IIS 6 Integrated Security....risks??

on 27.11.2007 18:06:04 by rlopez

Hello from Spain,

I have a web server running under IIS 6 on Windows 2003 Standard Edition,
domain controller.
I have 2 "sites" (web pages really, not IIS 6 Web Sites) running on it on
the same port (80).
The first one is a plain HTML site, and I have Anonymous access security
applied to it. Works fine.
The second is an ASP.NET application, and I have Integrated Windows Security
applied to it. I have defined an ApplicationPool for this asp.net application
to run under a specific domain user account. Works fine too. When a user
connects to this application, the web browser asks for user credentials.

My doubt is: is this configuration secure enough for my asp.net application?
The server is running on Internet and Intranet at the same time. Some users
connect locally (from the LAN) and others connect over Internet to the
asp.net application sending their credentials.
As far as I know the credentials are sent encrypted??, but the pages
themselves are not encrypted; to do this I need an SSL connection?

Thanks a lot.

--
Roberto López

Re: IIS 6 Integrated Security....risks??

on 28.11.2007 00:25:38 by David Wang



You must define what you want to secure before you talk about how to
secure things. Some people think that they toss everything under SSL
and it is all "secured", but that misses the point. You still don't
know what you want to protect, so how do you know it's safe? You only
know you did something secure, but is it sufficient? And until you
know that, you can't even start thinking about risk because you have
no defined object whose security is being traded-off along some
unknown metric.

Is there data being passed on those web pages which require securing?
Are the authentication protocol's assumptions and premises sufficient
for your security requirements?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: IIS 6 Integrated Security....risks??

on 28.11.2007 13:54:46 by rlopez


Hello,
My first concern is to ensure that the domain server and all data on it is
secure. And the user names and passwords are secured.
We do not want users to have to write name and password a lot of times. And
we do not want that users have many different names and passwords to
remember.
The data that is being passed on those web pages needs to be protected too.
I think I need SSL for this?

Thanks.

Re: IIS 6 Integrated Security....risks??

on 29.11.2007 03:40:28 by Ken Schaefer

"Roberto López" wrote in message
news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl...
> Hello,
> My first concern is to ensure that the domain server and all data on it is
> secure.

Integrated Windows Authentication does not secure your server, or the data
on it.

> And the user names and passwords are secured.

Windows already stores usernames and passwords securely. You need to protect
these "in transit", and also to ensure that users do not disclose them to
others.

> We do not want users to have to write name and password a lot of times.

Write it where? You mean enter them?

> And
> we do not want that users have many different names and passwords to
> remember.

So, you need a single authentication store - something like Active
Directory. IWA doesn't help with this per se, because other authentication
mechanisms (like Basic or Digest Auth) can also use AD accounts.


> The data that is being passed on those web pages needs to be protected
> too.
> I think I need SSL to this?

Yes - SSL/TLS is one technology you can use for this. Or IPSec is another.

Cheers
Ken

Re: IIS 6 Integrated Security....risks??

on 29.11.2007 13:17:12 by rlopez

"Ken Schaefer" wrote in message
news:OE0nqFjMIHA.4880@TK2MSFTNGP03.phx.gbl...
>
> "Roberto López" wrote in message
> news:uqen02bMIHA.5160@TK2MSFTNGP05.phx.gbl...
> > Hello,
> > My first concern is to ensure that the domain server and all data on it
is
> > secure.
>
> Integrated Windows Authentication does not secure your server, or the data
> on it.
>
> > And the user names and passwords are secured.
>
> Windows already stores usernames and passwords securely. You need to
protect
> these "in transit", and also to ensure that users do not disclose them to
> others

But, with Integrated Windows Authentication the user name and password, as
far as I know, are sent encrypted?

> > We do not want users to have to write name and password a lot of times.
>
> Write it where? You mean enter them?

Yes, we do not want a lot of forms to enter "user and password" to access
asp.net application.

> > And
> > we do not want that users have many different names and passwords to
> > remember.
>
> So, you need a single authentication store - something like Active
> Directory. IWA doesn't help with this per se, because other authentication
> mechanisms (like Basic or Digest Auth) can also use AD accounts.
>
>
> > The data that is being passed on those web pages needs to be protected
> > too.
> > I think I need SSL to this?
>
> Yes - SSL/TLS is one technology you can use for this. Or IPSec is another.
>
> Cheers
> Ken
>

Thanks a lot.

Re: IIS 6 Integrated Security....risks??

on 29.11.2007 16:31:25 by Roger Abell

Hi Roberto,

My first reaction was like David's, that you must have your
priorities as to what you want to protect. Your reply included
that you want to protect the domain.

So, I come at an answer to you from a somewhat different
place, as I am a Windows infrastructure person, not specifically
an IIS guru. Other Active Directory experts, and myself, will
(probably always) be seen to advise that one never run IIS on
a domain controller, and that you always keep your domain
controller entirely inside your private network (i.e. not on the
edge). Those are two very significant steps one can take in
order to increase the security of one's domain infrastructure,
but they appear to be things you have not done.
You have also expressed interest in protecting the data that
is sent by IIS and in protecting the accounts.

Please understand, this is not saying that it is wrong or that
it is guaranteed unsafe, just that it brings risks to your entire
domain infrastructure that you could avoid and for which you
take on the need for added precautions.
This certainly can be done.
It is sort of like your having bought a big safe for your home
and put your valuables inside. But, after a while your wife
convinces you that she really, really misses seeing her most
prized diamond necklace so you have a window installed on
the side of the safe so that she can look at it. The result is
that the most valued part of the content of the safe is placed
at an unneeded weak spot in the protection. You need to make
that window out of very thick glass.

To protect the data sent you should have SSL3/TLS required
as others have advised.

To protect the accounts is however a little tricky. Apparently
people are logged in with these accounts when not inside your
network? so that these might travel over the internet to your
IIS's public interface? One problem with using Windows
integrated authentication is that whether it is used also will
depend on how the IE browser is configured, and it is too easy
for people to let IE send IWA responses to any other webserver,
which is generally considered bad and a risk. The client boxes
would need to be configured to send IWA responses only to
known machines. When done correctly IWA is possibly
better than is basic wrapped within SSL3/TLS, but it also does
imply that their domain accounts are being used on machines
that are not within the internal network, which itself has risks
for those accounts and the privacy/integrity of what those accounts
can access in the domain infrastructure.

Roger


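Roger's point that the client boxes must send IWA responses only to known machines comes down to two Internet Explorer settings: the per-zone "Logon" value (registry value `1A00` under each zone key) and the site-to-zone map. The following is an added example, not code from this thread or from Microsoft: a PowerShell script that reads those settings for the current user, reports any zone that would hand the user's Windows credentials to every site placed in it, and shows how to restrict automatic logon to the Local intranet zone with only a named host mapped there. The host name `iis.example.local`, the `KnownHost` parameter and the sample zone table are assumptions; the registry paths are IE's documented per-user locations, and a fleet would normally receive the same values through Group Policy rather than a script.

```powershell
# Added example, not from the thread: audit and constrain where Internet Explorer
# answers Integrated Windows (NTLM/Kerberos) challenges automatically.
# Assumptions: runs as the user whose IE profile is inspected; iis.example.local
# is a placeholder for the known IIS server. Paths are IE's per-user settings;
# the same values are usually pushed by Group Policy.

$ZoneRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# DWORD "1A00" (Logon) in each zone key: what IE does with a 401 Negotiate/NTLM challenge.
$LogonAutomatic    = 0x00000   # send current user name and password automatically
$LogonPrompt       = 0x10000   # prompt for user name and password
$LogonIntranetOnly = 0x20000   # automatic logon only in the Intranet zone
$LogonAnonymous    = 0x30000   # anonymous logon

function ConvertTo-LogonSetting([int]$Value) {
    switch ($Value) {
        $LogonAutomatic    { 'automatic logon' }
        $LogonPrompt       { 'prompt' }
        $LogonIntranetOnly { 'automatic only in Intranet zone' }
        $LogonAnonymous    { 'anonymous' }
        default            { 'unknown (0x{0:X})' -f $Value }
    }
}

# Pure check on a zone -> logon-value table: zones other than Local intranet that
# hand the domain credentials to every site placed in them.
function Get-IwaExposure([hashtable]$ZoneLogon) {
    $exposed = @()
    foreach ($zone in ($ZoneLogon.Keys | Sort-Object)) {
        if (($zone -ne 1) -and ([int]$ZoneLogon[$zone] -eq $LogonAutomatic)) {
            $exposed += [int]$zone
        }
    }
    return ,$exposed
}

function Get-IeLogonReport {
    $zoneLogon = @{}
    foreach ($zone in 1..4) {
        $key = Join-Path $ZoneRoot $zone
        $v = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($v -eq $null) { continue }   # value absent: IE falls back to the zone default
        $zoneLogon[$zone] = [int]$v
        '{0,-16} logon: {1}' -f $ZoneNames[$zone], (ConvertTo-LogonSetting $v)
    }
    foreach ($zone in (Get-IwaExposure $zoneLogon)) {
        'WARNING: zone "{0}" sends Windows credentials to every site in it' -f $ZoneNames[$zone]
    }
    # Explicit site-to-zone assignments: a key per domain (subkey per host label),
    # value name is the scheme, data is the zone number.
    if (Test-Path $ZoneMapDomains) {
        Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $site  = $_.Name -replace '^.*\\Domains\\', ''
            foreach ($scheme in 'http', 'https') {
                if ($props.$scheme -ne $null) {
                    'mapped: {0}://{1} -> {2}' -f $scheme, $site, $ZoneNames[[int]$props.$scheme]
                }
            }
        }
    }
}

# Constrain: every zone except Local intranet gets "automatic only in Intranet
# zone", and only the known host is mapped into Local intranet (zone 1) for HTTPS.
function Set-IwaIntranetOnly([string]$KnownHost = 'iis.example.local') {
    foreach ($zone in 2, 3, 4) {
        Set-ItemProperty -Path (Join-Path $ZoneRoot $zone) -Name '1A00' -Value $LogonIntranetOnly -Type DWord
    }
    # IE stores host.domain.tld as Domains\domain.tld\host; a single-label name goes directly under Domains
    $parts = $KnownHost -split '\.', 2
    if ($parts.Count -eq 2) { $hostKey = Join-Path (Join-Path $ZoneMapDomains $parts[1]) $parts[0] }
    else                    { $hostKey = Join-Path $ZoneMapDomains $KnownHost }
    if (-not (Test-Path $hostKey)) { New-Item -Path $hostKey -Force | Out-Null }
    New-ItemProperty -Path $hostKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Constructed sample table (not read from a machine): Trusted sites set to automatic
# logon is the exposure Roger describes; Internet at its default is not flagged.
$sampleExposure = Get-IwaExposure @{ 1 = 0x00000; 2 = 0x00000; 3 = 0x20000; 4 = 0x10000 }
'exposed zones in sample: ' + (($sampleExposure | ForEach-Object { $ZoneNames[$_] }) -join ', ')
Get-IeLogonReport
```

Two caveats when reading the report: IE also treats single-label host names and anything on the proxy bypass list as Local intranet without an explicit mapping, so an empty zone map does not mean nothing is auto-logged-on; and mapping the server for `https` only makes sense once the site actually requires SSL, which is the other half of the advice in this thread.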

Re: IIS 6 Integrated Security....risks??

on 29.11.2007 19:16:38 by rlopez

Thanks a lot for all your comments.
Really I know this is not the best configuration to have a web server
running (with access from Internet) but the hardware infrastructure does not
depend on me.
What I would like to have is a web server "isolated" from the LAN, and
obviously not a domain controller. But this is what I have.

So it is obvious that I need SSL or maybe VPN connections to the server to
protect data transmission.

Thanks.



Re: IIS 6 Integrated Security....risks??

on 30.11.2007 03:20:46 by Ken Schaefer

"Roberto López" wrote in message
news:O%23GrfGoMIHA.4480@TK2MSFTNGP06.phx.gbl...
> But, with Integrated Windows Authentication the user name and password, as
> far as I know, are sent encrypted?

Hi,

With NTLM authentication, the password is hashed using the NTLM v2
mechanism.

With Kerberos Authentication, the client sends an authenticator and service
ticket. The username is not encrypted, but the password is never transmitted
to the server in question (as the trusted third party - the KDC/Domain
Controller - knows all the passwords).

Cheers
Ken
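To turn Ken's two answers into something checkable (his earlier point that SSL/TLS or IPSec is what protects the page data, and the note just above on what NTLM and Kerberos actually put on the wire), here is an added example that is not code from this thread or from Microsoft: a PowerShell audit of an IIS 6 node's `AuthFlags`, `AccessSSLFlags` and `NTAuthenticationProviders` metabase properties, which flags combinations such as Integrated Windows authentication without SSL, Basic without SSL, or a provider list that never offers Kerberos. It assumes PowerShell 2.0 or later on the IIS 6 host with administrative rights; the metabase path `IIS://localhost/W3SVC/1/Root` and the sample values are placeholders for the ASP.NET application's own node.

```powershell
# Added example, not code from the thread or from Microsoft: audit an IIS 6 web
# directory's authentication and SSL settings via the metabase ADSI provider.
# Assumptions: PowerShell 2.0+ on the IIS 6 host with administrative rights;
# IIS://localhost/W3SVC/1/Root is a placeholder for the ASP.NET application's node.

# IIS 6 metabase AuthFlags bits
$AuthAnonymous = 1     # anonymous access
$AuthBasic     = 2     # Basic authentication
$AuthNTLM      = 4     # Integrated Windows authentication (Negotiate/NTLM)
$AuthMD5       = 16    # Digest authentication
# AccessSSLFlags bits
$AccessSSL     = 8     # require SSL
$AccessSSL128  = 256   # require 128-bit SSL

function Test-Flag([int]$Value, [int]$Bit) {
    return (($Value -band $Bit) -ne 0)
}

# Pure evaluation of the three settings, independent of a live metabase.
function Get-IisAuthFindings {
    param(
        [int]$AuthFlags,
        [int]$AccessSSLFlags,
        [string]$NTAuthenticationProviders = 'Negotiate,NTLM'   # IIS 6 default
    )
    $findings    = @()
    $sslRequired = Test-Flag $AccessSSLFlags $AccessSSL
    $iwa         = Test-Flag $AuthFlags $AuthNTLM

    if ((Test-Flag $AuthFlags $AuthBasic) -and -not $sslRequired) {
        $findings += 'Basic authentication without SSL: the password crosses the wire Base64-encoded, i.e. readable'
    }
    if ($iwa -and -not $sslRequired) {
        $findings += 'Integrated Windows authentication without SSL: the password is protected by NTLM/Kerberos, but page content and cookies travel in clear text'
    }
    if ($iwa -and ($NTAuthenticationProviders -notmatch 'Negotiate')) {
        $findings += 'Only NTLM offered: clients can never use Kerberos, so a password-derived response leaves the client on every logon'
    }
    if ($sslRequired -and -not (Test-Flag $AccessSSLFlags $AccessSSL128)) {
        $findings += 'SSL required but 128-bit keys not enforced'
    }
    if ($iwa -and (Test-Flag $AuthFlags $AuthAnonymous)) {
        $findings += 'Anonymous and Integrated Windows authentication both enabled: IIS tries anonymous first, so protection rests on NTFS ACLs or the application'
    }
    return ,$findings
}

# Read the live metabase values for one node and print the findings.
function Get-IisAuthReport([string]$MetabasePath = 'IIS://localhost/W3SVC/1/Root') {
    $node      = [ADSI]$MetabasePath
    $providers = 'Negotiate,NTLM'
    try { $providers = [string]$node.Get('NTAuthenticationProviders') } catch { }
    $authFlags = [int]$node.Get('AuthFlags')
    $sslFlags  = [int]$node.Get('AccessSSLFlags')

    '{0}: AuthFlags={1} AccessSSLFlags={2} NTAuthenticationProviders={3}' -f $MetabasePath, $authFlags, $sslFlags, $providers
    $findings = Get-IisAuthFindings -AuthFlags $authFlags -AccessSSLFlags $sslFlags -NTAuthenticationProviders $providers
    if ($findings.Count -eq 0) { '  no findings' }
    foreach ($f in $findings) { '  - ' + $f }
}

# Constructed sample reproducing the original post: IWA on, no SSL, default providers.
$sample = Get-IisAuthFindings -AuthFlags $AuthNTLM -AccessSSLFlags 0
$sample | ForEach-Object { 'sample finding: ' + $_ }
```

Run `Get-IisAuthReport` against the application's node to see the live values; the constructed sample at the end reproduces the configuration in the original question and yields exactly one finding, the missing SSL requirement. The findings are deliberately worded around what each setting does and does not protect, because, as Ken says, IWA keeps the password off the wire but does nothing for the pages themselves.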

Re: IIS 6 Integrated Security....risks??

on 30.11.2007 18:20:16 by rlopez

Thanks a lot for your comments.
I have learned a lot with this post.


