Web servers commonly are deployed in a wide variety
of configurations. Some servers provide content that should be directly
accessible to the public through the Internet. Others contain Web
application content that should be available only to a limited set of
users. Web server administration must have the ability to define which
users can connect to a Web service. After users have proven their
identity, rules must be in place for determining which content is
available to them.
In this article, you’ll learn about how you can configure authentication and authorization for protecting Web content in IIS. Due to the many security standards and approaches for Web services, it is important to understand how to select the most appropriate one for a given scenario. You will also learn how you can use features such as IP Address And Domain Restrictions and .NET Trust Levels to further secure your Web services.
Managing IIS Authentication
Authentication refers to the process by which a user or computer proves its identity for security purposes. The most familiar method is through a logon or username and an associated password. When working with Web servers such as IIS, authentication settings and options determine how users will provide their credentials to access content stored on the Web server. IIS provides numerous methods for securing content. By default, content stored in new Web sites, Web applications, and virtual directories will allow access to anonymous users. This means that users will not be required to provide any authentication information to retrieve the data. In this section, you’ll learn about the authentication modes supported by IIS and how you can configure them.
Understanding Anonymous Authentication
For many types of Web servers, users should be able to access at least a default page or some content without being required to provide authentication information. When you enable the Web Server (IIS) role by using default options, anonymous authentication is enabled for the Default Web Site and its associated Web content. Anonymous authentication is designed to provide access to content that should be available to all users who can connect to the Web server. An example is the default IIS Web page for Default Web Site. When IIS receives a request for content, it automatically uses a specific identity to attempt to complete the request. By default, anonymous authentication uses the IUSR built-in account. (See Figure 1.) As long as this user account has permission to access the content (based on NTFS permissions), the request will be processed automatically.
It is also possible to use the Set command to specify the username and password of a different account for anonymous requests. This is useful when you plan to use different NTFS permissions for different Web content. Finally, there is an option to use the Application Pool Identity. This setting instructs IIS to use the same credentials that are applied to the application pool used by the Web site or Web application.
If all the content on the Web server should be available to all users, then no further authentication configuration is required. More commonly, however, you will want to restrict access to at least some content on the server. For example, an intranet server might include a Web application or virtual directory that is intended only for members of the Human Resources department. To restrict access to content, you can use NTFS permissions. If the credentials that are configured for the anonymous authentication option are insufficient to access the content, it will not be returned to the user automatically. Generally, you will then enable one of the other available authentication methods so that authorized users can still access the content.
Note: Simplifying content protection
On all Web servers, some content exists that should not be accessible to any users. Examples include the contents of system folders (such as the Windows system folder) and application source code stored within Web content folders. You can use Deny NTFS permissions to ensure that users cannot use anonymous credentials to access this content. If you are using multiple accounts for anonymous authentication of different content, it is best to create a group that contains these accounts. You can then deny permission to the group to simplify administration.
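The following PowerShell script is an added example, not part of the original article, that applies the steps above with the WebAdministration module: it reports which identity anonymous requests run as, switches a site to the Application Pool Identity, turns anonymous access off for a restricted application, and backs that up with a Deny NTFS entry for a group holding the anonymous accounts. The site name "Default Web Site", the "HR" application under C:\inetpub\wwwroot\HR, and the local group "WebAnonymousAccounts" are assumed names.

```powershell
# Added example (not from the original article): manage the anonymous-authentication
# identity in IIS and back it with a Deny ACL. Run in an elevated session on the server.
# Assumed names: site "Default Web Site", application "HR" under C:\inetpub\wwwroot\HR,
# and a local group "WebAnonymousAccounts" that contains the anonymous accounts.
Import-Module WebAdministration

$apphost   = 'MACHINE/WEBROOT/APPHOST'   # write into applicationHost.config <location> tags
$site      = 'Default Web Site'
$hrApp     = "$site/HR"
$hrFolder  = 'C:\inetpub\wwwroot\HR'
$denyGroup = 'WebAnonymousAccounts'
$authBase  = 'system.webServer/security/authentication'

# 1. Report which identity anonymous requests run as for the site.
#    An empty userName means "Application Pool Identity"; the default is IUSR.
$anon = Get-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$authBase/anonymousAuthentication" -Name userName
$identity = if ([string]::IsNullOrEmpty($anon.Value)) { '(application pool identity)' } else { $anon.Value }
Write-Host "Anonymous identity for '$site': $identity"

# 2. Use the application pool identity for the site instead of the shared IUSR
#    account, so each site's pool account can carry its own NTFS permissions.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$authBase/anonymousAuthentication" -Name userName -Value ''

# 3. The HR application is for HR staff only: disable anonymous access there and
#    require Windows authentication (the Windows Authentication role service must
#    be installed for this configuration section to exist).
Set-WebConfigurationProperty -PSPath $apphost -Location $hrApp `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $hrApp `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# 4. Defence in depth: deny the group of anonymous accounts on the HR folder, so a
#    later misconfiguration that re-enables anonymous access still cannot read it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $denyGroup, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
$acl = Get-Acl -Path $hrFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $hrFolder -AclObject $acl

# 5. Verify the effective authentication settings on the HR application.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath $apphost -Location $hrApp `
        -Filter "$authBase/$section" -Name enabled).Value
    Write-Host ("{0,-24} enabled = {1}" -f $section, $enabled)
}
```

Writing to MACHINE/WEBROOT/APPHOST with -Location keeps the change in applicationHost.config, which works even when the authentication sections are locked against web.config overrides (the default).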