Security: Digest authentication: stalled authentication Rule

  • ID:  Security__Digest_authentication__stalled_authentication_6_Rule
  • Description:   
  • Target:  IIS 2003 Web Server
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

Digest Authentication provides the same service as Basic authentication -- except it transmits hashes of the user's credentials, whereas Basic transmits plain text passwords over the wire. To use Digest Authentication, the Web server needs access to passwords in plain text, and it is supported only with a Windows 2000 domain controller.

Causes
This rule does not contain any causes.
Resolutions

To use Digest authentication, all the following conditions must be met:

  • All clients must use Microsoft Internet Explorer 5 or later.

  • An authenticating domain controller and the server that is running IIS must exist in a trusted environment.

  • Both the domain controller and the server that is running IIS must be using a member of the Microsoft Windows 2000 or later family.

  • The user must use a domain-level account that is turned on to store the password in reversible encryption.

  • If the domain controller is running Windows 2000, subauthentication must be enabled for Digest authentication to work because Digest authentication in Windows 2000 is implemented with subauthentication. Subauthentication, or IISSuba.dll, is automatically copied in the C:\Windows\System32 folder when you set up Windows 2000 and Windows Server 2003. By default, subauthentication is not installed in IIS 6.0.

  • If IIS 6.0 is in worker process isolation mode, an application pool that contains a program that is using Digest authentication must run with Local System as the identity. The application pool must run with Local System as the identity because a user password is not stored outside the hash value that the client sends to IIS, and a worker process that is associated with the program cannot impersonate the user by using the user name and the password.

Advanced Digest authentication is only available in Windows Server 2003. To use Advanced Digest authentication, all the following conditions must be met:

  • All clients must use Internet Explorer 5 or later.

  • Both the domain controller and the server that is running IIS must be using a member of the Microsoft Windows Server 2003 or later family.

  • The user must use a domain-level account.

The following are some advantages of Advanced Digest authentication over Digest authentication:

  • Advanced Digest authentication does not have to use IIS subauthentication because Advanced Digest authentication uses the Windows Security Support Provider Interface (SSPI) conventional implementation.

  • Advanced Digest authentication does not have to use reversible password encryption. With Digest authentication in Windows 2000, a user who is authenticated by using Digest authentication must have the password stored with the Store password using reversible encryption option flagged. However, in Windows Server 2003, the Active Directory extended schema properties make sure that every newly created user account automatically has the Advanced Digest authentication password hashed and stored as a field in the AltSecId property of the user object.

  • A worker process with a program that is using Advanced Digest authentication does not have to run with Local System as the identity because subauthentication is not required.

The default authentication method for an IIS 6.0 upgrade is Digest authentication, and the default authentication method for a new installation of IIS 6.0 is Advanced Digest authentication.

To verify the setting, examine the value for the UseDigestSSP metabase property on an IIS 6.0 server. This property is a switch between Digest and Advanced Digest SSPI code. To view this value:

cd c:\inetpub\adminscripts

cscript adsutil.vbs get w3svc/UseDigestSSP

Note If the property has not been added to an examined node, you receive the following message, and the default value that IIS sets applies:

The parameter "UseDigestSSP" is not set at this node.

  • Click Start, click Run, type cmd, and then click Run.

  • Change the folder. To do this, type the following, and then press ENTER: cd c:\inetpub\adminscripts

  • Query the IIS configuration, and then view the setting. To do this, type the following and then press ENTER: cscript adsutil.vbs get w3svc/UseDigestSSPA returned value of 0 indicates that Digest authentication is used. A returned value of 1 indicates that Advanced Digest authentication is used. Note If the property has not been added to an examined node, you receive the following message, and the default value that IIS sets applies: The parameter "UseDigestSSP" is not set at this node.

Internet Explorer can be a factor when you use Digest authentication. In versions of IIS that are earlier than 6.0, Digest authentication is listed after Basic authentication in the WWW Authenticate header when both authentication methods are enabled in IIS. Because Internet Explorer uses the first recognized authentication method, it uses Basic authentication instead of Digest authentication.

IIS 6.0 implements a ranking for each supported authentication. The authentication rankings in order are:

  • Integrated Windows authentication. NTLM authentication or Negotiate authentication.

  • Digest authentication. Digest authentication or Advanced Digest authentication.

  • Basic authentication.

Because Digest authentication is ranked higher, Digest authentication is listed before Basic authentication in the WWW Authenticate header in IIS 6.0, and Internet Explorer uses Digest authentication instead of Basic authentication when both are enabled in IIS 6.0.

Note The "Web site authentication" section of the IIS 6.0 Help file discusses configuration and operation details. If you have installed Windows Server 2003 with IIS 6.0, this Help file is available locally as Drive:\WinDir\Help\Iismmc.chm.

External References
This rule does not contain any external references.

See Also for Windows Internet Information Services Management Pack


Downloads for Windows Internet Information Services Management Pack

AZURE OPTIMIZATION ASSESSMENT GET STARTED
MIGRATION TO AZURE GET STARTED
SYSTEM CENTER MIGRATION TO AZURE GET STARTED
MIGRATION TO AZURE FOR SQL AND WINDOWS 2008 GET STARTED