| Groups | Blog | Home |
iis security : How secure is Digest Mode compared to Integrated Authentication
authenication: Basic, Digest and Integrated Authentication. My requirements are that this works both on the Intranet and Internet. I would also prefer that the user enter only his short username and password (eg bsmith) rather than the long username and password (eg. bsmith@mydomane.com). So, I am limited to use of Basic and Digest. From a security perspective I know that Basic is not acceptable because it passes passwords in clear text. I will give it a security rating of 1 and wont use it. Integrated Authentication I will give a security rating of 9 but can't use it. What relative rating would you say that Digest is? What are the dangers of digest from a security perspective. Thanks for your opinions and/or knowledge. Jim 1. Basic --
Why don't you have two websites pointing to the same content on the
webserver. Both websites are identical in behavior except one is facing Internet and other is Intranet. Configure Integrated authentication on the Intranet facing website, and debate over the properly setting of the Internet-facing website. In other words, is your requirement that: a. users must authenticate with the same protocol over Intranet and Internet OR b users must authenticate with *some* protocol from the Intranet and Internet. These are two different types of requirements. One is a requirement for authenticated users. The other is a requirement for a certain authentication protocol. FYI: All authentication protocols have their advantages and disadvantages, and "one size fits all" approach rarely fits for any given protocol. If there was a protocol that works in all cases, why would multiple protocols remain??? For example, the spec for Digest Authentication makes clear its plus/minus in relation to Basic authentication -- in particular, read section 3 on bottom of page 12 through 15 for weakness in Digest. http://www.w3.org/Protocols/rfc2069/rfc2069 Short summary: - Digest is barely better than Basic in that it doesn't pass the username:password in cleartext but rather a hash of the username:password in cleartext. It still suffers all other security flaws of Basic (man-in-the-middle, replay, snooping, delegation, spoofing). - Integrated authentication auto-negotiates between two protocols, NTLM and Kerberos. Both protocols have strong defense against man-in-the-middle, replay, snooping, and spoofing attacks, and Kerberos can support delegation properly while NTLM cannot (hence NTLM has the well-known double-hop failure). //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // On Jan 25, 12:26 pm, K12-Jammer <K12Jam...@discussions.microsoft.com> [quoted text, click to view] wrote:
> While researching authentication on IIS I saw there were 3 options for > authenication: Basic, Digest and Integrated Authentication. > > My requirements are that this works both on the Intranet and Internet. I > would also prefer that the user enter only his short username and password > (eg bsmith) rather than the long username and password (eg. > bsm...@mydomane.com). So, I am limited to use of Basic and Digest. > > From a security perspective I know that Basic is not acceptable because it > passes passwords in clear text. I will give it a security rating of 1 and > wont use it. > > Integrated Authentication I will give a security rating of 9 but can't use it. > > What relative rating would you say that Digest is? What are the dangers of > digest from a security perspective. > > Thanks for your opinions and/or knowledge. > > Jim > > 1. Basic > > -- > Jim R
David,
Thank you for your summary statement and for your reference to the w3.org document which delineates the weaknesses of Digest mode. I will surely read that document. I think that your summary statement, however, will dictate that I not use Digest mode. In my situation, the actual secure documents are much less valuable than password integrity is. It won't ruin my organization if an outsider sees one of these "secure" documents but I don't want them to be able to get my users passwords. Thanks for being so knowledgeable on this stuff. -- Jim R [quoted text, click to view] "David Wang" wrote:
