IIS: Use SSL when you use Basic authentication

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Product/Feature

Internet Information Services

Severity

Error

Category

Security

Issue

Basic authentication is enabled for configuration path '<ConfigurationPath>' but it lacks a required SSL binding.

Example configuration path: MACHINE\WEBROOT\APPHOST\Default Web Site\My App

Impact

If you use Basic authentication without SSL, credentials are sent in clear text and can be intercepted by malicious code.

Resolution

Use Basic authentication with an SSL binding, and make sure that the site or application is set to require SSL. Alternatively, use a different method of authentication.

If you want to continue using Basic authentication, you will need to check the site bindings to make sure that an HTTPS binding is available for the site, and then configure the site to require SSL. To do this by using IIS Manager, follow the steps in the next section. If you want to use another type of authentication, see the section "To use another type of authentication."

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To use Basic authentication with SSL

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, select the computer you want to configure.

  4. In the Connections pane, expand the computer that you selected, then expand Sites.

  5. In the Connections pane, select the site that you want to configure.

  6. In the Actions pane, click Bindings. The Site Bindings dialog appears.

  7. If an HTTPS binding is visible, click Close and see the section "To require SSL" later on this page. If no HTTPS binding is visible, perform the following steps.

To add an HTTPS binding

  1. In the Site Bindings dialog, click Add. The Add Site Binding dialog appears.

  2. Under Type, select https.

  3. Under SSL certificate, select an SSL certificate.

  4. Click OK.

  5. Click Close.

To require SSL

  1. In Features View, double-click SSL Settings.

  2. On the SSL Settings page, select Require SSL.

  3. In the Actions pane, click Apply.
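The same check the Best Practices Analyzer performs, and the "Require SSL" step, can be scripted. The following PowerShell (using the WebAdministration module, run in an elevated session on the IIS server) is an added example and not part of this article: it lists every site or application where Basic authentication is enabled but the site has no HTTPS binding or does not require SSL, and can set Require SSL on the sites that already have an HTTPS binding.

```powershell
Import-Module WebAdministration

function Test-SslRequired([object]$sslFlags) {
    # The provider may surface the sslFlags attribute as flag names ("Ssl,SslNegotiateCert")
    # or as the numeric value (Ssl = 8 in the IIS schema); accept either form.
    $text = "$sslFlags"; $n = 0
    if ([int]::TryParse($text, [ref]$n)) { return ($n -band 8) -ne 0 }
    return $text -match '(^|[,\s])Ssl($|[,\s])'
}

function Get-BasicAuthWithoutSsl {
    foreach ($site in Get-Website) {
        $siteName = $site.Name
        $hasHttps = @(Get-WebBinding -Name $siteName -Protocol https).Count -gt 0
        # Check the site root and every application beneath it (e.g. "My App" in the example path)
        $paths = @('/') + @(Get-WebApplication -Site $siteName | ForEach-Object { $_.path })
        foreach ($appPath in $paths) {
            $location = if ($appPath -eq '/') { $siteName } else { "$siteName$appPath" }
            $basic = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
            if (-not $basic.Value) { continue }    # Basic authentication not enabled here
            $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                -Filter 'system.webServer/security/access' -Name sslFlags
            $requiresSsl = Test-SslRequired $flags.Value
            if ($hasHttps -and $requiresSsl) { continue }   # compliant: Basic auth only over SSL
            New-Object PSObject -Property @{
                ConfigurationPath = "MACHINE\WEBROOT\APPHOST\$($location -replace '/', '\')"
                HasHttpsBinding   = $hasHttps
                RequiresSsl       = $requiresSsl
            }
        }
    }
}

# Apply "Require SSL" (the SSL Settings step) to findings that already have an HTTPS binding.
# Adding the binding itself needs a certificate choice, so that is left to the administrator.
function Set-RequireSsl {
    param([Parameter(ValueFromPipeline = $true)]$Finding)
    process {
        if (-not $Finding.HasHttpsBinding) { return }   # add an HTTPS binding first
        $location = ($Finding.ConfigurationPath -replace '^MACHINE\\WEBROOT\\APPHOST\\', '') -replace '\\', '/'
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
}

Get-BasicAuthWithoutSsl | Format-Table -AutoSize
# Remediate the findings that already have an HTTPS binding:  Get-BasicAuthWithoutSsl | Set-RequireSsl
```

Setting sslFlags to 'Ssl' replaces any other flags (such as client certificate negotiation) at that location, so review the current value before remediating.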

To use another type of authentication

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, select the computer you want to configure.

  4. In the Connections pane, expand the computer that you selected, then expand Sites.

  5. In the Connections pane, select the site that you want to configure.

  6. In Features View, double-click Authentication.

  7. On the Authentication page, select Basic Authentication.

  8. In the Actions pane, click Disable.

  9. On the Authentication page, select a different kind of authentication.

  10. In the Actions pane, click Enable.

Note

Anonymous authentication is selected by default.