Using Internet Information Server And Microsoft® Internet Explorer To Implement Security On The Intranet

Post on 21-Dec-2015



TRANSCRIPT


Agenda

- Internet Explorer Security
- Internet Information Server Security
- Secure Case Studies
- Questions?

The purpose of this talk is to provoke thought and show you what is possible.


Basic Security Principles

Security covers:
- Authentication
- Access Control
- Privacy
- Data Integrity
- Monitoring
- Non-repudiation

Internet Explorer Security

Security Features of IE4

- SSL
- Zones
- Java™ Sandbox
- Authenticode™ 2.0
- Cookie/<FORM> warnings

Secure Sockets Layer 3.0

SSL provides secure communication between a client and server by using:
- Server and (optionally) client certificates (authentication)
- Symmetric key cryptography (bulk encryption)
- Public key cryptography (transferring session keys)
- Message digests (integrity)

Internet Explorer 4.0

- Uses SSL to provide support for the HTTPS protocol (HTTP over SSL)
- Internet Explorer can store:
  - Certificate authority root certificates
  - Client certificates
- If a server requires a client certificate and you have more than one, IE will ask you which one you want to use

Internet Explorer 4.0 Innovation: Security Zones

Goals: convenience, protection, and manageability
- Avoid multiple messages to the user (authorization fatigue)
- Protect against risk when browsing untrusted sites
- Administration support

Solution: security zones
- Divide Web space into multiple security zones
- Administrator or user sets the security policy for each zone

Security Zones Overview

- Includes 4 default zones: Internet, Local Intranet, Trusted Web sites, Restricted sites
- Sites can be added to existing zones
- Simplified settings: High/Medium/Low
- Custom settings allowed

Configuring Zones

Each zone controls:
- Access to files, ActiveX™ controls, and scripts
- The level of capabilities given to Java applets
- Whether sites must be identified with SSL authentication
- Form submission protection
- Password protection
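The zone model above, worked through in code. This is an added example, not code from the slides: the site lists, the order in which the lists are consulted, the unqualified-name rule for the intranet zone and the per-zone settings are a simplified model of IE4's behaviour and should be read as assumptions. The point it makes concrete is the "must be identified with SSL authentication" setting: a host on the Trusted list reached over plain http gets only the Internet zone's capabilities, because nothing has verified that the host is who it says it is.

```python
"""A model of IE4 security zones: which zone a URL lands in, and what that
zone's policy says for a given capability.

Added example; not code from the slides. Zone membership order, the
site-list format and the per-zone defaults are a simplified model
(assumptions), written to make the lookup concrete.
"""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed site lists an administrator might push out.
TRUSTED_SITES = ["partner.example.com", "*.corp.example"]
RESTRICTED_SITES = ["*.evil.example"]
INTRANET_SITES = ["wiki.internal.example"]
TRUSTED_REQUIRES_HTTPS = True  # "sites must be identified with SSL authentication"

# Illustrative settings per zone. activex/script/form_submit use IE's
# enable/prompt/disable choices; java uses the slides' trust levels.
ZONE_POLICY = {
    "Restricted sites": {"activex": "disable", "script": "disable", "java": "disabled", "form_submit": "prompt"},
    "Internet":         {"activex": "prompt",  "script": "enable",  "java": "medium",   "form_submit": "prompt"},
    "Local intranet":   {"activex": "enable",  "script": "enable",  "java": "medium",   "form_submit": "enable"},
    "Trusted sites":    {"activex": "enable",  "script": "enable",  "java": "high",     "form_submit": "enable"},
}


def _listed(host, patterns):
    return any(fnmatch(host, p) for p in patterns)


def zone_for(url):
    """Return the zone name for a URL, consulting the most restrictive list first."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _listed(host, RESTRICTED_SITES):
        return "Restricted sites"
    if _listed(host, TRUSTED_SITES):
        if parts.scheme == "https" or not TRUSTED_REQUIRES_HTTPS:
            return "Trusted sites"
        # Without SSL the server's identity is unverified, so the host name
        # alone cannot earn the Trusted zone's extra capabilities.
        return "Internet"
    if (host and "." not in host) or _listed(host, INTRANET_SITES):
        # Unqualified names such as http://payroll/ are taken as local intranet.
        return "Local intranet"
    return "Internet"


def decide(url, capability):
    """(zone, action) for a capability such as 'activex', 'script' or 'java'."""
    zone = zone_for(url)
    return zone, ZONE_POLICY[zone][capability]


if __name__ == "__main__":
    for u in ("http://payroll/", "https://partner.example.com/login",
              "http://partner.example.com/login", "http://www.evil.example/"):
        print(u, "->", decide(u, "activex"))
```

Note that the Restricted list is checked before the Trusted list, so a host that an administrator has explicitly restricted can never be promoted by a looser wildcard entry.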

Capabilities-based security: Increasing Java's Horsepower Safely

- Java applet/component sandboxing
- Digital signing of all components
- Granular capabilities
- Integration with Zones
- Simplified user model:
  - Low trust: applet-level capabilities; limited scratch space
  - Medium trust: user-directed file I/O; printing
  - High trust: full read/write/execute; full native code access; flexible net/subnet permissions

Using ActiveX controls with Zones

- For the web to be a viable application platform, you need components with special access
- Use zones to differentiate capabilities
- Differentiate between "Safe for Scripting" and "Unsafe for Scripting" controls. A control marked Safe for Scripting can be driven by script on any page in a zone where scripting is enabled, so the mark is a promise the control's author has to keep.

Authenticode 2.0

- Second-generation code authentication
- Digital signing
- New support for time stamping
- New capabilities for certificate revocation now enabled
- Built in to IE 4.0

Internet Information Server Security

WWW Service Security

Authentication:
- Anonymous
- Basic (password authenticated)
- Windows NT® user access
- SSL 3.0 client certificates
- Custom

Authentication Models

- Anonymous: maps onto the IUSR_machinename account (a member of the Guests group)
- Basic: username and password, Base64 encoded. Base64 is encoding, not encryption, so the password is readable by anyone on the path unless the connection is protected by SSL.
- NTLM: uses Windows NT network authentication (challenge/response); the password itself is never sent over the wire
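To make the difference between the Basic and NTLM models concrete, here is an added example (not code from the slides) that decodes what a passive observer learns from the Authorization header of each. The two requests are constructed samples with made-up credentials; the NTLM sample is a negotiate (type 1) message built from the NTLMSSP signature, the message type and a flags word, which is all that message carries.

```python
"""What a passive observer learns from an HTTP Authorization header.

Added example; not code from the original slides. The requests below are
constructed samples with made-up credentials.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def parse_authorization(header_value):
    """Decode one Authorization header value and report what it exposes."""
    scheme, _, payload = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64(username ":" password). Base64 is reversible, so
        # on an unencrypted link the password is as good as plaintext.
        user, _, password = base64.b64decode(payload).decode("latin-1").partition(":")
        return {"scheme": "Basic", "username": user, "password": password}
    if scheme == "ntlm":
        raw = base64.b64decode(payload)
        if raw[:8] != NTLMSSP_SIGNATURE:
            raise ValueError("NTLM payload lacks the NTLMSSP signature")
        # Bytes 8..11 hold a little-endian message type: 1 negotiate,
        # 2 challenge (server to client), 3 authenticate (responses only).
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"scheme": "NTLM", "message_type": msg_type, "password": None}
        if msg_type == 1:
            info["flags"] = struct.unpack_from("<I", raw, 12)[0]
        return info
    raise ValueError("unsupported authentication scheme: %r" % scheme)


def authorization_headers(raw_request):
    """Yield the value of every Authorization header in a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            yield value.strip()


def password_exposed(raw_request):
    """True if the request carries a recoverable password (Basic auth)."""
    return any(parse_authorization(h)["password"] is not None
               for h in authorization_headers(raw_request))


# Constructed samples. The NTLM message is a negotiate (type 1) with flags
# UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN (0x8207) and empty domain and
# workstation fields (two 8-byte len/maxlen/offset fields, all zero).
BASIC_REQUEST = (
    "GET /reports/q3.asp HTTP/1.0\r\n"
    "Host: intranet\r\n"
    "Authorization: Basic " + base64.b64encode(b"dave:Secret1").decode("ascii") + "\r\n"
    "\r\n"
)
_ntlm_negotiate = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00008207) + bytes(16)
NTLM_REQUEST = (
    "GET /reports/q3.asp HTTP/1.0\r\n"
    "Host: intranet\r\n"
    "Authorization: NTLM " + base64.b64encode(_ntlm_negotiate).decode("ascii") + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for req in (BASIC_REQUEST, NTLM_REQUEST):
        for header in authorization_headers(req):
            print(parse_authorization(header), "exposed:", password_exposed(req))
```

The NTLM type 3 (authenticate) message that follows the server's challenge carries the challenge responses and the user name, not the password, which is why the slides can rate the intranet scenario's authentication well even without SSL; it is the Basic case that the later "Basic auth over SSL" slide exists to fix.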

IIS4 and SSL

- IIS supports SSL, and hence HTTPS
- IIS supports client authentication certificates: client certificates can be used to validate users and optionally map them onto Windows NT accounts
- SSL support in IIS is incredibly flexible and granular
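The certificate-to-account mapping mentioned above, as an added example rather than code from the slides or from IIS itself. It models the two mapping styles IIS 4 offers: one-to-one (this exact certificate maps to this account) and many-to-one (any certificate whose subject and issuer fields match a rule maps to a shared account). The certificates, rules and account names are constructed; a certificate is reduced to its subject DN, issuer DN and DER bytes, and the one-to-one key is a SHA-1 thumbprint of those bytes. The check a practitioner should look for is that every many-to-one rule pins the issuing CA: matching on subject alone would let any CA's certificate with the right O= and OU= values log in.

```python
"""Mapping a client certificate to a Windows NT account.

Added example; not code from the slides or from IIS. Models IIS 4's
one-to-one and many-to-one mappings on constructed data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # DN string, e.g. "CN=alice, OU=Sales, O=Contoso, C=US"
    issuer: str
    der: bytes     # DER encoding; placeholder bytes in the samples below

    def thumbprint(self):
        return hashlib.sha1(self.der).hexdigest()


def parse_dn(dn):
    """Split 'CN=alice, OU=Sales' into {'CN': 'alice', 'OU': 'Sales'}."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip().upper()] = value.strip()
    return out


@dataclass(frozen=True)
class ManyToOneRule:
    subject_match: dict   # every listed attribute must equal the subject's
    issuer_match: dict    # same for the issuer; empty would trust any CA
    account: str


def map_to_account(cert, one_to_one, rules):
    """Return the NT account for this certificate, or None to reject it."""
    # An exact (one-to-one) mapping beats any wildcard rule.
    account = one_to_one.get(cert.thumbprint())
    if account:
        return account
    subject, issuer = parse_dn(cert.subject), parse_dn(cert.issuer)
    for rule in rules:
        if not rule.issuer_match:
            continue  # refuse a rule that does not pin the issuing CA
        issuer_ok = all(issuer.get(k) == v for k, v in rule.issuer_match.items())
        subject_ok = all(subject.get(k) == v for k, v in rule.subject_match.items())
        if issuer_ok and subject_ok:
            return rule.account
    return None


# Constructed data: two staff certificates from the corporate CA and one
# look-alike subject issued by an unrelated CA.
CORP_CA = "CN=Contoso Issuing CA, O=Contoso, C=US"
ALICE = Cert("CN=alice, OU=Sales, O=Contoso, C=US", CORP_CA, b"\x30\x82\x01\x00alice")
BOB = Cert("CN=bob, OU=Sales, O=Contoso, C=US", CORP_CA, b"\x30\x82\x01\x00bob")
MALLORY = Cert("CN=mallory, OU=Sales, O=Contoso, C=US",
               "CN=Some Public CA, O=Anyone, C=XX", b"\x30\x82\x01\x00mallory")

ONE_TO_ONE = {ALICE.thumbprint(): "CONTOSO\\alice"}
RULES = [
    ManyToOneRule({"O": "Contoso", "OU": "Sales"},
                  {"CN": "Contoso Issuing CA", "O": "Contoso"},
                  "CONTOSO\\SalesWeb"),
]

if __name__ == "__main__":
    for c in (ALICE, BOB, MALLORY):
        print(c.subject, "->", map_to_account(c, ONE_TO_ONE, RULES))
```

Mapping only decides which account the request runs as; the file ACLs on that account still decide what it may read, which is the "Access Control (very good, use ACLs)" line in the report cards that follow.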

IIS Security Settings

Authentication   SSL      Process          Scenario
Anonymous        No SSL   In-process       Internet
NTLM             No SSL   In-process       Intranet
Client Cert      SSL      In-process       Extranet
Anonymous        No SSL   Out-of-process   Internet
Anonymous        SSL      In-process       Secure Internet
NTLM             No SSL   In-process       Admin-Intranet

From Soup to Nuts: Some Examples

Each example:
- Start with a base and consider: Authentication, Access Control, Privacy, Data Integrity, Monitoring, Non-repudiation
- Give a report card on each!

A Simple Scenario

- Intranet, using Windows NT
- Therefore using NTLM authentication
  - Very secure authentication
  - Requires no extra work in Internet Explorer
  - Requires Windows NT Challenge/Response to be set in Internet Information Server

A Simple Scenario: Report Card

- Authentication (very good)
- Access Control (very good, use ACLs)
- Privacy (poor)
- Data Integrity (poor)
- Monitoring (good, use logging)
- Non-repudiation (very poor)

A Simple Scenario: Strengthened

To strengthen the simple scenario: use SSL (requires a server certificate)

New report card:
- Privacy (very good to excellent)
- Data Integrity (excellent)

An Internet Scenario

- Various clients
- Using a firewall

Report card:
- Authentication (poor to good)
- Access Control (very good, use ACLs)
- Privacy (poor)
- Data Integrity (poor)
- Monitoring (good, use logging)
- Non-repudiation (very poor)

An Internet Scenario: Strengthened

To strengthen the scenario: use SSL (requires a server certificate) and use Basic authentication over SSL

New report card:
- Privacy (very good to excellent)
- Data Integrity (excellent)

An Internet Scenario: Strengthened Further

To strengthen the scenario more: require client certificates

New report card:
- Privacy (very good to excellent)
- Data Integrity (excellent)
- Non-repudiation (fair)

- Overhead in issuing client certs
- Great extranet solution when used with Certificate Server

Certificate Server 1.0

Creates X.509 v3 certificates for:
- Internet Explorer
- Internet Information Server
- Outlook Express
- Navigator
- Enterprise Server