About IIS Security  
Nik Okuntseff  Windows 2000 Security Programming 


Microsoft Internet Information Server (IIS) has several built-in authentication mechanisms that protect access to the information it hosts. This chapter gives a basic overview of each authentication method and provides code samples showing how to write a client for each one. The two pictures below show the methods available in IIS 5.0 and IIS 4.0. The difference between the two is the existence of the digest method in IIS 5.0.


Authentication choices for IIS 5.0.


Authentication choices for IIS 4.0.

A very short description of each method follows.

  • Anonymous. Every request is allowed access and is served in the security context of a special user account.
  • Basic. Requests are subject to authentication. Passwords are transmitted in HTTP headers in clear text using base64 encoding, which is an encoding and not encryption. This scheme is defined by the HTTP/1.1 standard in RFC 2068.
  • Digest. This authentication scheme is defined by RFC 2069.
  • Integrated Windows authentication (the same as Windows NT Challenge/Response). Before giving access to a socket, IIS generates an 8-byte random challenge. The client encrypts the challenge using its password and sends back the result. IIS compares that result with the one it obtains using the same algorithm and the true user password. If the results match, the client is allowed to use the socket.
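
The difference between Basic and challenge/response in the list above, shown as an added example that is not code from the book: a Basic header decodes straight back to the password, while a challenge/response exchange never puts the password on the wire and rejects a replayed response. HMAC-SHA256 stands in for the actual Windows NT Challenge/Response algorithm, and the account, password, class and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed account database (sample values only): user name -> password.
USERS = {"alice": "S3cret!pass"}

def basic_header(user, password):
    """Client side of Basic: base64 of "user:password"; no key is involved."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def recover_basic(header):
    """What any observer of the header can do: decode it back to the credentials."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def respond(password, challenge):
    """Client side of challenge/response: keyed transform of the challenge.
    Assumption: HMAC-SHA256 replaces the real algorithm for illustration."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

class Server:
    """Server side: issues challenges and checks responses."""
    def __init__(self, users):
        self.users = users
        self.pending = {}  # user -> challenge still waiting for a response

    def challenge(self, user):
        value = secrets.token_bytes(8)  # 8-byte random challenge, as in the text
        self.pending[user] = value
        return value

    def verify(self, user, response):
        value = self.pending.pop(user, None)  # single use: a replay finds nothing
        password = self.users.get(user)
        if value is None or password is None:
            return False
        # Same algorithm, true password; constant-time comparison of the results.
        return hmac.compare_digest(respond(password, value), response)
```
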

 

Send comments and suggestions to niko@wrconsulting.com
Copyright © 2000 by Nik Okuntseff