Internet Information Server 4.0 (IIS), with no extra work for system administrators.
IIS 4.0 helps you:
- Keep documents and applications secure.
- Identify and authenticate users.
- Keep data confidential and secure over the network.
KEEP DOCUMENTS AND APPLICATIONS SECURE
IIS 4.0 is integrated with Windows NT Server file security to provide the highest levels of protection.
- Every file and application must be accessed through a Windows NT user account, either the IIS anonymous user or a user that has been authenticated to the server.
- Windows NT tracks users by a unique security identifier (SID), not by user name. So if a user account is deleted and a new one is created with the same name, the new user cannot inherit any permissions belonging to the old account. Because the Windows NT directory is also integrated with the file system security manager, when a user or group account is deleted, all associated file permissions are deleted.
- File permissions can be applied easily using familiar tools such as the Windows File Explorer. Users and groups are managed graphically. Web permissions can also be applied from within Microsoft FrontPage.
IDENTIFY AND AUTHENTICATE USERS
Organizations need to provide secure access to information on their networks and servers, so user authentication is an important aspect of a Web server. Windows NT Server and IIS offer administrators a flexible set of options for authenticating a user.
- Windows NT Challenge/Response
IIS 4.0 supports Windows NT Challenge/Response authentication, which uses a cryptographic technique to authenticate the password. The actual password is never sent across the network, so it cannot be captured by an unauthenticated party listening on the wire. Challenge/Response is supported by Microsoft Internet Explorer version 2.0 and higher.
- Basic authentication
Basic authentication is not as secure as Windows NT Challenge/Response, but it is supported by almost every Web browser on the market. Basic authentication sends the user name and password in clear (unencrypted) text, which can be stolen by others on the Internet.
- Digital certificates
Digital certificates give users a secure method of logging on to a Web site without having to remember logon identifications and passwords. IIS 4.0 goes a step further and provides two methods for mapping digital certificates to Windows NT Server user accounts.
  - Certificate mapping
  This method maps the actual certificate to a Windows NT Server user account and requires a copy of the certificate. It is an ideal approach when the Web site issues its own certificates using a certificate server such as Microsoft Certificate Server, which is included in the Windows NT 4.0 Option Pack.
  - Wildcard mapping
  In this case, the server is not required to possess the certificate and authenticates based on certain information stored in the certificate, such as "SubjectName." IIS 4.0 also includes an ActiveX component that automates wildcard mapping from an Active Server Page. For example, a business could set up an ASP that asks users whether they wish to map their certificate to their Windows NT Server user account. If the user chooses to do so, the information in the certificate is mapped to the appropriate Windows NT Server user account.
  - Using digital certificates programmatically
  Client authentication in IIS 4.0 goes beyond pure authentication and access control. Information in the certificate is exposed to both ASP and ISAPI applications. This allows developers to create custom ASP and ISAPI applications that serve personalized content, control access, or query back-end databases based on the information fields in the client certificate.
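The two mapping modes described above, as an added worked model (not Microsoft's code): certificate mapping keys on a fingerprint of the certificate the server holds a copy of, while wildcard mapping keys on SubjectName fields alone. All certificates, rules, account names and the "explicit map before wildcard rules" ordering are constructed assumptions for the illustration.

```python
import hashlib
from typing import Optional

# Added example, not Microsoft code: a model of IIS 4.0-style certificate mapping.
# Certificates, rules and account names below are constructed sample data.

def thumbprint(der: bytes) -> str:
    """One-to-one ('certificate') mapping keys on the certificate itself."""
    return hashlib.sha1(der).hexdigest()

def subject_fields(subject: str) -> dict:
    """Parse a SubjectName such as 'C=US, O=Contoso, OU=Sales, CN=Alice'."""
    fields = {}
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:                       # skip malformed pieces with no '='
            fields[key.strip().upper()] = value.strip()
    return fields

def certificate_map(der: bytes, table: dict) -> Optional[str]:
    """Return the account bound to this exact certificate, if the server holds a copy."""
    return table.get(thumbprint(der))

def wildcard_map(subject: str, rules: list) -> Optional[str]:
    """Return the account of the first rule whose required fields all match.
    A rule is ({field: value_or_'*'}, account); a field must be present to match."""
    fields = subject_fields(subject)
    for required, account in rules:
        if all(k in fields and (v == "*" or fields[k] == v)
               for k, v in required.items()):
            return account
    return None

def map_certificate(der: bytes, subject: str, table: dict, rules: list) -> Optional[str]:
    """Try the explicit certificate map before the wildcard rules (ordering assumed
    for this model). Chain validation against a trusted CA must already have
    succeeded; otherwise any certificate carrying a matching SubjectName would be
    mapped to the account."""
    return certificate_map(der, table) or wildcard_map(subject, rules)

# Constructed sample data
ALICE_DER = b"constructed stand-in for Alice's DER-encoded certificate"
CERT_TABLE = {thumbprint(ALICE_DER): "CONTOSO\\alice"}
RULES = [
    ({"O": "Contoso", "OU": "Sales"}, "CONTOSO\\SalesWeb"),  # most specific rule first
    ({"O": "Contoso", "CN": "*"}, "CONTOSO\\Staff"),          # any named Contoso cert
]

if __name__ == "__main__":
    print(map_certificate(ALICE_DER, "C=US, O=Contoso, OU=Sales, CN=Alice", CERT_TABLE, RULES))
    print(map_certificate(b"unknown", "C=US, O=Contoso, OU=Sales, CN=Bob", CERT_TABLE, RULES))
```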
KEEP DATA CONFIDENTIAL AND SECURE OVER THE NETWORK
IIS 4.0 provides privacy, integrity, and authentication in point-to-point communications through Microsoft's Secure Channel technology.
SECURE SOCKETS LAYER
IIS 4.0 supports the industry-standard Secure Sockets Layer (SSL) 2.0 and 3.0 for secure communication as a base feature. Administrators apply Secure Channel services to their Web site by simply selecting a check box in the IIS Internet Service Manager. A server certificate is presented to the client so that the client can authenticate the identity of the IIS 4.0 server; a server running SSL is required to have a server certificate. Optionally, the IIS 4.0 server can also request a client certificate. SSL takes it from there, negotiating a secure connection with any browser connecting to the site, which ensures secure communications between client and server.
SERVER GATED CRYPTO
Server Gated Crypto (SGC) is an extension to the Secure Sockets Layer (SSL) security protocol that gives a bank's Internet server the ability to "switch on" 128-bit encryption if an SGC digital certificate is present. A separate SGC upgrade enables the client software to query the server for the presence of an SGC digital certificate during the digital "handshake" with the bank's server. If the client software detects such a certificate, the session is established using 128-bit encryption. If a certificate is not detected, the client and server negotiate the highest level of mutually available encryption.
Server Gated Crypto allows international banks to build computer infrastructures based on the Microsoft® BackOffice® family that interoperate with a range of popular client software, including Microsoft Internet Explorer 3.02, Internet Explorer 4.0, Microsoft Money 98 and Netscape Navigator 4.0, no matter where their customers might be.