using internet information server and microsoft ® internet explorer to implement security on the...
Post on 21-Dec-2015
217 views
TRANSCRIPT
Using Internet Information Using Internet Information Server And MicrosoftServer And Microsoft®® Internet Internet
Explorer To Implement Security Explorer To Implement Security On The IntranetOn The Intranet
HTTP
AgendaAgenda
Internet Explorer SecurityInternet Explorer Security Internet Information Internet Information
Systems SecuritySystems Security Secure Case StudiesSecure Case Studies Questions?Questions?
The purpose of this talk is to provoke thought and show you what is possible.
The purpose of this talk is to provoke thought and show you what is possible.
Basic Security PrinciplesBasic Security Principles
Security covers:Security covers: AuthenticationAuthentication Access ControlAccess Control PrivacyPrivacy Data IntegrityData Integrity Monitoring Monitoring Non-repudiationNon-repudiation
Security Features of IE4Security Features of IE4
SSLSSL ZonesZones JavaJava™™ Sandbox Sandbox AuthentiCodeAuthentiCode™™ 2.0 2.0 Cookie/<FORM> warningsCookie/<FORM> warnings
Secure Sockets Layer 3.0Secure Sockets Layer 3.0
SSL provides secure SSL provides secure communication between a client communication between a client and server by using:and server by using: Server and (optionally) client Server and (optionally) client
certificates certificates (authentication)(authentication) Symmetric key cryptography Symmetric key cryptography (bulk (bulk
encryption)encryption) Public key cryptography Public key cryptography
(transferring session keys)(transferring session keys) Message Digests Message Digests (integrity)(integrity)
Internet Explorer 4.0Internet Explorer 4.0
Uses SSL to provide support for Uses SSL to provide support for the HTTPS protocolthe HTTPS protocol HTTP over SSLHTTP over SSL
Internet Explorer can store:Internet Explorer can store: Certificate authority Certificate authority
root certificatesroot certificates Client certificatesClient certificates
If a server requires a client If a server requires a client certificate and you have more certificate and you have more than one, IE will ask you which than one, IE will ask you which one you want to useone you want to use
Internet Explorer 4.0 Internet Explorer 4.0 Innovation: Security ZonesInnovation: Security Zones Goals: convenience, protection, Goals: convenience, protection,
and manageabilityand manageability Avoid multiple messages to user, Avoid multiple messages to user,
authorization fatigueauthorization fatigue Protect against risk when browsing Protect against risk when browsing
untrusted sitesuntrusted sites Administration supportAdministration support
Solution: security zonesSolution: security zones Divide Web space into multiple security zones,Divide Web space into multiple security zones, Administrator or user to set security policyAdministrator or user to set security policy
Security Zones OverviewSecurity Zones Overview
Includes 4 default zonesIncludes 4 default zones InternetInternet Local Intranet Local Intranet Trusted Web sitesTrusted Web sites Restricted sitesRestricted sites
Sites can be added to existing Sites can be added to existing ZonesZones
Simplified settingsSimplified settings High/Medium/LowHigh/Medium/Low
Custom settings allowedCustom settings allowed
Configuring ZonesConfiguring Zones
Access to files, ActiveXAccess to files, ActiveX™™ Controls, Controls, and scriptsand scripts
The level of capabilities given The level of capabilities given to to Java applets Java applets
Whether sites must be identified Whether sites must be identified with SSL authenticationwith SSL authentication
Form submission protectionForm submission protection Password protection Password protection
Capabilities-based security: Capabilities-based security: Increasing Java’s Horsepower SafelyIncreasing Java’s Horsepower Safely
Java Applet/Component sandboxingJava Applet/Component sandboxing Digital Signing of all componentsDigital Signing of all components Granular capabilitiesGranular capabilities Integration with ZonesIntegration with Zones Simplified user model:Simplified user model:
Low trust: Applet-level capabilities; limited Low trust: Applet-level capabilities; limited scratch spacescratch space
Medium Trust: user directed file I/O; printingMedium Trust: user directed file I/O; printing High Trust: Full read/write execute; full native High Trust: Full read/write execute; full native
code access; flexibile net/subnet permissionscode access; flexibile net/subnet permissions
Using ActiveX controls Using ActiveX controls with Zoneswith Zones
For the web to be a viable For the web to be a viable application platform, need application platform, need components with special accesscomponents with special access