> Why don't you have two websites pointing to the same content on the > webserver. Both websites are identical in behavior except one is facing > Internet and other is Intranet. Configure Integrated authentication on > the Intranet facing website, and debate over the properly setting of > the Internet-facing website. > > In other words, is your requirement that: > a. users must authenticate with the same protocol over Intranet and > Internet OR > b users must authenticate with *some* protocol from the Intranet and > Internet. > > These are two different types of requirements. One is a requirement for > authenticated users. The other is a requirement for a certain > authentication protocol. > > FYI: All authentication protocols have their advantages and > disadvantages, and "one size fits all" approach rarely fits for any > given protocol. If there was a protocol that works in all cases, why > would multiple protocols remain??? > > For example, the spec for Digest Authentication makes clear its > plus/minus in relation to Basic authentication -- in particular, read > section 3 on bottom of page 12 through 15 for weakness in Digest. > http://www.w3.org/Protocols/rfc2069/rfc2069 > > Short summary: > - Digest is barely better than Basic in that it doesn't pass the > username:password in cleartext but rather a hash of the > username:password in cleartext. It still suffers all other security > flaws of Basic (man-in-the-middle, replay, snooping, delegation, > spoofing). > - Integrated authentication auto-negotiates between two protocols, NTLM > and Kerberos. Both protocols have strong defense against > man-in-the-middle, replay, snooping, and spoofing attacks, and Kerberos > can support delegation properly while NTLM cannot (hence NTLM has the > well-known double-hop failure). > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > > > > On Jan 25, 12:26 pm, K12-Jammer <K12Jam...@discussions.microsoft.com> > wrote: > > While researching authentication on IIS I saw there were 3 options for > > authenication: Basic, Digest and Integrated Authentication. > > > > My requirements are that this works both on the Intranet and Internet. I > > would also prefer that the user enter only his short username and password > > (eg bsmith) rather than the long username and password (eg. > > bsm...@mydomane.com). So, I am limited to use of Basic and Digest. > > > > From a security perspective I know that Basic is not acceptable because it > > passes passwords in clear text. I will give it a security rating of 1 and > > wont use it. > > > > Integrated Authentication I will give a security rating of 9 but can't use it. > > > > What relative rating would you say that Digest is? What are the dangers of > > digest from a security perspective. > > > > Thanks for your opinions and/or knowledge. > > > > Jim > > > > 1. Basic > > > > -- > > Jim R >
Well, if your concern is to not lose user password, Digest can be
sufficient for that since it never passes the password over the network in any form. However, Digest is still weak against attacks like man-in-the-middle, replay, snooping, delegation, spoofing. In particular, a snooping/ replay attack can be just as damaging. It is unfortunate that the more secure authentication protocols require more investment in security setup/infrastructure to utilize, but that is the cost of establishing a chain of trust for machines, which humans implicitly create on their own. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // On Jan 29, 7:53 am, K12-Jammer <K12Jam...@discussions.microsoft.com> [quoted text, click to view] wrote:
> David, > > Thank you for your summary statement and for your reference to the w3.org > document which delineates the weaknesses of Digest mode. I will surely read > that document. > > I think that your summary statement, however, will dictate that I not use > Digest mode. > > In my situation, the actual secure documents are much less valuable than > password integrity is. It won't ruin my organization if an outsider sees one > of these "secure" documents but I don't want them to be able to get my users > passwords. > > Thanks for being so knowledgeable on this stuff. > -- > Jim R > > > > "David Wang" wrote: > > Why don't you have two websites pointing to the same content on the > > webserver. Both websites are identical in behavior except one is facing > > Internet and other is Intranet. Configure Integrated authentication on > > the Intranet facing website, and debate over the properly setting of > > the Internet-facing website. > > > In other words, is your requirement that: > > a. users must authenticate with the same protocol over Intranet and > > Internet OR > > b users must authenticate with *some* protocol from the Intranet and > > Internet. > > > These are two different types of requirements. One is a requirement for > > authenticated users. The other is a requirement for a certain > > authentication protocol. > > > FYI: All authentication protocols have their advantages and > > disadvantages, and "one size fits all" approach rarely fits for any > > given protocol. If there was a protocol that works in all