Re: IIS 6 Integrated Security....risks??



Thanks a lot for your comments.
I have learned a lot with this post.



"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:O%23ySUfvMIHA.484@xxxxxxxxxxxxxxxxxxxxxxx

"Roberto López" <rlopez@xxxxxxxxxxxxxxxx> wrote in message
news:O%23GrfGoMIHA.4480@xxxxxxxxxxxxxxxxxxxxxxx


"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OE0nqFjMIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx

"Roberto López" <rlopez@xxxxxxxxxxxxxxxx> wrote in message
news:uqen02bMIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
My first concern is to ensure that the domain server and all data on it is sure.

Integrated Windows Authentication does not secure your server, or the data on it.

And the user names and passwords are secured.

Windows already stores usernames and passwords securely. You need to protect these "in transit", and also to ensure that users do not disclose them to others.

But, with Integrated Windows Authentication the user name and password, as far as I know, are sent encrypted?

Hi,

With NTLM authentication, the password is hashed using the NTLM v2 mechanism.

With Kerberos Authentication, the client sends an authenticator and service ticket. The username is not encrypted, but the password is never transmitted to the server in question (as the trusted third party - the KDC/Domain Controller - knows all the passwords).

Cheers
Ken
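
To make the point above concrete, here is an added example (not part of the original thread) that inspects the `Authorization` header a browser sends under Integrated Windows Authentication and, for NTLM, lists what the Type 3 message carries: domain, user and workstation names in the clear plus a challenge response, never the password. The sample header, the names `EXAMPLE`, `alice` and `WS01`, and the `cp437` fallback are constructed assumptions; field offsets follow the MS-NLMP layout.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# Offsets of the (Len, MaxLen, BufferOffset) descriptors in an AUTHENTICATE message (MS-NLMP)
FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28, "user": 36, "workstation": 44}

def classify_token(header_value):
    """Return (kind, raw_bytes) for an Authorization header; kind is ntlm, spnego or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        return "unknown", b""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm", raw
    if raw[:1] in (b"\x60", b"\xa1"):  # ASN.1-wrapped SPNEGO token, typically carrying Kerberos
        return "spnego", raw
    return "unknown", raw

def parse_ntlm_authenticate(raw):
    """Extract the fields an NTLM Type 3 message puts on the wire."""
    if len(raw) < 64 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", raw, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (Type 3) message")
    flags = struct.unpack_from("<I", raw, 60)[0]
    # cp437 for the non-Unicode case is an assumption; the real OEM code page is host-specific
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    fields = {}
    for name, pos in FIELDS.items():
        length, _max_len, offset = struct.unpack_from("<HHI", raw, pos)
        if offset + length > len(raw):  # reject descriptors pointing outside the message
            raise ValueError(f"{name} extends past end of message")
        data = raw[offset:offset + length]
        fields[name] = data if name.endswith("_response") else data.decode(enc)
    return fields

def build_sample_header():
    """Constructed Type 3 message: made-up names and placeholder (non-secret) response bytes."""
    parts = {"lm_response": bytes(24), "nt_response": bytes(range(16)) + bytes(28),
             "domain": "EXAMPLE".encode("utf-16-le"), "user": "alice".encode("utf-16-le"),
             "workstation": "WS01".encode("utf-16-le")}
    head = bytearray(b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(48)
                     + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE))
    payload = b""
    for name, data in parts.items():
        struct.pack_into("<HHI", head, FIELDS[name], len(data), len(data), len(head) + len(payload))
        payload += data
    return "NTLM " + base64.b64encode(bytes(head) + payload).decode()
```

Calling `parse_ntlm_authenticate(classify_token(build_sample_header())[1])` returns the decoded names and the raw response bytes, which is the same view a capture of unencrypted HTTP traffic would give.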