Use zones to differentiate Use zones to differentiate capabilitiescapabilities
Differentiate between “Safe for Differentiate between “Safe for Scripting” and “Unsafe for Scripting” and “Unsafe for Scripting”Scripting”
Authenticode 2.0Authenticode 2.0
Second Generation code Second Generation code authenticationauthentication Digital SigningDigital Signing
New support for Time stampingNew support for Time stamping New capabilities for certificate New capabilities for certificate
revocation now enabledrevocation now enabled Built in to IE 4.0Built in to IE 4.0
WWW Service SecurityWWW Service Security
AuthenticationAuthentication AnonymousAnonymous BasicBasic Password Password
authenticated authenticated Windows NTWindows NT®® user accessuser access
SSL 3.0SSL 3.0Client Client CertificatesCertificates
CustomCustom
Authentication ModelsAuthentication Models
AnonymousAnonymous Map onto IUSR_Map onto IUSR_machinenamemachinename account account Guest accountGuest account
BasicBasic Base64 encoded password/usernameBase64 encoded password/username
NTLMNTLM Uses Windows NT network Uses Windows NT network
authenticationauthentication No passwordNo password
IIS4 and SSLIIS4 and SSL IIS supports SSLIIS supports SSL
And hence HTTPSAnd hence HTTPS
IIS supports client authentication IIS supports client authentication certificatescertificates client certificates can be used to client certificates can be used to
validate users and optionally map validate users and optionally map them onto Windows NT accountsthem onto Windows NT accounts
SSL support in IIS is incredibly SSL support in IIS is incredibly flexible and granularflexible and granular
IIS Security SettingsIIS Security SettingsAnonymousNo SSLIn-processInternet
NTLMNo SSLIn-processIntranet
Client CertSSLIn-processExtranet Anonymous
No SSLOut-of-processInternet
AnonymousSSLIn-processSecure Internet
NTLMNo SSLIn-processAdmin-Intranet
Each ExampleEach Example
Start with a base and consider:Start with a base and consider: AuthenticationAuthentication Access ControlAccess Control PrivacyPrivacy Data IntegrityData Integrity Monitoring Monitoring Non-repudiationNon-repudiation
Give report card on each!Give report card on each!
A Simple ScenarioA Simple Scenario
IntranetIntranet Using Windows NTUsing Windows NT
Therefore using NTLM Therefore using NTLM authenticationauthentication
Very secure authenticationVery secure authentication Requires no extra work in Requires no extra work in
Internet ExplorerInternet Explorer Set Set Requires Windows NT Requires Windows NT
Challenge ResponseChallenge Response in Internet in Internet Information ServerInformation Server
A Simple ScenarioA Simple Scenario
Report CardReport Card Authentication (very good)Authentication (very good) Access Control (very good, use Access Control (very good, use
ACLs)ACLs) Privacy (poor)Privacy (poor) Data Integrity (poor)Data Integrity (poor) Monitoring (good, use Logging)Monitoring (good, use Logging) Non-repudiation (very poor)Non-repudiation (very poor)
A Simple ScenarioA Simple Scenario
To strengthen the simple To strengthen the simple scenarioscenario Use SSLUse SSL Requires Server CertificateRequires Server Certificate
New Report cardNew Report card Privacy (very good to excellent)Privacy (very good to excellent) Data Integrity (excellent)Data Integrity (excellent)
An Internet ScenarioAn Internet Scenario
Various ClientsVarious Clients Using FirewallUsing Firewall Report CardReport Card
Authentication (poor to good)Authentication (poor to good) Access Control (very good, use Access Control (very good, use
ACLs)ACLs) Privacy (poor)Privacy (poor) Data Integrity (poor)Data Integrity (poor) Monitoring (good, use Logging)Monitoring (good, use Logging) Non-repudiation (very poor)Non-repudiation (very poor)
An Internet ScenarioAn Internet Scenario
To strengthen the simple To strengthen the simple scenarioscenario Use SSLUse SSL Requires Server CertificateRequires Server Certificate Use Basic auth over SSLUse Basic auth over SSL
New Report cardNew Report card Privacy (very good to excellent)Privacy (very good to excellent) Data Integrity (excellent)Data Integrity (excellent)
An Internet ScenarioAn Internet Scenario
To strengthen the scenario moreTo strengthen the scenario more Require client certificatesRequire client certificates
New Report cardNew Report card Privacy (very good to excellent)Privacy (very good to excellent) Data Integrity (excellent)Data Integrity (excellent) Non-Repudiation (fair)Non-Repudiation (fair)
Overhead in issuing client certsOverhead in issuing client certs Great Extranet solution when Great Extranet solution when
used with Certificate Serverused with Certificate Server