IIS: Use SSL when you use Basic authentication
Applies To: Windows Server 2008 R2
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System | Windows Server 2008 R2
Product/Feature | Internet Information Services
Severity | Error
Category | Security
Issue
Basic authentication is enabled for configuration path '<ConfigurationPath>' but it lacks a required SSL binding.
Example configuration path: MACHINE\WEBROOT\APPHOST\Default Web Site\My App
Impact
If you use Basic authentication without SSL, credentials will be sent in clear text that might be intercepted by malicious code.
Resolution
Use Basic authentication with an SSL binding, and make sure that the site or application is set to require SSL. Alternatively, use a different method of authentication.
If you want to continue using Basic authentication, you will need to check the site bindings to make sure that an HTTPS binding is available for the site, and then configure the site to require SSL. To do this by using IIS Manager, follow the steps in the next section. If you want to use another type of authentication, see the section "To use another type of authentication."
To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To use Basic authentication with SSL
Click Start, click Control Panel, and then click Administrative Tools.
Right-click Internet Information Services (IIS) Manager and select Run as administrator.
In the Connections pane on the left, select the computer you want to configure.
In the Connections pane, expand the computer that you selected, then expand Sites.
In the Connections pane, select the site that you want to configure.
In the Actions pane, click Bindings. The Site Bindings dialog appears.
If an HTTPS binding is visible, click Close and see the section "To require SSL" later on this page. If no HTTPS binding is visible, perform the following steps.
To add an HTTPS binding
In the Site Bindings dialog, click Add. The Add Site Binding dialog appears.
Under Type, select https.
Under SSL certificate, select an SSL certificate.
Click OK.
Click Close.
To require SSL
In Features View, double-click SSL Settings.
On the SSL Settings page, select Require SSL.
In the Actions pane, click Apply.
To use another type of authentication
Click Start, click Control Panel, and then click Administrative Tools.
Right-click Internet Information Services (IIS) Manager and select Run as administrator.
In the Connections pane on the left, select the computer you want to configure.
In the Connections pane, expand the computer that you selected, then expand Sites.
In the Connections pane, select the site that you want to configure.
In Features View, double-click Authentication.
On the Authentication page, select Basic Authentication.
In the Actions pane, click Disable.
On the Authentication page, select a different kind of authentication.
In the Actions pane, click Enable.
Note
Anonymous authentication is selected by default.
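The same checks and both fixes described above can be scripted. The following is an added example, not part of this topic or of IIS; it assumes the WebAdministration PowerShell module (IIS 7.5 on Windows Server 2008 R2), an elevated session, and a certificate thumbprint you supply in place of the placeholder.

```powershell
# Added example (not from the BPA topic). Assumes the WebAdministration module
# and an elevated PowerShell session; $CertThumbprint is a placeholder you fill in.
Import-Module WebAdministration
$AppHost = 'MACHINE/WEBROOT/APPHOST'   # config path root shown in the BPA message

# Report the facts the rule depends on: Basic auth enabled, an https binding
# on the site, and Require SSL (sslFlags contains Ssl) at the site/app location.
function Test-BasicAuthOverSsl {
    param([Parameter(Mandatory=$true)][string]$SiteName, [string]$AppPath = '')
    $loc = if ($AppPath) { "$SiteName/$AppPath" } else { $SiteName }
    $basic = (Get-WebConfiguration -PSPath $AppHost -Location $loc `
        -Filter 'system.webServer/security/authentication/basicAuthentication').enabled
    $flags = (Get-WebConfiguration -PSPath $AppHost -Location $loc `
        -Filter 'system.webServer/security/access').sslFlags
    $https = [bool](Get-WebBinding -Name $SiteName -Protocol https)
    $requireSsl = ("$flags" -match '\bSsl\b')   # 'Ssl128'/'SslNegotiateCert' alone do not count
    New-Object PSObject -Property @{
        Location = $loc; BasicEnabled = [bool]$basic; HttpsBinding = $https
        RequireSsl = $requireSsl
        Compliant = (-not $basic) -or ($https -and $requireSsl)
    }
}

# Fix 1 (keep Basic auth): add an https binding if missing, then set Require SSL.
function Enable-SslForBasicAuth {
    param([Parameter(Mandatory=$true)][string]$SiteName, [string]$AppPath = '',
          [Parameter(Mandatory=$true)][string]$CertThumbprint)
    $loc = if ($AppPath) { "$SiteName/$AppPath" } else { $SiteName }
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
        # New-WebBinding does not attach a certificate; the IIS:\SslBindings drive does.
        Get-Item "Cert:\LocalMachine\My\$CertThumbprint" |
            New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
    }
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Fix 2 (change authentication): disable Basic auth; Anonymous stays on by default.
function Disable-BasicAuth {
    param([Parameter(Mandatory=$true)][string]$SiteName, [string]$AppPath = '')
    $loc = if ($AppPath) { "$SiteName/$AppPath" } else { $SiteName }
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc `
        -Filter 'system.webServer/security/authentication/basicAuthentication' `
        -Name enabled -Value $false
}

# Audit the example path from the Issue section before deciding which fix to apply.
Test-BasicAuthOverSsl -SiteName 'Default Web Site' -AppPath 'My App'
```

Run the audit function across `Get-Website` to find every site the rule would flag; apply one of the two fix functions only to locations that report `Compliant` as False.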