Basic Authentication

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The Basic authentication method is a widely used industry-standard method for collecting user name and password information. When you use Basic authentication, the browser displays a dialog box into which users are required to enter a previously assigned Windows account user name — which includes a Windows domain name, for example, Domain1\User1 — and password, which are also known as credentials. The browser then attempts to establish a connection to the server using the user's credentials, and it resends them with every subsequent request to that protected area. The password travels as plaintext that is merely Base64-encoded before it is sent over the network; it is not encrypted.

One advantage of Basic authentication is that it is part of the HTTP specification and is supported by most browsers. However, Base64 encoding is not encryption. Web browsers that use Basic authentication transmit passwords in an unencrypted form. If a Base64-encoded password is intercepted over the network by a network sniffer, unauthorized users can easily decode and reuse the password. Therefore, Basic authentication is not recommended unless you are confident that the connection between the user and your Web server has been secured, for example, with a dedicated line or an SSL connection. For more information about SSL, see SSL and Certificates.
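To make the point concrete, the following Python is an added example, not part of the original page or of IIS: it builds an Authorization header the way a browser does for Basic authentication and then recovers the plaintext credentials from a captured request, which is all an eavesdropper needs to do. The request text, the account Domain1\User1 and the password "P@ss:w0rd" are constructed sample data; the password deliberately contains a colon to show that only the first colon separates user name from password.

```python
import base64


def build_basic_header(username, password):
    """Encode credentials the way a browser does for HTTP Basic authentication:
    the string 'user:password', Base64-encoded, prefixed with the scheme name.
    Base64 is an encoding, not encryption; this function hides nothing."""
    if ":" in username:
        raise ValueError("user name must not contain ':' (it separates user from password)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header_value):
    """Recover the plaintext credentials from an Authorization header value.
    Anyone holding a network capture of the request can do exactly this."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    # Only the first ':' is the separator; the password itself may contain ':'.
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed credentials: no ':' separator")
    return user, password


def credentials_from_request(raw_request):
    """Scan the headers of a captured HTTP request and return (user, password)
    from a Basic Authorization header, or None if the request carries none."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return decode_basic_header(value)
    return None


# Constructed sample: the shape of the request a browser sends for Domain1\User1
# with the made-up password "P@ss:w0rd" after the user fills in the dialog box.
SAMPLE_REQUEST = (
    "GET /private/report.htm HTTP/1.1\r\n"
    + "Host: www.example.com\r\n"
    + "Authorization: " + build_basic_header("Domain1\\User1", "P@ss:w0rd") + "\r\n"
    + "\r\n"
)

if __name__ == "__main__":
    print(credentials_from_request(SAMPLE_REQUEST))
```

Run as a script it prints the recovered user name and password. Note that nothing in the decoding step requires a key or any secret; the only defence is to keep the header off the wire in the clear, which is why the page insists on a secured connection.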

If a user's credentials do not correspond to a valid Windows user account, Internet Explorer displays a dialog box into which the user re-enters his or her credentials. Internet Explorer — not IIS — allows the user three connection attempts before it terminates the connection and reports an error to the user. If a user's credentials correspond to a valid Windows user account, a connection is established.

Basic authentication does not by itself cause your Web server to authenticate users; to require authentication, you must also disable anonymous access, otherwise IIS serves requests under the anonymous account without ever prompting for credentials. As a security best practice, grant each Windows user account only the NTFS permissions it needs on the content it is allowed to reach. For step-by-step instructions for configuring Basic authentication, see Basic Authentication in IIS 6.0.

Logon Types

In IIS 6.0, the default logon type for Basic authentication (and Anonymous authentication) is NETWORK_CLEARTEXT. This is a change from earlier versions of IIS, in which the default logon type was INTERACTIVE. As a result of this change, when you use the default logon type for Basic authentication, users no longer need the interactive logon right (Log on locally) on the Web server; the NETWORK and NETWORK_CLEARTEXT logon types require only the network logon right (Access this computer from the network). This is what makes Basic authentication practical on domain controllers, where ordinary user accounts are typically denied the right to log on locally. Table 5.4 lists the logon types that are available for Basic authentication and Anonymous authentication.

Table 5.4 Logon Types for Basic Authentication and Anonymous Authentication

Logon Type                   LogonMethod Setting              Logon Right Required   Security Identifier (SID) Added to Access Token   Outbound Credentials
NETWORK_CLEARTEXT (default)  3 - MD_LOGON_NETWORK_CLEARTEXT   Network                NT AUTHORITY\NETWORK_CLEARTEXT                    Yes
NETWORK                      2 - MD_LOGON_NETWORK             Network                NT AUTHORITY\NETWORK                              No
BATCH                        1 - MD_LOGON_BATCH               Batch                  NT AUTHORITY\BATCH                                Yes
INTERACTIVE                  0 - MD_LOGON_INTERACTIVE         Interactive            NT AUTHORITY\INTERACTIVE                          Yes

For more information, see the LogonMethod Metabase Property.

Token Cache Security Considerations

When you use Basic authentication, user tokens are cached in the token cache. By default, tokens remain in the cache for 15 minutes. If you log on using Basic authentication with an account that has a high level of user logon rights, the cached token carries that account's rights for as long as it stays in the cache, and an attacker who gains control of the Web server during that window could use it to gain access to the resources on your computer. There are several ways to help minimize this threat:

  • Do not log on, or allow anyone to log on, using Basic authentication with an account that has a high level of user logon rights.

  • Disable user token caching by setting the global registry entry, UserTokenTTL, to zero (0).

    Warning

    Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference.

  • Change UserTokenTTL to a value less than the default of 15 minutes. The value of this registry entry is expressed in seconds, so the default corresponds to 900. For more information about the UserTokenTTL global registry entry, see Global Registry Entries.

Note

If you use Basic authentication and disable the token cache, IIS must perform a Windows logon for every request, including one for each embedded image, script and style sheet that a Web page references, so a single page can trigger dozens of logons. This will have a negative effect on performance. For more information, see Balancing Performance and Security.
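The following Python models the trade-off between the token-cache bullets above and this performance note. It is an added example, not IIS code: a credential-keyed cache whose entries expire UserTokenTTL seconds after they were created, with a stand-in for the Windows logon so that logons can be counted, and an injectable clock so that expiry can be exercised without waiting. The account Domain1\User1, its password and the request timings are constructed.

```python
class UserTokenCache:
    """Simplified model of the IIS user token cache (added illustration, not IIS code).

    Entries are keyed by credentials and expire `ttl_seconds` after creation.
    UserTokenTTL is expressed in seconds; 900 is the 15-minute default.
    A TTL of 0 disables caching, so every request costs a logon.
    `clock` returns the current time in seconds and is injectable for testing."""

    def __init__(self, ttl_seconds, clock):
        if ttl_seconds < 0:
            raise ValueError("UserTokenTTL must be zero or a positive number of seconds")
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}      # (user, password) -> (token, created_at)
        self.logon_calls = 0    # number of real logons performed

    def _logon(self, user, password):
        # Stand-in for the Windows logon that IIS performs; a real server would
        # validate the credentials here and receive an access token.
        self.logon_calls += 1
        return f"token#{self.logon_calls}:{user}"

    def get_token(self, user, password):
        now = self.clock()
        key = (user, password)
        if self.ttl > 0:
            cached = self._entries.get(key)
            if cached is not None and now - cached[1] < self.ttl:
                return cached[0]            # cache hit: no logon needed
            token = self._logon(user, password)
            self._entries[key] = (token, now)
            return token
        return self._logon(user, password)  # caching disabled: log on every time

    def is_cached(self, user, password):
        """True while a token for these credentials is still held in the cache."""
        cached = self._entries.get((user, password))
        return cached is not None and self.clock() - cached[1] < self.ttl


def logons_for_session(ttl_seconds, request_count, seconds_between_requests):
    """Number of real logons needed to serve `request_count` requests from one
    user, spaced `seconds_between_requests` apart, under the given UserTokenTTL."""
    now = [0.0]
    cache = UserTokenCache(ttl_seconds, clock=lambda: now[0])
    for _ in range(request_count):
        cache.get_token("Domain1\\User1", "P@ss:w0rd")  # constructed sample credentials
        now[0] += seconds_between_requests
    return cache.logon_calls


def token_still_cached(ttl_seconds, seconds_after_logon):
    """Whether a token logged on once is still held in the cache this many seconds
    later, i.e. how long a privileged account's token lingers on the server."""
    now = [0.0]
    cache = UserTokenCache(ttl_seconds, clock=lambda: now[0])
    cache.get_token("Domain1\\User1", "P@ss:w0rd")
    now[0] = float(seconds_after_logon)
    return cache.is_cached("Domain1\\User1", "P@ss:w0rd")


if __name__ == "__main__":
    for ttl in (900, 60, 0):
        print(f"UserTokenTTL={ttl:>3}: page of 40 requests -> {logons_for_session(ttl, 40, 0.05)} logons,"
              f" token still cached after 10 min: {token_still_cached(ttl, 600)}")
```

With the default of 900 seconds, one user's page of 40 requests costs a single logon, and the token is still held ten minutes after that logon, which is the exposure window the first two bullets aim to shrink. With UserTokenTTL set to 0 the same page costs 40 logons and nothing lingers. A middle value such as 60 seconds turns a five-minute session of one request every ten seconds into five logons, which is the kind of balance the referenced Balancing Performance and Security topic is about.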

For information about editing the registry, see the Registry Reference.