Security problem in IE login prompt...
| Hi,
Please enlighten me why IIS Server (running on a domain in Win2003) allows the
IE 6.0 client to log in with just username and password only, without keying in
the domain name before the username in the login prompt?
Is it a security problem in IIS Server in Windows authentication mode?
Any help please on the setting?
Thanks
| |
| Miha Pihler [MVP] 2005-11-02, 5:52 pm |
| This depends on IIS configuration. If you configure IIS properly it will not
require domain name...
--
Mike
Microsoft MVP - Windows Security
"Wan" <Wan@discussions.microsoft.com> wrote in message
news:C2B8BAC9-F9BF-40DE-9592-AF2B413A7323@microsoft.com...
> Hi,
> Please enlighten me why IIS Server (running on a domain in Win2003) allows
> the IE 6.0 client to log in with just username and password only, without
> keying in the domain name before the username in the login prompt?
>
> Is it a security problem in IIS Server in Windows authentication mode?
>
> Any help please on the setting?
> Thanks
| |
|
| Hi Mike,
But I need the user to key in the domain name with the user name as well in the
login prompt, e.g. microsoft.com\administrator.
Currently, my IIS allows the user to log in even without keying in the domain name.
How to enforce the user to key in the domain name?
"Miha Pihler [MVP]" wrote:
> This depends on IIS configuration. If you configure IIS properly it will not
> require domain name...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
> "Wan" <Wan@discussions.microsoft.com> wrote in message
> news:C2B8BAC9-F9BF-40DE-9592-AF2B413A7323@microsoft.com...
>
>
>
| |
| Miha Pihler [MVP] 2005-11-08, 6:28 pm |
| Hi,
Why do you want to torture your users? :-) Entering domain name doesn't add
anything to security...
If you really want to do this, open IIS and right click your site and then
click on Directory Security. Click on Edit button under Authentication
(first button from top to bottom). Under Default Domain user (on the bottom)
remove current value -- leave it blank. If this doesn't help you can try and
enter name of domain that doesn't exist...
I believe this should force your users to also enter domain name...
--
Mike
Microsoft MVP - Windows Security
"Wan" <Wan@discussions.microsoft.com> wrote in message
news:DB0441E2-8E6A-4BA6-AA45-A4F9DDA6719F@microsoft.com...
> Hi Mike,
> But I need the user to key in the domain name with the user name as well in the
> login prompt, e.g. microsoft.com\administrator.
> Currently, my IIS allows the user to log in even without keying in the domain
> name.
> How to enforce the user to key in the domain name?
>
>
> "Miha Pihler [MVP]" wrote:
>
| |
|
| Hi Mike,
Thanks for your response.
The reason why I need the user to specify the domain is because there is more
than 1 IIS server, running in different domains respectively. I think it
would be better to differentiate between the same userid in multiple IIS
domains when entering the username in the IE login prompt.
OK, I went to the Authentication Methods dialog in IIS, but the default
domain is already blank and also disabled. FYI, I only checked Integrated
Windows Authentication.
Please enlighten me?
Thanks
"Miha Pihler [MVP]" wrote:
> Hi,
>
> Why do you want to torture your users? :-) Entering domain name doesn't add
> anything to security...
>
> If you really want to do this, open IIS and right click your site and then
> click on Directory Security. Click on Edit button under Authentication
> (first button from top to bottom). Under Default Domain user (on the bottom)
> remove current value -- leave it blank. If this doesn't help you can try and
> enter name of domain that doesn't exist...
>
> I believe this should force your users to also enter domain name...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Wan" <Wan@discussions.microsoft.com> wrote in message
> news:DB0441E2-8E6A-4BA6-AA45-A4F9DDA6719F@microsoft.com...
>
>
>
| |
| Miha Pihler [MVP] 2005-11-08, 6:28 pm |
| You would have to enable only "Basic Authentication", but note that if you
do -- usernames and passwords will be sent to the server in clear text. You
should use e.g. SSL to protect this information between client and server.
--
Mike
Microsoft MVP - Windows Security
"Wan" <Wan@discussions.microsoft.com> wrote in message
news:702046F5-DCCF-4C19-A976-82D6C7FB0FDE@microsoft.com...
> Hi Mike,
> Thanks for your response.
> The reason why I need the user to specify the domain is because there is more
> than 1 IIS server, running in different domains respectively. I think it
> would be better to differentiate between the same userid in multiple IIS
> domains when entering the username in the IE login prompt.
>
> OK, I went to the Authentication Methods dialog in IIS, but the default
> domain is already blank and also disabled. FYI, I only checked
> Integrated Windows Authentication.
> Please enlighten me?
> Thanks
>
>
> "Miha Pihler [MVP]" wrote:
>
| |
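Added example, not part of the original thread: a small audit helper illustrating the reply above, showing that a Basic `Authorization` header is only base64-encoded, so the `domain\user` and password are readable without TLS. The function names, the `EXAMPLE` domain and the sample credentials are constructed for illustration.

```python
import base64


def make_basic_header(account, password):
    """Build the header value a browser sends for Basic auth (constructed sample)."""
    raw = f"{account}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(header_value):
    """Decode a Basic Authorization header into (domain, user, password).

    domain is None when the client typed a bare username.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic authorization header")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    # Only the first ':' separates account from password.
    account, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if "\\" in account:                      # DOMAIN\user form
        domain, user = account.split("\\", 1)
    elif "@" in account:                     # user@domain form
        user, domain = account.rsplit("@", 1)
    else:                                    # bare username
        domain, user = None, account
    return domain or None, user, password


def audit_request(url_scheme, header_value):
    """Return findings for one request (URL scheme plus Authorization header)."""
    domain, _user, _password = parse_basic_credentials(header_value)
    findings = []
    if url_scheme.lower() != "https":
        findings.append("credentials readable on the wire (no TLS)")
    if domain is None:
        findings.append("no domain supplied; the server's default domain applies")
    return findings


if __name__ == "__main__":
    sample = make_basic_header("EXAMPLE\\alice", "s3cret")  # constructed
    print(parse_basic_credentials(sample), audit_request("http", sample))
```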
|
| Hi Mike,
What if I don't require SSL because they are just intranet servers. Any other
backdoor way, e.g. changing the registry or setting at the policy?
Thanks
"Miha Pihler [MVP]" wrote:
> You would have to enable only "Basic Authentication", but note that if you
> do -- usernames and passwords will be sent to the server in clear text. You
> should use e.g. SSL to protect this information between client and server.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Wan" <Wan@discussions.microsoft.com> wrote in message
> news:702046F5-DCCF-4C19-A976-82D6C7FB0FDE@microsoft.com...
>
>
>
| |
| Miha Pihler [MVP] 2005-11-08, 6:28 pm |
| Hi,
<snip>
> What if I don't require SSL because they are just intranet servers.
If you consider this safe on your LAN then it is OK.
> Any other backdoor way, e.g. changing the registry or setting at the
> policy?
Not that I am aware of...
--
Mike
Microsoft MVP - Windows Security