Secure Access to Web Site Resources
You can use the Internet Information Services console to provide granular security for your Web sites. You can configure security for an entire site as well as for individual folders and files in a site. You can set general security for a Web site and then add other security requirements for specific folders and files in the site. Internet Information Services provides the following methods for controlling access to Web site resources:
IP addresses and domain names
Certificate mapping to user accounts
In addition, Internet Information Services uses access control lists (ACLs) to control access to Web resources that are installed on NTFS file systems.
When Internet Information Services is configured for anonymous access, the server logs on each Web user with an anonymous guest account, which can be any valid Windows 2000 user account. Windows 2000 Server provides a built-in local account for anonymous access: IUSR_ Server (where Server is the name of the server computer on which Internet Information Services is installed). Internet Information Services provides a default set of user rights and permissions for anonymous-access Web sites. For example, by default, the IUSR_ Server account allows general users read permission for most Web site resources. However, administrators and the system have full control of Web site resources. Instead of using the IUSR_ Server account, you can select another user account for use by anonymous-access users if you want.
When anonymous access is enabled, users can usually log on and request Web resources without having to enter their user name and password. However, if the resources that they are requesting have NTFS ACL restrictions, they are required to submit their user name and password before being granted access to the resources. Anonymous access is generally suitable for Web sites that contain information for public consumption, but not for Web sites that contain proprietary or confidential information.
When Internet Information Services is configured for authenticated access, a user must enter a valid Windows user account name and password to gain access to the Web resources that he or she has requested. Authentication options determine whether a user's password is sent over the network as plaintext, as a message digest or as ciphertext. Authenticated access is appropriate generally for providing low-level security on Web sites, but secure SSL and TLS channels and certificate mapping provide much stronger security.
IP Addresses and Domain Names
You can list IP addresses and domain names to grant access to selected Web resources or to deny access to selected Web resources by listing individual computers or groups of computers on the basis of subnet address or domain names. However, extensive use of domain names can slow Web performance because of time-consuming Domain Name System (DNS) lookups. Controlling Web access through IP addresses and domain names also provides only weak security because attackers can easily forge the originating IP address and domain name information to gain access to your Web site. Security is weakened further if you grant Web site access to the IP addresses or domain names for proxy services because, in this situation, you have extended access to all clients who connect to your Web site through these proxy services.
Certificate Mapping to User Accounts
You can map certificates to Windows 2000 user accounts to control access to selected Web resources. Certificate mapping provides for strong security that is based on the Web client ownership of a valid authentication certificate. When certificate mapping is enabled, Internet Information Services authenticates users on the basis of mapped certificates, and it grants rights and permissions that are based on the mapped user account. Certificate mapping can be one-to-one or many-to-one.
One-to-One Certificate Mapping For one-to-one certificate mapping, you map individual certificates to the corresponding Windows 2000 user accounts for the owners of the certificates. Internet Information Services authenticates users with the listed certificates and grants rights and permissions that are based on the user account information. One-to-one mapping works only for clients with Windows 2000 user accounts.
Many-to-One Certificate Mapping For many-to-one certificate mapping, you create rules that define the certificate criteria for mapping. Mapping rules check the information that is contained in users' certificates, such as the user's organization and the issuing CA, to determine whether the information matches the criteria in the rules. When the information in users' certificates match the rules, users are usually mapped to a particular user account that you specify. With many-to-one mapping, a user's rights and permissions for Web site resources are controlled on the basis of the rights and permissions of the mapped user account. You can also configure Internet Information Services to refuse Web access to users with certificates that match the mapping rules. You can use many-to-one certificate mapping to control access for any Web client that owns a valid authentication certificate. For example, you might use many-to-one mapping to grant access to Web resources on an extranet on the basis of Web client ownership of a specific type of certificate that has been issued by a specific commercial CA or a business partner's CA.
Administering one-to-one mapping manually requires more administrative effort than administering many-to-one mapping. Therefore, if you use one-to-one mapping for large numbers of clients, consider developing custom Active Server Pages Web enrollment pages to automate the mapping process. For more information about developing custom enrollment Web pages that map certificates automatically, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources .
In addition, consider using many-to-one mapping to control Web site access when it is feasible to do so. Use one-to-one mapping as necessary to control Web site access when you have a relatively small number of clients. For example, you might use one-to-one mapping to grant Web site access to several administrators and then use many-to-one mapping to grant Web site access to a large number of employees from your organization, selected consultants, and selected employees of business partners.
You can use separate many-to-one certificate mappings for each group to which you want to grant Web site access. You can configure user accounts that grant different sets of rights and permissions on the basis of clients' ownership of valid certificates that match the mapping rules. For example, you can map your employees to a user account that grants them full read access to the Web site, but map consultants and employees of business partners to other accounts that allow access only to nonconfidential information and selected proprietary information.
NTFS Access Control Lists
NTFS ACLs extend the granular security that is available for Web sites. When Web sites are installed on NTFS file systems, user rights and access permissions for Web resources are controlled by file system ACLs. You can configure these lists to control access to individual Web sites, folders, or files. You can use Windows Explorer to grant rights and permissions for user accounts and security groups. When folders and files have ACL restrictions, Internet Information Services prompts users to enter their Windows 2000 user names and passwords for authenticated access, even when anonymous access is enabled for the requested resource. Because this security is not available for file allocation table (FAT) or FAT32 file systems, consider using NTFS for all of your Web sites to provide the additional security benefits of NTFS file and folder security.