IE Settings for Windows Authentication

I have an application that may require the following IE 6 configurations:

-Enable Integrated Windows Authentication
-Local Zone - Automatic logon with current username and password
-Internet Zone - Automatic logon with current username and password

What security risks go along with these settings?
WhahAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bbaoIT ConsultantCommented:
hi Whah,

briefly speaking, you are using windows authentication with IE, the risks depend on what kind of windows and what kind of authentication method you particually use. IE uses cryptographic exchanges between clients and servers to ensure the clients’ authentication.

for windows 9x/me/NT platforms, you have to use SAM database and NTLM authentication protocol, which are vulnerable to readily available password cracking programs. w2k/xp/2k3 computers may also use these if they have to keep backward compatibilty with the early systems on the network. IE working on such systems may have the risks mentioned above.

for a complete w2k/xp/2k3 environment, Kerberos is the default network authentication protocol between the computers joined in a domain. stand-alone systems, interactive logon, and authentication between the systems and down-level clients do not. domain accounts and passwords of w2k/xp/2k3 are not kept in the SAM and thus are not vulnerable to these particular programs, so IE working on these systems should be OK.

additionall, IE6 supports the latest internet security standards for client and server authentication, including SSL and TLS, so it can use these protocols to create a secure channel for information exchange over the web.

hope it helps,
bbao

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
WhahAuthor Commented:
I have a Web application that users will access from the intranet.  Is there a risk that the settings above will pass username and password to servers, applications or sites when they are browsing the internet?
bbaoIT ConsultantCommented:
> Internet Zone - Automatic logon with current username and password

then, this setting should be disabled. in fact, you dont actually need it if your clients only access the web application from your intranet.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.