cases, why > > would multiple protocols remain??? > > > For example, the spec for Digest Authentication makes clear its > > plus/minus in relation to Basic authentication -- in particular, read > > section 3 on bottom of page 12 through 15 for weakness in Digest. > >http://www.w3.org/Protocols/rfc2069/rfc2069 > > > Short summary: > > - Digest is barely better than Basic in that it doesn't pass the > > username:password in cleartext but rather a hash of the > > username:password in cleartext. It still suffers all other security > > flaws of Basic (man-in-the-middle, replay, snooping, delegation, > > spoofing). > > - Integrated authentication auto-negotiates between two protocols, NTLM > > and Kerberos. Both protocols have strong defense against > > man-in-the-middle, replay, snooping, and spoofing attacks, and Kerberos > > can support delegation properly while NTLM cannot (hence NTLM has the > > well-known double-hop failure). > > > //David > >http://w3-4u.blogspot.com > >http://blogs.msdn.com/David.Wang > > // > > > On Jan 25, 12:26 pm, K12-Jammer <K12Jam...@discussions.microsoft.com> > > wrote: > > > While researching authentication on IIS I saw there were 3 options for > > > authenication: Basic, Digest and Integrated Authentication. > > > > My requirements are that this works both on the Intranet and Internet. I > > > would also prefer that the user enter only his short username and password > > > (eg bsmith) rather than the long username and password (eg. > > > bsm...@mydomane.com). So, I am limited to use of Basic and Digest. > > > > From a security perspective I know that Basic is not acceptable because it > > > passes passwords in clear text. I will give it a security rating of 1 and > > > wont use it. > > > > Integrated Authentication I will give a security rating of 9 but can't use it. > > > > What relative rating would you say that Digest is? What are the dangers of > > > digest from a security perspective. > > > > Thanks for your opinions and/or knowledge. > > > > Jim > > > > 1. Basic > > > > -- > > > Jim R- Hide quoted text -- Show quoted text -
I agree that Integrated is the way to go. I believe that I could do this
using the metabase property DefaultLogonDomain but haven't been able to figure out how to actually do that. Documentation on editing the metabase seems hard to find and everytime I bring it up somewhere people ask about other things that don't seem relevant. So for now by boss is willing to go the route of specifying the domain manually by using the username@DOMAINNAME.COM method of user identification. Guess that isn't so bad. People will get used to it. Have a great day. -- Jim R [quoted text, click to view] "David Wang" wrote:
> Well, if your concern is to not lose user password, Digest can be > sufficient for that since it never passes the password over the > network in any form. > > However, Digest is still weak against attacks like man-in-the-middle, > replay, snooping, delegation, spoofing. In particular, a snooping/ > replay attack can be just as damaging. > > It is unfortunate that the more secure authentication protocols > require more investment in security setup/infrastructure to utilize, > but that is the cost of establishing a chain of trust for machines, > which humans implicitly create on their own. > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > > > On Jan 29, 7:53 am, K12-Jammer <K12Jam...@discussions.microsoft.com> > wrote: > > David, > > > > Thank you for your summary statement and for your reference to the w3.org > > document which delineates the weaknesses of Digest mode. I will surely read > > that document. > > > > I think that your summary statement, however, will dictate that I not use > > Digest mode. > > > > In my situation, the actual secure documents are much less valuable than > > password integrity is. It won't ruin my organization if an outsider sees one > > of these "secure" documents but I don't want them to be able to get my users > > passwords. > > > > Thanks for being so knowledgeable on this stuff. > > -- > > Jim R > > > > > > > > "David Wang" wrote: > > > Why don't you have two websites pointing to the same content on the > > > webserver. Both websites are identical in behavior except one is facing > > > Internet and other is Intranet. Configure Integrated authentication on > > > the Intranet facing website, and debate over the properly setting of > > > the Internet-facing website. > > > > > In other words, is your requirement that: > > > a. users must authenticate with the same protocol over Intranet and > > > Internet OR > > > b users must authenticate with *some* protocol from the Intranet and > > > Internet. > > > > > These