Security

Basic Authentication

Basic authentication, part of the HTTP 1.0 specification, is the method supported by most Web servers and Web browsers. With Basic authentication, you can restrict access to files on the server that is running IIS 5.0, by using NTFS security. This requires the user to enter credentials, which allows tracking of who has access to what (based on the user ID). You can use this method in order to restrict access to some parts of the Web server when:

• You cannot guarantee that the user’s browser supports integrated Windows authentication (Microsoft® Internet Explorer 2.0 or later supports this).
• You need to authenticate through a proxy server.

To use Basic authentication, grant each user account the Log on locally user right on the IIS 5.0 server. These accounts should have file access controlled; place them in a user group that has access only to the required files that are on the server.

When using Basic authentication, the browser prompts the user for a user name and password. This information is then transmitted across HTTP where it is lightly scrambled using Base64 encoding (You can get more information about Base64 encoding from the Internet standard RFC1521.) IIS 5.0 takes this user name and password and authenticates the user as the corresponding Windows user.

Keep the following in mind when using Basic authentication:

• Basic authentication will not succeed if the user doesn’t have local logon rights at the Web server. This is the default; it can be changed to a network logon, for example, if you set the LogonMethod appropriately. Refer to the IIS 5.0 online product documentation or the Microsoft® Active Directory™ Service Interfaces (ADSI) sample at the end of this section for more information about LogonMethod.
• A user who can obtain physical access to the host that is running the Web server will be permitted to start an interactive session at the computer. This is because the user has local logon rights. Be sure to set the appropriate NTFS file protections in order to control this.

Basic authentication is inherently insecure. Passwords are encoded but not securely encrypted. As a result, a simple network sniffer can watch for the HTTP authentication headers and Base64 decode this data to obtain the real password. The following figure shows an example of a network sniff.

In the bottom line, shown in the figure above, the Authorization header indicates the use of Basic authentication followed by some Base64 encoded data. If you were to decode the VGVzdFVzZXI6Tm9uZSE= string, you would find this is the TestUser account using a password of None! to access this Web server.

To make passwords more secure, and hence Basic authentication more secure, you can use SSL support in order to establish a secure session. This way, the password will still be encoded, but the HTTP session carrying the data will be encrypted using cryptographically-secure mechanisms. However, keep in mind that SSL negatively affects performance because all data in the requested page must be encrypted.

Basic Authentication Header Flow

The following figure shows the flow of HTTP headers when you use Basic authentication.

© 1997-1999 Microsoft Corporation. All rights reserved.