Microsoft Office 2000 Resource Kit (http://www.microsoft.com/office/ork)
Administering Security with Office Server Extensions

Using Internet Information Server Authentication

All users are authenticated when they attempt to gain access to the Web sites, folders, and files on your Web server. You configure the authentication methods available to users with Microsoft Internet Information Server (IIS) administration tools.

Types of authentication

IIS supports the following types of authentication:

  • Anonymous

    Anonymous access allows users to log on to a server without having a Microsoft Windows NT account. Users do not have to enter a user name and password. All Web browsers support anonymous access.

  • Basic

    Basic authentication requires all users to have a Windows NT account to log on to a server. Users must enter a user name and password. Most Web browsers support Basic authentication.

  • Windows NT Challenge/Response

    With Windows NT Challenge/Response authentication, the Web browser proves possession of the user's Windows NT password without sending it: the server issues a challenge and the browser answers with a response computed from the password hash. Users do not have to enter a user name and password when they log on to a server that accepts their current network logon. Only Microsoft Internet Explorer supports Windows NT Challenge/Response authentication.

Anonymous

Anonymous access lets users who do not have Windows NT accounts connect to the server and use server resources. This type of access reduces the amount of time you spend managing accounts, and you do not have to identify the users who log on to your Web server.

During Setup, IIS creates a special anonymous account named IUSR_computer_name for Web services. By default, all Web client requests use this anonymous account to gain access to Web content.

When IIS receives an anonymous request to log on to a server or access a resource, it impersonates the IUSR_computer_name account. The request succeeds when the IUSR_computer_name account has permission to log on to the server and to use the requested resource. IIS stores resource access permission information in the resource access control lists (ACLs), so the ACL entries granted to IUSR_computer_name define exactly what an unauthenticated client can reach. When access is denied, the server returns a 401 response, and the browser prompts the user to enter a valid Windows NT user name and password.

Note   If you want to provide both restricted and unrestricted access areas on your server, you can enable both authenticated and anonymous logon methods at the same time. A user who wants to access the restricted areas of the server needs to provide a user name and password, while any user can access the areas that allow anonymous access.

Basic authentication

When you use Basic authentication, a client application such as the Web browser prompts a user for a Windows NT user name and password. Then the browser passes the user information through HTTP as a Base64-encoded "user name:password" string in the Authorization header, which IIS decodes and uses for Basic authentication.

Basic authentication is fast, and when you use it with Secure Sockets Layer (SSL), you also have secure authentication because SSL encrypts the transmission. If you use Basic authentication without SSL, however, the user name and password are passed Base64-encoded but not encrypted. Base64 is a reversible encoding, not a cipher, so anyone who can observe the traffic recovers the credentials immediately, and because the browser resends the header with every request to that realm, every request exposes them again.
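The round trip described above, as an added example (not code from the Resource Kit): the server's 401 challenge, the Authorization header a browser builds, and a passive sniffer that recovers the user name and password from a captured request on an unencrypted link. The host name, path and credentials are constructed for the example.

```python
import base64

# Constructed sample of the 401 a server sends to start Basic authentication
# (assumed host name and realm).
SERVER_CHALLENGE = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: Basic realm=\"intranet.example.com\"\r\n"
    "Content-Length: 0\r\n\r\n"
)


def build_basic_authorization(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication.

    The value is Base64 of "username:password" (RFC 2617). Base64 is an
    encoding, not encryption: it is fully reversible by anyone who sees it.
    """
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Authorization: Basic {token}"


def client_request(username: str, password: str) -> str:
    """The follow-up request a browser sends after the challenge (constructed path)."""
    return (
        "GET /ork/private/plan.doc HTTP/1.1\r\n"
        "Host: intranet.example.com\r\n"
        + build_basic_authorization(username, password)
        + "\r\n\r\n"
    )


def recover_basic_credentials(raw_request: str):
    """Act as a passive eavesdropper: find a Basic Authorization header in a
    captured request and return (username, password), or None if absent."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                decoded = base64.b64decode(token).decode("latin-1")
                # Only the first ':' separates user from password; the password
                # itself may contain ':' characters.
                user, _, pwd = decoded.partition(":")
                return user, pwd
    return None


if __name__ == "__main__":
    captured = client_request("CORP\\alice", "s3cret:pw")
    print(SERVER_CHALLENGE)
    print(captured)
    print("sniffer recovered:", recover_basic_credentials(captured))
```

Nothing in the sniffer needs a key or any computation beyond a Base64 decode, which is the whole reason Basic authentication must travel over SSL. The same decode is all a proxy or firewall in the path can do as well, so "works through a proxy" and "readable by the proxy" are the same property.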

With Basic authentication, a user must have the Log On Locally right on the IIS server. You use the Windows NT User Manager for Domains application to grant a user the Log On Locally right.

Note   A user who has the Log On Locally right can start an interactive session on the Windows NT or Windows 2000 server.

In the following situations, Basic authentication is the best option for providing access to your Web server:

  • When your Web site must be accessible from Web browsers other than Internet Explorer.
  • When users connect to your Web server over the Internet through a proxy server or firewall. Basic authentication carries the credentials in every request, so it does not depend on the proxy keeping a single connection open to the server.
Windows NT Challenge/Response authentication

Windows NT Challenge/Response (also called NTLM) is a more secure authentication method than Basic authentication. A user is authenticated when the user first logs on to the network. When the same user then logs on to the Web server, a client application such as the Web browser uses the credentials from the network logon. If those credentials are not valid, Windows NT Challenge/Response authentication requests a valid user name and password.

Windows NT Challenge/Response authentication provides the following advantages over other types of authentication:

  • Users logged on to a Windows NT domain do not need to be authenticated again to access another computer in the same Windows NT domain.
  • The password is never transmitted. The browser sends only a response computed from the password hash and the server's challenge, so a network eavesdropper does not capture a reusable user name and password as with Basic authentication. Note that an eavesdropper who records the challenge and response can still attempt an offline guessing attack against it, so strong passwords remain important.

Windows NT Challenge/Response authentication has the following limitations:

  • Windows NT Challenge/Response authentication is designed for use on an intranet. It authenticates the TCP connection rather than each request, so it does not function through a proxy server or firewall that opens a new connection to the server for each request. If your network is protected by such a proxy or firewall, you must use Basic authentication.
  • Windows NT Challenge/Response authentication is only supported by Internet Explorer. You cannot use this type of authentication with any other Web browsers.
  • Windows NT Challenge/Response authentication does not support delegation to secondary servers. IIS receives only a challenge response, never the password, so it holds nothing it could present to another computer on the user's behalf. For example, when a request comes in to IIS, the user credentials cannot be passed to a remote computer running Microsoft SQL Server.

Tip   You can configure IIS with both Basic authentication and Windows NT Challenge/Response authentication enabled. If a user’s Web browser supports Windows NT Challenge/Response authentication, IIS uses that authentication method. Otherwise, IIS defaults to Basic authentication.


Authenticating HTTP requests

When IIS receives an HTTP request from a Web browser, a Microsoft Office 2000 application, or another client, IIS processes the request in the following sequence:

  1. Tries the anonymous account, IUSR_computer_name, if anonymous access is enabled. If that account can reach the resource, the request succeeds without any user authentication, even if the browser sent credentials.
  2. Otherwise, responds with a 401 status and a WWW-Authenticate header for each enabled method (Windows NT Challenge/Response, Basic, or both), and uses the method the browser answers with to authenticate the user.
  3. Allows access to the file on the Web server. If the file is located on an NTFS volume, IIS allows access only when the authenticated account is on the ACL of the file and of the folder in which the file is located; if it is not, the server returns 401 again.
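The three-step sequence above, as an added example that is not part of the Resource Kit. It models IIS with both authentication methods enabled (as in the Tip earlier) and a small NTFS-style ACL table; the computer name, account names, paths and ACL entries are constructed. The Windows NT Challenge/Response branch stands in for the real three-message exchange by treating its token as an already-verified account name, which is an assumption made to keep the example offline.

```python
import base64

# Constructed server configuration (assumed names).
ANON_ACCOUNT = "IUSR_WEBSRV1"
ENABLED_METHODS = ("NTLM", "Basic")       # IE answers NTLM; other browsers fall back to Basic
ACCOUNTS = {"CORP\\alice": "s3cret"}      # stands in for the domain's password check

# Constructed NTFS ACLs: the set of accounts allowed on each file and folder.
ACLS = {
    "/public": {ANON_ACCOUNT, "CORP\\alice"},
    "/public/index.htm": {ANON_ACCOUNT, "CORP\\alice"},
    "/private": {"CORP\\alice"},
    # IUSR is on the file but not on its folder, so anonymous access still fails.
    "/private/plan.doc": {"CORP\\alice", ANON_ACCOUNT},
}


def ntfs_allows(account: str, path: str) -> bool:
    """Step 3 rule: the account must be on the ACL of the file AND of its folder."""
    folder = path.rsplit("/", 1)[0] or "/"
    return account in ACLS.get(path, set()) and account in ACLS.get(folder, set())


def basic_header(user: str, pwd: str) -> dict:
    """Headers a browser sends for Basic authentication (Base64 of user:pwd)."""
    token = base64.b64encode(f"{user}:{pwd}".encode("latin-1")).decode("ascii")
    return {"authorization": f"Basic {token}"}


def resolve_account(headers: dict):
    """Map an Authorization header to a validated Windows NT account, or None."""
    value = headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme == "Basic":
        user, _, pwd = base64.b64decode(token).decode("latin-1").partition(":")
        return user if ACCOUNTS.get(user) == pwd else None
    if scheme == "NTLM":
        # Assumption for this example: the token is the account name that the
        # challenge/response exchange already verified.
        return token if token in ACCOUNTS else None
    return None


def handle_request(path: str, headers: dict):
    """Return (status, response_headers, account_used) for one request."""
    # Step 1: anonymous first; a sent Authorization header is ignored if this works.
    if ntfs_allows(ANON_ACCOUNT, path):
        return 200, {}, ANON_ACCOUNT
    # Step 2: authenticate with one of the enabled methods.
    account = resolve_account(headers)
    if account is None:
        return 401, {"WWW-Authenticate": list(ENABLED_METHODS)}, None
    # Step 3: the authenticated account needs file and folder ACL entries.
    if ntfs_allows(account, path):
        return 200, {}, account
    return 401, {"WWW-Authenticate": list(ENABLED_METHODS)}, account


if __name__ == "__main__":
    print(handle_request("/public/index.htm", {}))
    print(handle_request("/private/plan.doc", {}))
    print(handle_request("/private/plan.doc", basic_header("CORP\\alice", "s3cret")))
```

Two points the sequence makes concrete: an account listed on a file but not on its folder is still denied, and the anonymous account is consulted before any credentials the browser supplied, so a permissive ACL entry for IUSR_computer_name silently turns an "authenticated" area into a public one.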


Using IP address or domain name to restrict access

You can use an IP address or domain name to control which computers connect to your Web site. Each client computer on an intranet or the Internet has an IP address, and in IIS you can create lists of IP addresses (single addresses or address ranges given by a subnet mask) and domain names to grant or deny access to specific computers, either as exceptions to a default of granting access or as exceptions to a default of denying it. You can configure the access restrictions at the Web site, folder, virtual directory, and file levels. Domain name restrictions require IIS to perform a reverse DNS lookup on each connecting address, which slows every request, and clients that reach the server through a proxy all present the proxy's address rather than their own.
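An added example, not code from the Resource Kit, that evaluates a rule set of the kind the IIS restriction dialog expresses: a default action plus exceptions given as a single address, an address with a subnet mask, or a domain name. The addresses, the rule set and the reverse-DNS table are constructed for the example; a real server would query DNS for the domain-name exceptions.

```python
import ipaddress

# Constructed rule set: deny everyone except the listed exceptions (assumed addresses).
RULES = {
    "default": "deny",
    "exceptions": [
        {"ip": "10.0.0.0", "mask": "255.255.0.0"},   # whole intranet range
        {"ip": "192.168.5.17"},                       # one administrator workstation
        {"domain": "corp.example.com"},               # matched via reverse DNS
    ],
}

# Constructed stand-in for the reverse DNS lookups IIS would have to perform.
REVERSE_DNS = {
    "172.16.9.4": "ws04.corp.example.com",
    "203.0.113.7": "host7.attacker.example",
}


def _matches(exception: dict, addr) -> bool:
    """True if one exception entry covers the client address."""
    if "ip" in exception:
        mask = exception.get("mask", "255.255.255.255")   # single host if no mask given
        network = ipaddress.ip_network(f"{exception['ip']}/{mask}", strict=False)
        return addr in network
    # Domain-name entry: match the host's reverse name or any name under the domain.
    name = REVERSE_DNS.get(str(addr), "")
    domain = exception["domain"]
    return name == domain or name.endswith("." + domain)


def is_allowed(client_ip: str, rules: dict = RULES) -> bool:
    """Apply the default action, inverted for any client that hits an exception."""
    addr = ipaddress.ip_address(client_ip)
    excepted = any(_matches(e, addr) for e in rules["exceptions"])
    if rules["default"] == "deny":
        return excepted
    return not excepted


if __name__ == "__main__":
    for ip in ("10.0.42.9", "192.168.5.17", "192.168.5.18", "172.16.9.4", "203.0.113.7"):
        print(ip, "allowed" if is_allowed(ip) else "denied")
```

Deny-by-default with a short grant list is the shape to use for an intranet-only OSE web; grant-by-default with a deny list only ever keeps out addresses you already know about. Treat the domain-name entries as the weakest part of the list: the reverse name of an address is set by whoever controls that address block, so it is a convenience for identifying your own machines, not a barrier against an outsider.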


Using Secure Sockets Layer

Secure Sockets Layer is a protocol that provides communications privacy, authentication, and message integrity for TCP/IP connections. By using the SSL protocol, clients and servers can communicate with almost no possibility of eavesdropping, tampering, or message forgery. SSL is typically used with Basic authentication to encrypt user name and password transmissions.

SSL ensures secure communication through a firewall, and it also provides security for remote administration of a Web server. You can specify that Office 2000 applications and Internet Explorer use SSL to open or publish documents on an OSE-extended web.

  • In Internet Explorer version 4.0, you specify SSL use on the Advanced tab of the Internet Options dialog box (View menu).
  • In Office 2000 applications, you enable SSL when you create a Web folder shortcut.

In IIS, you must install a security certificate to use SSL. Use the Key Manager utility included with IIS to obtain a certificate that is a collection of encoded data identifying the server.


Using authentication with delegation applications

A delegation application passes on part of the Web server work to a secondary server application running on a different computer. For example, a Web server acting as a delegation application can use a database server running on a different host computer.

The various types of authentication handle delegation applications differently. If you use Basic authentication, IIS receives the user's actual password, logs the user on locally with it, and the resulting Windows NT logon carries credentials the secondary server will honor when IIS connects to it on the user's behalf. The price of this convenience is that the Web server holds every user's clear-text password for the duration of the request.

However, if you use Windows NT Challenge/Response authentication, IIS never sees the password and holds only the impersonation token produced by the challenge/response exchange, which cannot be used to authenticate to another computer; a secondary computer therefore does not honor the user's credentials. In this case, both the secondary server and the Web server must be running on the same host computer.


See also

IIS provides considerable flexibility for secure access to your Web server. For more information about authentication methods, obtaining a security certificate, or using IP addresses and domain names to restrict access, see the online Help for IIS.

  Friday, March 5, 1999
© 1999 Microsoft Corporation. All rights reserved. Terms of use.