Using Internet Information Server And Microsoft® Internet Explorer
Shared by pengxuebo, posted 1/6/2013 (English, 27 pages)


Using Internet Information Server And Microsoft® Internet Explorer To Implement Security On The Intranet
Agenda
Internet Explorer Security
Internet Information Systems Security
Secure Case Studies
Questions?
The purpose of this talk is to provoke thought and show you what is possible.
Basic Security Principles
Security covers:
Authentication
Access Control
Privacy
Data Integrity
Monitoring
Non-repudiation
Internet Explorer Security
Security Features of IE4
SSL
Zones
Java™ Sandbox
AuthentiCode™ 2.0
Cookie/<FORM> warnings
Secure Sockets Layer 3.0
SSL provides secure communication between a client and server by using:
Server and (optionally) client certificates (authentication)
Symmetric key cryptography (bulk encryption)
Public key cryptography (transferring session keys)
Message Digests (integrity)
Internet Explorer 4.0
Uses SSL to provide support for the HTTPS protocol
HTTP over SSL
Internet Explorer can store:
Certificate authority root certificates
Client certificates
If a server requires a client certificate and you have more than one, IE will ask you which one you want to use
Internet Explorer 4.0
Innovation: Security Zones
Goals: convenience, protection, and manageability
Avoid multiple messages to user, authorization fatigue
Protect against risk when browsing untrusted sites
Administration support
Solution: security zones
Divide Web space into multiple security zones; administrator or user sets security policy
Security Zones Overview
Includes 4 default zones
Internet
Local Intranet
Trusted Web sites
Restricted sites
Sites can be added to existing Zones
Simplified settings
High/Medium/Low
Custom settings allowed
Configuring Zones
Access to files, ActiveX™ Controls, and scripts
The level of capabilities given to Java applets
Whether sites must be identified with SSL authentication
Form submission protection
Password protection
Capabilities-based security:
Increasing Java’s Horsepower Safely
Java Applet/Component sandboxing
Digital Signing of all components
Granular capabilities
Integration with Zones
Simplified user model:
Low trust: Applet-level capabilities; limited scratch space
Medium Trust: user directed file I/O; printing
High Trust: Full read/write execute; full native code access; flexible net/subnet permissions
Using ActiveX controls with Zones
For the web to be a viable application platform, need components with special access
Use zones to differentiate capabilities
Differentiate between “Safe for Scripting” and “Unsafe for Scripting”
Authenticode 2.0
Second Generation code authentication
Digital Signing
New support for Time stamping
New capabilities for certificate revocation now enabled
Built in to IE 4.0
Internet Information Server Security
WWW Service Security
Authentication
Anonymous
Basic
Password authenticated
Windows NT® user access
SSL 3.0
Client Certificates
Custom
Authentication Models
Anonymous
Map onto IUSR_machinename account
Guest account
Basic
Base64 encoded password/username
NTLM
Uses Windows NT network authentication
No password
IIS4 and SSL
IIS supports SSL
And hence HTTPS
IIS supports client authentication certificates
Client certificates can be used to validate users and optionally map them onto Windows NT accounts
SSL support in IIS is incredibly flexible and granular
IIS Security Settings
Authentication   SSL      Process          Scenario
Anonymous        No SSL   In-process       Internet
NTLM             No SSL   In-process       Intranet
Client Cert      SSL      In-process       Extranet
Anonymous        No SSL   Out-of-process   Internet
Anonymous        SSL      In-process       Secure Internet
NTLM             No SSL   In-process       Admin-Intranet
From Soup to Nuts
Some Examples
Each Example
Start with a base and consider:
Authentication
Access Control
Privacy
Data Integrity
Monitoring
Non-repudiation
Give report card on each!
A Simple Scenario
Intranet
Using Windows NT
Therefore using NTLM authentication
Very secure authentication
Requires no extra work in Internet Explorer
Set Requires Windows NT Challenge Response in Internet Information Server
A Simple Scenario
Report Card
Authentication (very good)
Access Control (very good, use ACLs)
Privacy (poor)
Data Integrity (poor)
Monitoring (good, use Logging)
Non-repudiation (very poor)
A Simple Scenario
To strengthen the simple scenario
Use SSL
Requires Server Certificate
New Report card
Privacy (very good to excellent)
Data Integrity (excellent)
An Internet Scenario
Various Clients
Using Firewall
Report Card
Authentication (poor to good)
Access Control (very good, use ACLs)
Privacy (poor)
Data Integrity (poor)
Monitoring (good, use Logging)
Non-repudiation (very poor)
An Internet Scenario
To strengthen the simple scenario
Use SSL
Requires Server Certificate
Use Basic auth over SSL
New Report card
Privacy (very good to excellent)
Data Integrity (excellent)
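An added illustration, not part of the original deck, of why the Authentication Models slide calls Basic a Base64-encoded password/username and why this slide pairs it with SSL: the encoding is reversible by anyone who sees the header. The script below decodes the Authorization header of a request and reports whether the credentials travelled in the clear; the request lines, host name and account are constructed sample data.

```python
# Added example, not from the slide deck: Basic authentication carries the
# Base64-encoded "user:password" pair, so the deck pairs it with SSL. This
# decodes the Authorization header of a captured request and reports whether
# the credentials travelled in the clear. Request lines below are constructed.
import base64
import binascii

def parse_basic_authorization(header_value):
    """Return (user, password) from a 'Basic <token>' value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Base64 is an encoding, not encryption: anyone who sees the header can do this.
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None

def audit_request(request_lines, over_ssl):
    """Return (auth_model, finding) for one request's header lines.

    over_ssl is True when the request arrived on an HTTPS connection.
    """
    auth = next((line.split(":", 1)[1].strip() for line in request_lines
                 if line.lower().startswith("authorization:")), None)
    if auth is None:
        return "Anonymous", "no credentials sent; request runs as IUSR_machinename"
    if auth.lower().startswith("ntlm"):
        return "NTLM", "challenge/response; the password itself is not on the wire"
    creds = parse_basic_authorization(auth)
    if creds is None:
        return "Unknown", "unrecognised or malformed Authorization header"
    if over_ssl:
        return "Basic", "credentials encrypted by SSL (the deck's recommendation)"
    return "Basic", "credentials for '%s' readable by anyone on the path" % creds[0]

SAMPLE_REQUEST = [  # constructed sample, not a real capture
    "GET /reports/default.asp HTTP/1.0",
    "Host: intranet.example.test",
    "Authorization: Basic " + base64.b64encode(b"alice:Passw0rd!").decode("ascii"),
]

if __name__ == "__main__":
    for ssl in (False, True):
        print("over_ssl=%s -> %s" % (ssl, audit_request(SAMPLE_REQUEST, ssl)))
```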
An Internet Scenario
To strengthen the scenario more
Require client certificates
New Report card
Privacy (very good to excellent)
Data Integrity (excellent)
Non-Repudiation (fair)
Overhead in issuing client certs
Great Extranet solution when used with Certificate Server
Certificate Server 1.0
Creates X.509 v3 certificates
Internet Explorer
Internet Information Server
Outlook Express
Navigator
Enterprise Server