What types of website authentication methods are safe (safest) over the Internet?

I have two sites that I'm thinking about right now.  One is a SharePoint intranet site.  The other is a ticketing system site.

The SharePoint site is a basic site that is used primarily for links, announcements, and an office calendar.  It doesn't have anything of secure nature on it, but that doesn't mean I'm not worried about security.  The site is set up in IIS 6.0.  It's using the free version of SharePoint on a 2003 server.  It is accessible on the Internet, which makes me question its security.  It is on a site that does not have SSL encryption.  But it is using Integrated Authentication.  From what I've read, Integrated Authentication is encrypted?  Is that true?  How safe is it without an SSL connection?

The ticketing system site is even worse, I think.  It is on a 2008 box in IIS.  We do not have it available outside of our network, but we would like to.  It is not using an SSL connection.   I looked at the authentication method in IIS, and it said it was using Anonymous.  I looked up Anonymous Authentication, but couldn't figure out much about it.  Is it encrypted?  The weird part (at least it's weird to me), is that once on the site, you still have to log in.  But apparently that's not website authentication?  I don't quite get that.  When people enter their credentials at that point, is it safe?

I just don't know anything about website authentication.  I don't know much about authentication in general.  Can anyone clarify all of this for me?
Asked by: silver1386

Aaron Tomosky (Technology Consultant) commented:
I'll take the easy one. Anonymous is the IIS default so that everyone can access the site without logging in. Basically a public site.
Now that just means that IIS isn't stopping a visitor from accessing stuff; you can still have access rules on individual pages in code.
The main reason I use something other than anonymous is to restrict access to my staging subdomain. I never use it for actual site logins using Windows users, but I'm not a SharePoint AD shop.
serchlop commented:
Here I see two topics: one is about authentication and the other is about information traffic through the Internet.

The integrated authentication method is good in terms of security, because it uses NTLMv2 or Kerberos, which are secure auth methods.

This authentication allows you to enter to see the information in the site or HTML server. But then the traffic sent to the client computer is sent in text format, without encryption, and if anyone puts a sniffer on your LAN or in an Internet café, he could see your information.

There are many ways to secure your information. The authentication method is good, but you have to secure your site with a cert and enable SSL to use HTTPS; in this way, the information on the Internet is encrypted.

Another way is to disable direct access to the Internet and allow access through a VPN. In a VPN all the traffic is encrypted.

And talking about your ticket system, there are two things referring to authentication. One is site authentication to IIS, which is anonymous. What it means is that you don't need a username/password in your server or domain network to access the site. This app uses form-based authentication, and the users are created in the database of the software. You can enable integrated authentication to secure your ticket site a little more, but then your information would be sent in clear text too.

Here about auth:
http://www.tech-faq.com/user-authentication-in-iis.html

and here about using SSL:
http://support.microsoft.com/kb/299875

jcbower commented:
NTLM with SSL would be the most secure.
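An added example, not part of the original thread: a small Python check that keeps IIS-level authentication (the `WWW-Authenticate` challenge) separate from an application's own login form and from transport encryption, the three things the answers above distinguish. The hostnames, sample responses and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# What a passive listener on a plain-HTTP connection learns from each
# IIS-level scheme advertised in WWW-Authenticate.
HANDSHAKE_EXPOSURE = {
    "basic": "password is only base64-encoded, so it is readable on the wire",
    "ntlm": "password is not sent, but the challenge/response can be captured",
    "negotiate": "password is not sent, but the Kerberos/NTLM tokens can be captured",
}

def advertised_schemes(headers):
    """Return lower-cased auth schemes from (name, value) header pairs."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def assess(url, status, headers, body=""):
    """Classify one captured HTTP response: server auth, app login, transport."""
    encrypted = urlsplit(url).scheme.lower() == "https"
    schemes = advertised_schemes(headers) if status == 401 else []
    forms_login = 'type="password"' in body.lower()
    findings = []
    if not schemes:
        findings.append("IIS auth: anonymous (server does not ask for credentials)")
    for s in schemes:
        note = "protected by TLS" if encrypted else HANDSHAKE_EXPOSURE.get(s, "unknown scheme")
        findings.append(f"IIS auth: {s} ({note})")
    if forms_login:
        note = "protected by TLS" if encrypted else "password is posted in clear text"
        findings.append(f"application login form ({note})")
    if not encrypted:
        findings.append("page content and any cookies travel unencrypted")
    return findings

# Constructed sample responses modelled on the two sites in the question.
SHAREPOINT = ("http://intranet.example.test/", 401,
              [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")], "")
TICKETS = ("http://tickets.example.test/login", 200, [],
           '<form method="post"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for sample in (SHAREPOINT, TICKETS):
        print(sample[0], *assess(*sample), sep="\n  ")
```

For the ticketing sample the result shows anonymous IIS authentication together with a forms login whose password crosses the network unencrypted, which is the case the question found confusing.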
