What types of website authentication methods are safe (safest) over the Internet?

Posted on 2011-05-05
Last Modified: 2012-05-11
I have two sites that I'm thinking about right now.  One is a SharePoint intranet site.  The other is a ticketing system site.

The SharePoint site is a basic site that is used primarily for links, announcements, and an office calendar.  It doesn't have anything of a secure nature on it, but that doesn't mean I'm not worried about security.  The site is set up in IIS 6.0.  It's using the free version of SharePoint on a 2003 server.  It is accessible on the Internet, which makes me question its security.  It is on a site that does not have SSL encryption.  But it is using Integrated Authentication.  From what I've read, Integrated Authentication is encrypted?  Is that true?  How safe is it without an SSL connection?

The ticketing system site is even worse, I think.  It is on a 2008 box in IIS.  We do not have it available outside of our network, but we would like to.  It is not using an SSL connection.   I looked at the authentication method in IIS, and it said it was using Anonymous.  I looked up Anonymous Authentication, but couldn't figure out much about it.  Is it encrypted?  The weird part (at least it's weird to me), is that once on the site, you still have to log in.  But apparently that's not website authentication?  I don't quite get that.  When people enter their credentials at that point, is it safe?

I just don't know anything about website authentication.  I don't know much about authentication in general.  Can anyone clarify all of this for me?
Question by: silver1386

    Accepted Solution

    I'll take the easy one. Anonymous is the IIS default so that everyone can access the site without logging in. Basically a public site.
    Now that just means that IIS isn't stopping a visitor from accessing stuff; you can still have access rules on individual pages in code.
    The main reason I use something other than anonymous is to restrict access to my staging subdomain. I never use it for actual site logins using Windows users, but I'm not a SharePoint AD shop.

    Assisted Solution

    Here I see two topics: one is about authentication and the other is about information traffic through the Internet.

    The integrated authentication method is good in terms of security, because it uses NTLMv2 or Kerberos, which are secure auth methods.

    This authentication allows you to enter and see the information in the site or HTML server. But then the traffic sent to the client computer is sent in text format, without encryption, and if anyone puts a sniffer on your LAN or in an Internet café, he could see your information.

    There are many ways to secure your information. The authentication method is good, but you have to secure your site with a cert and enable SSL to use HTTPS; in this way, the information on the Internet is encrypted.

    Another way is to disable direct access to the Internet and allow access through a VPN. In a VPN all the traffic is encrypted.

    And talking about your ticket system, there are two things referring to authentication. One is site authentication to IIS, which is anonymous. What it means is that you don't need a username/password in your server or domain network to access the site. This app uses form-based authentication, and the users are created in the database of the software. You can enable integrated authentication to secure your ticket site a little more, but then your information would be sent in clear text too.

    Here about auth

    and here about use ssl
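
The distinction drawn in the answer above (how the login is protected versus how the traffic is protected) can be checked from a site's responses. The following is an added example, not part of the original thread: the function names, finding codes and the `example.test` hostnames are assumptions, and the two sample responses are constructed to resemble the SharePoint and ticketing sites described in the question.

```python
import re

# Schemes that prove knowledge of the password without sending the password itself.
CHALLENGE_RESPONSE = {"negotiate", "ntlm", "digest"}

def offered_schemes(headers):
    """Lower-cased auth schemes from every WWW-Authenticate header (IIS sends one per scheme)."""
    return [v.split()[0].lower() for k, v in headers
            if k.lower() == "www-authenticate" and v.strip()]

def has_password_form(body):
    """True if the HTML contains an <input type=password> field (application-level login)."""
    return re.search(r"<input\b[^>]*\btype\s*=\s*[\"']?password\b", body, re.I) is not None

def audit(url, headers, body=""):
    """Return finding codes describing what is exposed to someone sniffing the connection."""
    encrypted = url.lower().startswith("https://")
    schemes = offered_schemes(headers)
    findings = set()
    if not encrypted:
        # Without TLS, everything after the login (pages, cookies) is readable.
        findings.add("CLEARTEXT_CONTENT")
        if "basic" in schemes:
            # Basic is only base64-encoded, so the password is readable too.
            findings.add("BASIC_OVER_HTTP")
        if has_password_form(body):
            # The login form itself is delivered over plain HTTP.
            findings.add("PASSWORD_FORM_OVER_HTTP")
    if schemes and all(s in CHALLENGE_RESPONSE for s in schemes):
        # Integrated Authentication: the password does not cross the wire.
        findings.add("CHALLENGE_RESPONSE_LOGIN")
    if not schemes:
        # Anonymous at the web server; any login is done by the application.
        findings.add("ANONYMOUS_AT_SERVER")
    return findings

# Constructed sample: Integrated Authentication over plain HTTP.
SHAREPOINT = ("http://intranet.example.test/",
              [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")], "")
# Constructed sample: Anonymous in IIS, form login in the application, plain HTTP.
TICKETS = ("http://tickets.example.test/login",
           [("Content-Type", "text/html")],
           '<form method="post"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for name, sample in (("sharepoint", SHAREPOINT), ("tickets", TICKETS)):
        print(name, sorted(audit(*sample)))
```
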


    Expert Comment

    NTLM with SSL would be the most secure.
