Configuring ISA Server Authentication

ISA Server Authentication Options

You can configure which authentication method ISA Server will use to authenticate users that connect using Web Proxy clients. ISA Server supports the following authentication methods:
- Basic authentication Basic authentication sends and receives user information as plaintext and does not use encryption. Basic authentication is the least secure authentication method that ISA Server supports. However, because basic authentication is part of the HTTP specification, most browsers support it.
- Digest authentication Digest authentication passes authentication credentials through a process called hashing. Hashing creates a string of characters based on the password but does not send the actual password across the network, ensuring that no one can capture a network packet containing the password and impersonate the user. Digest authentication currently works only in a domain in which all the domain controllers are running Microsoft Windows 2000 or Windows Server 2003 and client computers are running Internet Explorer 5 or later. Digest authentication also works only if the domain controller has a reversibly encrypted copy of the requesting user’s password stored in Active Directory. This is not the default configuration, and so you must enable this. Storing a password in reversible encryption is significantly less secure than the Active Directory default, in which the password is stored in a one-way hash.
- Integrated Windows authentication Uses either the Kerberos version 5 authentication protocol or NTLM protocol, both of which do not send the user name and password across the network. Integrated Windows authentication works with Internet Explorer 2.0 or later. Use Integrated Windows authentication when all the client computers use Internet Explorer. Integrated Windows authentication is the default authentication method used by members of the Windows 2000 Server and Windows Server 2003 families.
- Digital certificates authentication Requests a client certificate from the client before allowing the request to be processed. Users obtain client certificates from a certification authority that can be internal to your organization or a trusted external organization. Client certificates usually contain identifying information about the user and the organization that issued the client certificate. Client certificates are more commonly used to authenticate Internet users rather than internal users trying to access the Internet. Web Proxy clients do not support client certificate authentication.
- Remote Authentication Dial-In User Service RADIUS is an industry-standard authentication protocol. A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates the RADIUS client request, and sends back a RADIUS message response. RADIUS authentication is more frequently used to provide authentication for accessing resources on the internal network from the Internet.

ISA Server Clients and Authentication
The ISA Server authentication that you choose depends on the type of ISA Server client you have deployed in your organization.

SecureNAT Clients For SecureNAT clients, there is no user-based authentication. You can restrict access to the Internet based only on network rules and other access rules. If an access rule requires authentication, SecureNAT clients will be blocked from accessing the resources defined by the rule.

Firewall Clients When ISA Server authenticates a Firewall client, it uses the credentials of the user making the request on the computer running the Firewall client. Because ISA Server requests credentials when a session is established, no client configuration is required to enable authentication of users who gain access to ISA Server by using a Firewall client. When the Firewall client requests an object, ISA Server does not ask the client to authenticate, because the session already has an identity.

Web Proxy Clients Web Proxy clients do not automatically send authentication information to the ISA Server computer. By default, ISA Server requests credentials from a Web Proxy client only when processing a rule that restricts access based on a user set element. You can configure which method the client and ISA Server use for authentication.

You can also configure ISA Server to require authentication for all Web requests. When a Web Proxy client requests HTTP content and all users are required to authenticate, ISA Server will always ask for user credentials before checking the firewall policy. Otherwise, ISA Server will try to determine if the first rule (of the ordered firewall policy) matches the client request. If the rule seems to match, but ISA Server requires client authentication to validate the match, ISA Server will request that the client authenticate.

MCP 70-299 : Planning and Configuring an Authentication Strategy

Lesson 1: Understanding the Components of an Authentication Model :

The Difference Between Authentication and Authorization :

The two processes are closely related and often confused. To understand the difference between authentication and authorization, consider an example in the physical world that most people are familiar with: boarding an airplane. Before you can board a plane, you must present both your identification and your ticket. Your identification, typically a driver’s license or a passport, enables the airport staff to determine who you are. Validating your identity is the authentication part of the boarding process. The airport staff also checks your ticket to make sure that the flight you are boarding is the correct one. Verifying that you are allowed to board the plane is the authorization process.

Storing User Credentials :

The server that authenticates the user must be able to determine that the user’s credentials are valid. To do this, the server must store information that can be used to verify the user’s credentials. How and where this information is stored are important decisions to make when designing an authentication model.

Lesson Summary :

■ Authentication is the process of proving your identity. In Windows networks, users frequently authenticate themselves using a user name and password pair. How the user name and password are communicated across the network has changed with different versions of Windows.
■ Earlier versions of Windows use LM authentication, which is still supported by Windows Server 2003 for backward compatibility but carries with it potential security vulnerabilities. LM authentication should be disabled whenever compatibility with Windows 95 or Windows 98 is not required.
■ If LM authentication cannot be disabled, the storage of the LMHash can be avoided for specific user accounts by using passwords greater than 14 characters or passwords that contain special ALT characters.
■ Newer versions of Windows use NTLMv1, NTLMv2, or Kerberos authentication. The Kerberos protocol is designed to be more secure and scalable than NTLM authentication.
■ Local passwords are stored and maintained by the Local Security Authority (LSA). The LSA is responsible for managing local security policies, authenticating users, creating access tokens, and controlling audit policies.
■ Windows Server 2003 and the Resource Kit include the Kerbtray.exe, Klist.exe, and CmdKey.exe tools for troubleshooting Kerberos authentication problems.

Lesson 2: Planning and Implementing an Authentication Strategy :

Considerations for Evaluating Your Environment :

When evaluating your environment, identify the following:

■ The number of domain controllers in your organization. Ensure that there are enough domain controllers to support client logon requests and authentication requests while meeting your redundancy requirements.

■ The type of network connectivity between site locations in your organization. Ensure that clients in remote sites are connected well enough to authenticate to domain controllers located in main sites.

