automatic login with current username and password

"APA" <buddy_a_NOSPAM@hotmail.com> wrote in message news:%23ZIK$PbtGHA.2020@TK2MSFTNGP03.phx.gbl:

What is the risk of turning this setting on? Does it really send my password (over the internet) to the destination web server? Could someone on the webserver end hack this password and use it to infiltrate my network (let's assume that someone does have the ability to hack these things)? Not really sure how vulnerable this makes my network.

"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message news:uAXTpsctGHA.5044@TK2MSFTNGP05.phx.gbl:

By default this is enabled for (a) the Intranet security zone and (b) only when the webserver uses NTLM or Kerberos authentication (in these cases, the password is never sent in the clear). The risk you run is if the password is sent in clear text automatically to sites on the internet. I would not recommend changing the default setting.

What is the problem you are trying to solve here?

Cheers
Ken

"APA" <buddy_a_NOSPAM@hotmail.com> wrote in message news:egidg1ctGHA.4544@TK2MSFTNGP04.phx.gbl:

The problem is that I've developed some software that has a web interface that is secured by NTLM authentication, and the user set up the hostname for this site as host.domain.com. Even though this is a server on the local intranet, because the host name has a period in it, it is treated as being in the Internet zone. So they had to change the authentication setting of the Internet zone, and they are now worried about someone browsing to an unauthorized website that is also set up with NTLM authentication and that site stealing the username and password. So I don't know if their concern is warranted (and saying it's unlikely that someone could hack the username and password is not going to satiate them). So the question is: if a random server on the internet requires NTLM authentication and I browse to it with the "automatic login with current username and password" setting on, is it possible (in ANY way) to get my username and password?

David Wang wrote:

Basic and some Custom Authentication pass the username/password over the network. Integrated/NTLM/Kerberos does not pass the username nor the password over the network, so they are safer. NTLM is further safer in that the harvested user token cannot be used for delegation off the machine (i.e. the classic double-hop scenario).

By allowing "automatic login with current username and password" you make your web browsers vulnerable to having user passwords harvested whenever they visit an Internet website with "Basic Authentication" enabled. And since you cannot control which websites out there will do the harvesting, you are opening yourself up to vulnerabilities by configuring browsers to "automatic login with current username and password" in the Internet Zone.

I suggest that you:
1. Leave the Internet Zone at its original setting (I think it is "prompt for username/password").
2. Add the host.domain.com address to the Local Intranet Zone of IE, which should have "automatic login with current username and password".

This way, browsers don't fall victim to password harvesting for Internet sites, and the browser gives elevated behavior only to certain sites like host.domain.com.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote:

The solution is to add host.domain.com to IE's list of Intranet sites. You can do this via a Group Policy Object (GPO).

Cheers
Ken
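The fix both replies settle on (map host.domain.com into the Local Intranet zone and leave the Internet zone's logon setting alone) can be applied and verified from PowerShell. The script below is an added example, not code from the thread or from any of the posters. It assumes the per-user Internet Explorer registry locations and the encoding of the "Logon" setting (action value 1A00: 0x00000000 automatic logon, 0x00010000 prompt, 0x00020000 automatic logon only in Intranet zone, 0x00030000 anonymous), and it uses host.domain.com from the thread as the host to map; the function names are the example's own.

```powershell
# Added example (not from the thread): map host.domain.com into IE's Local
# Intranet zone for the current user and inspect the "Logon" setting (1A00)
# of each zone so the Internet zone can stay at its default.
# Assumptions: the per-user registry paths below and the 1A00 encoding are
# as documented for Internet Explorer; host.domain.com is the thread's host.

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone numbers shared by the ZoneMap data and the Zones\<n> subkeys.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Meaning of the DWORD stored under Zones\<n>\1A00 ("Logon").
$LogonModes = @{
    0x00000000 = 'Automatic logon with current user name and password'
    0x00010000 = 'Prompt for user name and password'
    0x00020000 = 'Automatic logon only in Intranet zone'
    0x00030000 = 'Anonymous logon'
}

function Add-IntranetSiteMapping {
    param(
        [Parameter(Mandatory)] [string] $HostName,      # e.g. host.domain.com
        [string[]] $Schemes = @('http', 'https')
    )
    # The ZoneMap key is laid out as Domains\<domain>\<leftmost label>, with a
    # DWORD per scheme whose data is the zone number (1 = Local Intranet).
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) {
        throw "Use a fully qualified name; '$HostName' has no dot and is already treated as intranet."
    }
    $domain = ($labels | Select-Object -Skip 1) -join '.'
    $key = Join-Path (Join-Path $ZoneMapRoot $domain) $labels[0]
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in $Schemes) {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value 1 -Force | Out-Null
    }
    return $key
}

function Get-ZoneLogonSetting {
    param([Parameter(Mandatory)] [int] $Zone)
    $raw = (Get-ItemProperty -Path (Join-Path $ZonesRoot $Zone) -Name '1A00' -ErrorAction Stop).'1A00'
    [pscustomobject]@{
        Zone  = $ZoneNames[$Zone]
        Value = ('0x{0:X8}' -f [int]$raw)
        Mode  = $LogonModes[[int]$raw]
    }
}

function Test-InternetZoneLogonIsSafe {
    # $true unless the Internet zone (3) is set to automatic logon with the
    # current credentials, which is the configuration the thread warns about.
    $internet = (Get-ItemProperty -Path (Join-Path $ZonesRoot 3) -Name '1A00').'1A00'
    return ([int]$internet -ne 0)
}

# Usage
$mapped = Add-IntranetSiteMapping -HostName 'host.domain.com'
"Mapped $mapped to the Local Intranet zone"
foreach ($z in 1, 3) { Get-ZoneLogonSetting -Zone $z }
if (-not (Test-InternetZoneLogonIsSafe)) {
    Write-Warning 'Internet zone uses automatic logon with current credentials; set 1A00 back to 0x20000 (automatic logon only in Intranet zone).'
}
```

This writes the per-user mapping that the Internet Options "Local intranet" sites dialog manages. To roll it out the way Ken suggests, use the "Site to Zone Assignment List" policy (User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page) with an entry for host.domain.com and the value 1; a policy entry takes precedence over the per-user key and cannot be edited by the user.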