are two different types of requirements. One is a requirement for > > > authenticated users. The other is a requirement for a certain > > > authentication protocol. > > > > > FYI: All authentication protocols have their advantages and > > > disadvantages, and "one size fits all" approach rarely fits for any > > > given protocol. If there was a protocol that works in all cases, why > > > would multiple protocols remain??? > > > > > For example, the spec for Digest Authentication makes clear its > > > plus/minus in relation to Basic authentication -- in particular, read > > > section 3 on bottom of page 12 through 15 for weakness in Digest. > > >http://www.w3.org/Protocols/rfc2069/rfc2069 > > > > > Short summary: > > > - Digest is barely better than Basic in that it doesn't pass the > > > username:password in cleartext but rather a hash of the > > > username:password in cleartext. It still suffers all other security > > > flaws of Basic (man-in-the-middle, replay, snooping, delegation, > > > spoofing). > > > - Integrated authentication auto-negotiates between two protocols, NTLM > > > and Kerberos. Both protocols have strong defense against > > > man-in-the-middle, replay, snooping, and spoofing attacks, and Kerberos > > > can support delegation properly while NTLM cannot (hence NTLM has the > > > well-known double-hop failure). > > > > > //David > > >http://w3-4u.blogspot.com > > >http://blogs.msdn.com/David.Wang > > > // > > > > > On Jan 25, 12:26 pm, K12-Jammer <K12Jam...@discussions.microsoft.com> > > > wrote: > > > > While researching authentication on IIS I saw there were 3 options for > > > > authenication: Basic, Digest and Integrated Authentication. > > > > > > My requirements are that this works both on the Intranet and Internet. I > > > > would also prefer that the user enter only his short username and password > > > > (eg bsmith) rather than the long username and password (eg. > > > > bsm...@mydomane.com). So, I am limited to use of Basic and Digest. > > > > > > From a security perspective I know that Basic is not acceptable because it > > > > passes passwords in clear text. I will give it a security rating of 1 and > > > > wont use it. > > > > > > Integrated Authentication I will give a security rating of 9 but can't use it. > > > > > > What relative rating would you say that Digest is? What are the dangers of > > > > digest from a security perspective. > > > > > > Thanks for your opinions and/or knowledge. > > > > > > Jim > > > > > > 1. Basic > > > > > > -- > > > > Jim R- Hide quoted text -- Show quoted text - >
Secure authentication protocols like Integrated does not support
DefaultLogonDomain. Why? Because the protocol never passes username/ password to IIS, meaning IIS cannot choose the DefaultLogonDomain to logon the username. Editing the metabase, like the Registry, is not meant for most users. ONe will need at least the following info: - built-in tools like ADSUTIL.VBS ( http://msdn.microsoft.com/library/ default.asp?url=/library/en-us/iissdk/html/5e7f8cde-4a01-42bd-acaf- f8f7d091ef7c.asp ) - tools like MBExplorer which makes editing the metabase easy ( http:// www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73- b628-ade629c89499&DisplayLang=en ) - documentation on MSDN detailing what every property means ( http:// msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/ bb9c0d25-d003-4ddd-8adb-8662de0a24ee.asp ) I believe making users specify username@domain.com is pretty reasonable, especially if it also corresponds to their email address. I believe that getting used to specifying one's domain is critical -- how else do you distinguish between all the Davids in the world if they all got used to logging in with their name on all the systems in the world? We live in a connected, global society. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // On Jan 30, 5:08 am, K12-Jammer <K12Jam...@discussions.microsoft.com> [quoted text, click to view] wrote: > I agree that Integrated is the way to go. I believe that I could do this > using the metabase property DefaultLogonDomain but haven't been able to > figure out how to actually do that. Documentation on editing the metabase > seems hard to find and everytime I bring it up somewhere people ask about > other things that don't seem relevant. > > So for now by boss is willing to go the route of specifying the domain > manually by using the usern...