Mitigate the risk of broken authentication

The IIS web server can be configured to authenticate each HTTP request or the TCP connection with a Kerberos ticket. With Airlock Gateway, HTTP requests from different users are sent over the same TCP connection to the back-end server. Under these circumstances, it is important that the IIS web server re-authenticates each request.

Chapter-related warnings

HIGH – Mitigate the risk of broken authentication

Implement one of the actions listed below to mitigate the risk:

KeepAlive configuration for back-end connections
Follow the appropriate chapter to disable authPersistNonNTLM:

Disable authPersistNonNTLM in IIS 7.5
Disable authPersistNonNTLM in IIS 8.5
Disable authPersistNonNTLM in IIS 10.0

Chapter content

11.9.6.3.2.3.1. KeepAlive configuration for back-end connections

11.9.6.3.2.3.2. Disable authPersistNonNTLM in IIS 10.0

11.9.6.3.2.3.3. Disable authPersistNonNTLM in IIS 8.5

11.9.6.3.2.3.4. Disable authPersistNonNTLM in IIS 7.5