Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsWindows Server 2003Windows 2000Windows NTSmall Business ServerVirtual ServerExchange ServerIISHost Integration ServerISA ServerSMSWSUSMOMWindows Media ServerSecurityCertification
Related Topics
SQL ServerMS WindowsMS OfficePC HardwareMore Topics ...
Windows Server Forum / IIS / IIS Security / February 2006

Tip: Looking for answers? Try searching our database.

Basic authentication against automated attacks

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Bulent - 28 Feb 2006 00:16 GMT
Is basic authentication useful against automated attacks (e.g. those
attacks using buffer overflows).  

Regards,
Bulent
Reply to this Message
Ken Schaefer - 28 Feb 2006 03:19 GMT
It depends if the buffer overflow occurs in a component that's invoked
before/after the Authentication process is invoked.

If there's a buffer overflow in the TCP/IP stack, then that can be exploited
before IIS even sees the request.

Cheers
Ken

: Is basic authentication useful against automated attacks (e.g. those
: attacks using buffer overflows).
:
: Regards,
: Bulent
Reply to this Message
Bulent - 28 Feb 2006 04:10 GMT
Ken,

Thank you for your quick response.

I assume that a much greater number of components would be involved
"after" the authentication process.  If this assumption is correct, is
it fair to say that basic authentication (with SSL) would minimise the
risk of such attacks (buffer overflow) being successful.

Thanks again,
Bulent
Reply to this Message
Ken Schaefer - 28 Feb 2006 04:18 GMT
: Ken,
:
[quoted text clipped - 4 lines]
: it fair to say that basic authentication (with SSL) would minimise the
: risk of such attacks (buffer overflow) being successful.

Yes.  Anything that prevents the payload from getting to the vulnerable
component would help.

So, requiring SSL would stop any attack that only operated over HTTP
Using Host-Headers would stop any attack that didn't supply a Host: HTTP
header
Using Basic Auth (or any Auth) would stop attacks that couldn't supply a
username/password

All of this does assume that the affected component is after the barrier.

Mostly this will stop automated attacks - manual attacks are a different
matter (but generally manual attacks would be directed against valuable
servers, not a server you might have sitting at home running your personal
website).

Cheers
Ken
Reply to this Message
Bulent - 28 Feb 2006 05:04 GMT
This is the answer I needed.

Thank you very much.
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2010 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.