Key Management Service
Digital signatures uniquely identify the transmitted package as originating from the party possessing the private key that goes with the public key. Signatures are validated against a certificate issued by a trusted certificate authority that vouches for its authenticity.
The certificate contains the public key of the key holder, the date of expiration and detailed information about the holder of the key. The certificate can also be associated with an extensible set of data fields, much like the ACLs associated with NTFS security permissions. They specify group membership and object permissions.
PKI Suite
Windows 2000 PKI Standards

| Standard | Description |
|---|---|
| Authenticode | Digital signatures that verify software origin, authenticity, and integrity. |
| Certificate Revocation List (CRL) | Lists certificates that have been compromised. |
| IP Security (IPSec) | Encryption of IP |
| Smart Card | ISO standards |
| Public Key Cryptography for Initial Authentication in Kerberos | Authentication using Kerberos 5 |
| Public Key Cryptography Standards | Message standards and formats |
| Secure Sockets Layer (SSL) | HTTPS |
| Server Gated Cryptography (SGC) | 128-bit session key and authorized CA |
| Transport Layer Security (TLS) | Implemented along with SSL |
| Public Key Infrastructure | IETF draft for interoperable PKI |
The above components set standards for the following: user authentication with smart cards, Authenticode, security context management, DES hardware (encryption algorithms), and the Encrypting File System (EFS).
Internet Information Services Security
| Access Type | Description | When to Use |
|---|---|---|
| Anonymous | The default. Access is through the IUSR_[computername] account, a member of the Guests group. | Public, low-risk websites; within an intranet. |
| Basic Authentication | Requires a username and password to access. Not very secure: credentials are encoded using UUEncoding and are easy to crack. | Low security, non-Windows clients, or when the browser supports nothing else; an extranet where security is necessary but the data is not confidential. |
| Digest Authentication | Same as Basic, but requires Windows 2000 and IE 5.0. Security credentials are hashed. | Security needed, data sensitive. |
| Integrated Authentication | Most secure: packets are encrypted and passwords are not exchanged. Access is transparent. | Windows 2000 domains using IE; requesting services from a non-Windows 2000 system. |
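The table's contrast between Basic and Digest, as an added example that is not part of the original page: HTTP Basic carries the credentials in a reversible encoding (Base64 per RFC 2617), so anyone who captures the header recovers the password, while Digest sends only an MD5 response computed over a server-issued nonce, and the server verifies it from a stored hash without ever receiving the password. The realm, nonce and credentials below are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values; realm and nonce are made up for the demonstration.
REALM = "example.local"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def basic_header(username, password):
    """Build the Authorization header a client sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header):
    """Recover the plaintext credentials from a captured Basic header.
    No secret is needed: the encoding is reversible, which is why the table
    rates Basic as not very secure."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). This is all the server has to store."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 Digest response (no qop): MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    The password itself never appears on the wire."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, response):
    """Server side: recompute the response from the stored HA1 and compare."""
    return digest_response(stored_ha1, method, uri, nonce) == response


if __name__ == "__main__":
    print(basic_credentials(basic_header("alice", "s3cret")))
    ha1 = digest_ha1("alice", REALM, "s3cret")
    resp = digest_response(ha1, "GET", "/private/", NONCE)
    print(resp, server_verify(ha1, "GET", "/private/", NONCE, resp))
```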
If Anonymous access is combined with other forms of authentication, anonymous access is attempted first.
Access permissions are configured in the IIS console: Read, Write, and Execute (run scripts).
You can combine NTFS and IIS permissions on specific folders or files within the web root (Inetpub\wwwroot by default).