Why Audit a Web Server?: Auditing Web servers: IIS 4.0 — Part 2
✍ Scribed by Alison Webb
- Publisher: Elsevier Science
- Year: 2001
- Tongue: English
- Weight: 266 KB
- Volume: 2001
- Category: Article
- ISSN: 1353-4858
✦ Synopsis
What security is there in Microsoft IIS?
There are four security features. Two of them are standard to almost every application, and two are relevant to most networked applications.
Standard features
Client authentication
IIS gives you various authentication options to check who clients are, using an ID/password combination which is held in the NT user list for the Web server. The facility can be a mixed blessing, since the primary authentication method that's practicable over the Internet, Basic Authentication, sends easily-decipherable information over the network, and may do more to reveal information to hackers than to secure the site.
IIS Web file permissions
As NT has an access control system which allocates file and directory access rights to users, so IIS has a parallel system to secure Web pages.
Network features
Client IP address
You can specify inclusion lists (just certain named IP addresses can access the site) or exclusion lists (everyone except certain addresses can access the site). Obviously, most sites want to welcome as many visitors as possible, but the restriction is useful when administering intranets, to allow some segregation of information, and to restrict the opportunities for remote administration.
Session encryption
It's well worth the site acquiring a digital certificate and a public key encryption pair. Once installed, you will be able to use the SSL protocol, which encrypts sessions between the server and clients. This means that, providing you set the options for the site correctly, Basic Authentication will be much safer.
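The point about Basic Authentication and SSL, as an added example that is not part of the original article: the Authorization header is only Base64-encoded, so the ID and password are readable by anyone who sees an unencrypted session, and the audit check flags sites that accept Basic Authentication without requiring SSL. The sample header, the site inventory and its field names are constructed for illustration and are not IIS settings.

```python
import base64


def decode_basic(header_value):
    """Return (user, password) from an Authorization header value, or None.

    Basic Authentication is "Basic " + Base64("user:password"); Base64 is an
    encoding, not encryption, so no key is needed to reverse it.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed Base64 and invalid UTF-8
        return None
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_sites(sites):
    """Return names of sites that accept Basic Authentication without requiring SSL."""
    return [s["name"] for s in sites if s["basic_auth"] and not s["require_ssl"]]


# Constructed sample: the header a client would send for a made-up account.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"auditor:Example-Pass1").decode("ascii")

# Constructed site inventory; the field names are hypothetical.
SITES = [
    {"name": "intranet-hr", "basic_auth": True, "require_ssl": False},
    {"name": "extranet", "basic_auth": True, "require_ssl": True},
    {"name": "public-www", "basic_auth": False, "require_ssl": False},
]

if __name__ == "__main__":
    print("Recovered from header:", decode_basic(SAMPLE_HEADER))
    print("Basic Authentication without SSL:", audit_sites(SITES))
```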