intanet authentication

[lizzi]

Hi
I´m wonder. At my work we have an intranet and it´s connected to our novell login. The authentication is: allow anonymous and integrated windows authentication. The intranet is accesible through internet. You just type in the right user and passw. It´s working great but my question is: does the allow anonymous have to be enabled? Since we almost must log on to the intranet can´t we just disable this checkbox? At

http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html

they recommend to turn off integrated windows authentication. I understand it doesn´t have to be enabled at a common website. But why anyway? Isn´t this the strongest authentication method.

/lizzi

 

[Lostwages]

Allow anonymous should not need to be checked, but that is the recomended way to run a server that is connected to the internet. The reason you should not use Windows Authentication, is because it requires your microsoft ports like 135 to be available to encrypt the passwords before the authentication part. Through the internet, these ports are blocked. That means your secure Windows passwords are sent in clear text through http port 80 until it hits the webserver and then is authenticated against the Windows account. So sure it is secure once it gets to the server, but it is the other part of the journey that causes the problems. Hope that helps,

-Todd


Learn Windows 2003 Server Videos:

http://www.learnwindowsserver.com/

 

[lizzi]

Thanks for your answer. Do you have any better solution to force the visitators to log on to our intranetserver or is this the way we have to solve it - even if it´s not safe?