■ The number of certification authorities (CAs) that are available in your organiza tion and their locations. Ensure that you have enough CAs to support the anticipated number of certificate requests.

What is a strong password?

A strong password is one that can be remembered by the user but that is also complex enough to be difficult to guess. For example, *&_I5y#<.h may appear to be a good password, but the user might be forced to write it down in order to remember it, creating a significant security vulnerability. Fortunately, there are techniques for creating strong passwords that the human brain can remember.

an easy-to-remember suffix to it to make it more secure: 99Butterflies@complexpass word.com. You now have a password that is 33 characters long, uses uppercase, lowercase, and symbols, is easy to remember, and that, because of the length, is harder than the *&_I5y#<.h password to crack.

Strong password policy :

When implementing and enforcing a password policy, consider the users’ inability to remember passwords that are too complex, change too often, and are too long. When passwords are too complex or too long, the eventuality that users will use other methods to remember their passwords, such as writing them down, is more likely.

Password Complexity is enforced by default in the Windows Server 2003 environment. The Password Complexity feature requires that passwords:
■ Do not contain all or part of the user’s account name.
■ Be at least six characters in length.
■ Contain characters from three of the following four categories:
❑ Uppercase characters (A through Z)
❑ Lowercase characters (a through z)
❑ Base 10 digits (0 through 9)
❑ Non-alphabetic characters (for example, !, $, #, %).

Windows 2003 Authentication Methods for Earlier Operating Systems :

Authentication protocols have improved over time and will continue to improve in the future. As a result, earlier operating systems support fewer and less secure authentication protocols than newer operating systems. By default, computers running Windows Server 2003 can accept all types of authentication protocols, including LM, NTLMv2, and Kerberos, to ensure compatibility with earlier operating systems. If your organization does not require this backward compatibility, you can you can configure security policy to support only the more secure protocols, such as NTLMv2 and Kerberos.

The Network Security LAN Manager Authentication Level policy defines which authentication protocols a computer sends and accepts. This policy is contained within the Local Policies\Security Options security policy node. Table 1.6 describes the options for this policy setting. The policy settings are listed in order from least to most secure. Increasing the security of this policy reduces compatibility with earlier clients and servers.

Enabling secure authentication for domain controllers :

To configure domain controllers to reject LM authentication:

1. On a domain controller, click Start, click Administrative Tools, and then click Domain Controller Security Policy.
2. Expand Local Policies and then select Security Options
3. Double-click Network Security: LAN Manager Authentication Level. The Network Security: LAN Manager Authentication Level Properties dialog box appears.
4. Select the Define This Policy Setting check box, if it is not already selected.
5. Select Send NTLMv2 Response Only\Refuse LM, and then click OK.
6. Close the Default Domain Controller Security Settings console.
7. Click Start, and then click Run. Type gpupdate.exe, and click OK. This causes the policy to take effect on the local domain controller immediately.

Lesson Summary :

■ Use security policy settings to configure authentication requirements.
■ Implement a strong password policy in your organization to reduce the likelihood that your users’ credentials will be compromised.
■ Although you can enforce complex passwords by using security policy in Windows Server 2003 Active Directory, employee education is the only way to keep users from writing down passwords or using discoverable personal information in passwords.
■ An account lockout policy prevents malicious attackers from logging on by continually guessing passwords; however, it enables malicious attackers to perform a denial-of-service attack that denies valid users from successful authentication.
■ Kerberos ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the ticket’s stored credentials, but long enough to minimize the number of tickets that clients request.
■ Use delegated authentication and constrained delegation as strategies for implementing supplemental authentication where required.
■ Any application that has the Certified for Windows Server 2003 logo has been tested to ensure that it will function in environments that require multifactor authentication.

Lesson 3: Configuring Authentication for Web Users :

Configuring Anonymous Access for Web Users :

Most public Web sites on the Internet allow anonymous access for at least a portion of the site. In other words, the general public can retrieve pages from the Web server without providing credentials. This does not mean that authentication is not taking place, however. Any user or process that accesses a file or other network resource must do so in the context of a security principal (a user, a computer, or a service account). When Internet Information Services (IIS) accesses files to be sent to an anonymous user, it uses a specified user account to access those files. When anonymous access is not allowed, users must provide their own credentials.

Configuring Web Authentication :

This chapter has already described three authentication protocols: LM, NTLM, and Kerberos.
However, none of these protocols can be used by a Web browser to authenticate a user to a Web server because Web browsers and Web servers can use only Hypertext Transfer Protocol (HTTP) to communicate. Web browsers must authenticate to Web servers using an authentication protocol that is contained within HTTP. Administrators configuring an IIS server have several authentication options that differ in how they pass the credentials to IIS and which browsers support them:

■ Basic Authentication. Selecting this option enables browsers to submit the user’s password in an encoded format that is equivalent to clear text. If the authentication traffic is intercepted, an attacker could easily determine the user’s password.
While this authentication method is vulnerable to being intercepted, it is supported by a wide range of browsers.
■ Digest Authentication For Windows Domain Servers. Selecting this option allows the Web browser to submit the user’s password in an MD5 hash. If digest authentication traffic is intercepted, an attacker would be able to easily determine the user’s password.
■ Integrated Windows Authentication. Selecting this option enables Kerberos v5 authentication and NTLM authentication within the Web requests. This allows the Web browser to send the user’s password in the form of a hash without requiring the user’s password to be stored using reversible encryption.
■ .NET Passport Authentication. Select this option if your organization is using the .NET Passport service for authentication. .NET Passport provides a central authentication service that many different organizations can use and allows users to authenticate themselves to many different, unrelated Web sites.