@DOMAINNAME.COM method of user identification. > Guess that isn't so bad. People will get used to it. > > Have a great day. > > -- > Jim R > > > > "David Wang" wrote: > > Well, if your concern is to not lose user password, Digest can be > > sufficient for that since it never passes the password over the > > network in any form. > > > However, Digest is still weak against attacks like man-in-the-middle, > > replay, snooping, delegation, spoofing. In particular, a snooping/ > > replay attack can be just as damaging. > > > It is unfortunate that the more secure authentication protocols > > require more investment in security setup/infrastructure to utilize, > > but that is the cost of establishing a chain of trust for machines, > > which humans implicitly create on their own. > > > //David > >http://w3-4u.blogspot.com > >http://blogs.msdn.com/David.Wang > > // > > > On Jan 29, 7:53 am, K12-Jammer <K12Jam...@discussions.microsoft.com> > > wrote: > > > David, > > > > Thank you for your summary statement and for your reference to the w3.org > > > document which delineates the weaknesses of Digest mode. I will surely read > > > that document. > > > > I think that your summary statement, however, will dictate that I not use > > > Digest mode. > > > > In my situation, the actual secure documents are much less valuable than > > > password integrity is. It won't ruin my organization if an outsider sees one > > > of these "secure" documents but I don't want them to be able to get my users > > > passwords. > > > > Thanks for being so knowledgeable on this stuff. > > > -- > > > Jim R > > > > "David Wang" wrote: > > > > Why don't you have two websites pointing to the same content on the > > > > webserver. Both websites are identical in behavior except one is facing > > > > Internet and other is Intranet. Configure Integrated authentication on > > > > the Intranet facing website, and debate over the properly setting of > > > > the Internet-facing website. > > > > > In other words, is your requirement that: > > > > a. users must authenticate with the same protocol over Intranet and > > > > Internet OR > > > > b users must authenticate with *some* protocol from the Intranet and > > > > Internet. > > > > > These are two different types of requirements. One is a requirement for > > > > authenticated users. The other is a requirement for a certain > > > > authentication protocol. > > > > > FYI: All authentication protocols have their advantages and > > > > disadvantages, and "one size fits all" approach rarely fits for any > > > > given protocol. If there was a protocol that works in all cases, why > > > > would multiple protocols remain??? > > > > > For example, the spec for Digest Authentication makes clear its > > > > plus/minus in relation to Basic authentication -- in particular, read > > > > section 3 on bottom of page 12 through 15 for weakness in Digest. > > > >http://www.w3.org/Protocols/rfc2069/rfc2069 > > > > > Short summary: > > > > - Digest is barely better than Basic in that it doesn't pass the > > > > username:password in cleartext but rather a hash of the > > > > username:password in cleartext. It still suffers all other security > > > > flaws of Basic (man-in-the-middle, replay, snooping, delegation, > > > > spoofing). > > > > - Integrated authentication auto-negotiates between two protocols, NTLM > > > > and Kerberos. Both protocols have strong defense against > > > > man-in-the-middle, replay, snooping, and spoofing attacks, and Kerberos > > > > can support delegation properly while NTLM cannot (hence NTLM has the > > > > well-known double-hop failure). > > > > > //David > > > >http://w3-4u.blogspot.com > > > >http://blogs.msdn.com/David.Wang > > > > // > > > > > On Jan 25, 12:26 pm, K12-Jammer <K12Jam...@discussions.microsoft.com> > > > > wrote: > > > > > While researching authentication on IIS I saw there were 3 options for > > > > > authenication: Basic, Digest and Integrated Authentication. > > > > > > My requirements are that this works both on the Intranet and Internet. I > > > > > would also prefer that the user enter only his short username and password > > > > > (eg bsmith) rather than the long username and password (eg. > > > > > bsm...@mydomane.com). So, I am limited to use of Basic and Digest. > > > > > > From a security perspective I know that Basic is not acceptable because it > > > > > passes passwords in clear text. I will give it a security rating of 1 and > > > > > wont use it. > > > > > > Integrated Authentication I will give a security rating of 9 but can't use it. > > > > > > What relative rating would you say that Digest is? What are the dangers of > > > > > digest from a security perspective. > > > > > > Thanks for your opinions and/or knowledge. > > > > > > Jim > > > > > > 1. Basic > > > > > > -- > > > > > Jim R- Hide quoted text -- Show quoted text -- Hide quoted text - > > - Show quoted text -
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |