Basic Authentication (IIS 6.0)
The Basic authentication method is a widely used industry-standard method for collecting user name and password information. When you use Basic authentication, the browser displays a dialog box into which users are required to enter a previously assigned Windows account user name — which includes a Windows domain name, for example, Domain1\User1 — and password, which are also known as credentials. The browser then attempts to establish a connection to a server using the user's credentials. The plaintext password is Base64-encoded before it is sent over the network.
One advantage of Basic authentication is that it is part of the HTTP specification and is supported by most browsers. However, Base64 encoding is not encryption. Web browsers that use Basic authentication transmit passwords in an unencrypted form. If a Base64-encoded password is intercepted over the network by a network sniffer, unauthorized users can easily decode and reuse the password. Therefore, Basic authentication is not recommended unless you are confident that the connection between the user and your Web server has been secured, for example, with a dedicated line or an SSL connection. For more information about SSL, see SSL and Certificates.
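As an added illustration, not part of the IIS documentation, the following Python snippet shows why Base64 offers no protection: it builds the Authorization header a browser would send for a constructed account Domain1\User1, recovers the domain, user name and password from a captured request, and flags the request as exposed when it did not travel inside an SSL connection. The account, password, host and path are made up, and the audit helper is an assumed name.

```python
import base64
import binascii
from typing import List, Optional, Tuple

# Constructed sample: the header a browser builds for the made-up account
# Domain1\User1 with password "Passw0rd!".
SAMPLE_HEADER = "Basic " + base64.b64encode(b"Domain1\\User1:Passw0rd!").decode("ascii")
# -> "Basic RG9tYWluMVxVc2VyMTpQYXNzdzByZCE="
SAMPLE_REQUEST = (
    "GET /reports/summary.aspx HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Authorization: {SAMPLE_HEADER}\r\n"
    "\r\n"
)


def decode_basic_authorization(header_value: str) -> Optional[Tuple[str, str, str]]:
    """Recover (domain, user, password) from 'Basic <base64>'; None if not decodable."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # Base64 is reversible: no key is needed to get the password back.
        cleartext = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    account, colon, password = cleartext.partition(":")
    if not colon:
        return None                      # Basic credentials always carry user:password
    domain, backslash, user = account.rpartition("\\")
    if not backslash:                    # plain user name, no Windows domain prefix
        domain, user = "", account
    return domain, user, password


def audit_request(raw_request: str, over_tls: bool) -> List[Tuple[str, bool]]:
    """Return (account, exposed) per Basic header; exposed means no SSL on the wire."""
    findings = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        creds = decode_basic_authorization(value)
        if creds is None:
            continue
        domain, user, _password = creds
        account = f"{domain}\\{user}" if domain else user
        findings.append((account, not over_tls))
    return findings
```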
If a user's credentials do not correspond to a valid Windows user account, Internet Explorer displays a dialog box into which the user re-enters his or her credentials. Internet Explorer — not IIS — allows the user three connection attempts before it terminates the connection and reports an error to the user. If a user's credentials correspond to a valid Windows user account, a connection is established.
Enabling Basic authentication does not by itself cause your Web server to authenticate users; to require authentication, you must also disable anonymous access. As a security best practice, create Windows user accounts for your users and set NTFS permissions on the content correctly. For step-by-step instructions for configuring Basic authentication, see Basic Authentication in IIS 6.0.
In IIS 6.0, the default logon type for Basic authentication (and Anonymous authentication) is NETWORK_CLEARTEXT. This is a change from earlier versions of IIS, in which the default logon type is INTERACTIVE. As a result of this change, when you use the default logon type for Basic authentication, users no longer need interactive logon rights. Basic authentication works with domain controllers, and the NETWORK and NETWORK_CLEARTEXT settings no longer require logon rights. Table 5.4 lists the logon types that are available for Basic authentication and Anonymous authentication.
For more information, see the LogonMethod Metabase Property.
Token Cache Security Considerations
When you use Basic authentication, user tokens are cached in the token cache. By default, tokens remain in the cache for 15 minutes. If you log on by using Basic authentication with an account that has a high level of user logon rights, an attacker who obtains that account's credentials could use the account to gain access to the resources on your computer. There are several ways to help minimize this threat:
If you use Basic authentication and disable the token cache, IIS must log on for every request made — potentially thousands for a requested Web page. This will have a negative effect on performance. For more information, see Balancing Performance and Security.
For information about editing the registry, see the Registry Reference.