SSL vs Windows Integrated Security

From a security perspective, what is the difference between these two scenarios:

A) Using a Login web control (.NET 2 or later) over an SSL connection
B) Using Windows integrated security to log on to the web site

Which one is the most vulnerable (to hacking)? Is there any advantage to using Windows Integrated Security over SSL? Is there a way to use Kerberos or IPSec to protect the authentication and the communication when accessing a secured web site? Is it a good idea, relevant, ...?

Thanks

--
"Who's on first ..."


On Jan 26, 2:16 pm, Louis R. <Lou...@newsgroup.nospam> wrote:
> [...]

Louis,

Let me preface my comments by saying that no one can ever do a threat analysis (which is what you seem to be trying to do) without first understanding what your threats are, the capabilities and motivation of the attacker, and the value of the data being protected.

If you are looking at man-in-the-middle attacks, SSL is generally regarded as secure. Most successful attacks rely on compromise of the client computer in some way, but if that happens all bets are off anyway.

Integrated Windows Authentication has the two common problems in Internet authentication scenarios:

1) The user experience is poor. The user receives few clues about what the context is for logon and the application writer has little ability to influence the flow. Dealing with forgotten passwords, for example, is often very difficult for the user and the site owner.

2) Accounts with poor passwords can be compromised by dictionary-style attacks on the authentication sequence.

Doing Windows Integrated auth would certainly solve the 2nd problem.

Kerberos typically will not work in Internet logon scenarios since the KDC is usually not accessible. Ditto for IPSEC, although the specifics are different.

Most everyone these days goes with forms-based logon over SSL. For better security and user experience other options are available, such as MS InfoCard, but it's hard to rely on something like that before every client computer has the capability.

HTH,
Dave
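The following web.config is an added example of the "forms-based logon over SSL" setup Dave recommends; it is not code from the thread or from Microsoft. It shows the weak form most .NET 2.0 sites shipped with (a plain auth cookie that the browser also sends over http://) next to a hardened version, and wires the Login control's membership provider to lock accounts after repeated failures, which is the usual answer to the dictionary-attack point above. The connection-string name `MembershipDb`, the database name, `Login.aspx` and the lockout thresholds are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the thread): ASP.NET 2.0 web.config for forms
     authentication over SSL. Connection string, login page name and the
     lockout thresholds are placeholders to adjust per site. -->
<configuration>
  <connectionStrings>
    <!-- placeholder: the membership database created with aspnet_regsql -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=WebAuth;Integrated Security=True" />
  </connectionStrings>

  <system.web>
    <!-- WEAK (common default): the ticket cookie is not marked Secure, so a
         single http:// request to the same host leaks it to anyone on the
         path, and cookieless="UseDeviceProfile" may put the ticket in the URL.

         <authentication mode="Forms">
           <forms loginUrl="~/Login.aspx" />
         </authentication>
    -->

    <!-- HARDENED -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             protection="All"
             slidingExpiration="true"
             timeout="20"
             cookieless="UseCookies" />
    </authentication>

    <!-- Anonymous users are denied everywhere; Login.aspx is re-opened below. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Session and other cookies: HttpOnly and SSL-only as well. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Membership provider used by the Login control: hashed storage, no
         password retrieval, and lockout after 5 failures in 10 minutes. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>

  <!-- The login page itself must stay reachable by anonymous users. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With `requireSSL="true"` on `<forms>`, FormsAuthentication marks the ticket cookie Secure and refuses to issue it on a non-SSL request, so the site must also require SSL at the IIS level rather than merely offer it. The lockout counters are kept by `SqlMembershipProvider` and a locked account stays locked until `MembershipUser.UnlockUser()` is called, which means an attacker who knows usernames can lock legitimate users out on purpose; the thresholds are a trade-off between that denial of service and the dictionary attack, not a free win.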
Thanks Dave,

So, ...the bottom line is that most everyone feels that forms auth and SSL are the best way to go on a secured Internet app, whatever may happen. I suppose it would be the best overall mix concerning authentication, communication encryption and resource protection. Well, it makes sense that .NET 2 proposes a "Login kit" with Web components that are set to work with membership databases, roles and so on.

Is there anyone with other considerations about that?

--
"Who's on first ..."
Hi Louis,

Actually my understanding is that SSL and integrated auth work on different layers and there is no direct relation or conflict between them. SSL offers data encryption of the HTTP transmission. Windows integrated authentication is an authentication type which is considered more secure than other methods like Basic auth. However it may not be as flexible as form-based authentication, which is widely used by most Internet sites.

In case what you are working on is a public web site on the Internet, my recommendation is SSL + form-based authentication. If it's an intranet site, SSL + integrated auth might be better.

Furthermore, Kerberos is one of the protocols used by integrated auth; another one is NTLM.

Let us know if you have any further question on this. Have a great weekend.

Sincerely,
WenJun Zhang
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msd***@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 2 business days is acceptable. Please note that each follow-up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


Hi Louis,

Just wondering if you have any further question on this? Thanks.

Sincerely,
WenJun Zhang
Microsoft Online Community Support
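For the intranet case WenJun recommends (SSL + integrated auth, with Kerberos preferred over NTLM), here is an added example web.config for IIS 7; it is not code from the thread or from Microsoft. It shows the weak setting of leaving anonymous authentication enabled next to the corrected one, orders the providers so Negotiate (Kerberos when the client can reach the KDC) is tried before raw NTLM, and requires SSL for the whole site so neither the authentication headers nor the session cookie travel in cleartext. The group `CORP\WebAppUsers` is a placeholder.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the thread): web.config for an intranet site using
     SSL + Integrated Windows Authentication on IIS 7. CORP\WebAppUsers is a
     placeholder group name. -->
<configuration>
  <system.web>
    <!-- ASP.NET trusts the Windows identity that IIS already authenticated. -->
    <authentication mode="Windows" />

    <!-- URL authorization: rules are evaluated top to bottom, first match wins.
         Deny anonymous, allow one AD group, deny everyone else. -->
    <authorization>
      <deny users="?" />
      <allow roles="CORP\WebAppUsers" />
      <deny users="*" />
    </authorization>

    <!-- Run code as the application-pool identity, not as each caller; the
         caller's identity is still available from User.Identity for checks. -->
    <identity impersonate="false" />

    <!-- Session and other cookies stay HttpOnly and on the SSL channel. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- IIS 7 settings. These sections are locked in applicationHost.config by
       default and must be unlocked before a site web.config may set them. -->
  <system.webServer>
    <security>
      <authentication>
        <!-- WEAK: anonymousAuthentication enabled="true" (the default) lets IIS
             serve static files without any credential; ASP.NET's <deny users="?">
             above only covers requests that reach the ASP.NET pipeline. -->
        <anonymousAuthentication enabled="false" />
        <!-- Basic would send the domain password base64-encoded on every request. -->
        <basicAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <!-- Negotiate first: Kerberos when the client has a ticket for the
                 host's HTTP/ SPN, falling back to NTLM inside Negotiate. -->
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
      <!-- Require SSL for every request to the site. -->
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</configuration>
```

Before this web.config will load, unlock the IIS sections once on the server, e.g. `appcmd unlock config /section:system.webServer/security/authentication/windowsAuthentication` (and likewise for `anonymousAuthentication`, `basicAuthentication` and `security/access`). For Kerberos to actually be selected rather than NTLM, the browser must reach the KDC and find an `HTTP/<host>` SPN: when the application pool runs as NetworkService the machine account's existing SPNs cover that, but a custom domain account needs `setspn -A HTTP/intranet.corp.example CORP\svc-webapp`, and IIS 7 must then be told to use the pool credentials for its kernel-mode Kerberos decryption (`useAppPoolCredentials="true"` on `<windowsAuthentication>`), otherwise the ticket is encrypted to the machine account and authentication silently falls back to NTLM. This is also why such a setup stays on the intranet, as Dave notes: Internet clients have no route to the KDC.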