Share via


Web Server Authentication and Permissions

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

To provide security, each virtual directory that is mapped by the Web Server has associated authentication values and permission values that correspond, respectively, to the A and P values that are identified in the registry key for that virtual directory.

The authentication and permissions checks that are performed by the Web Server should not be confused with a secure connection. Therefore, all data (with the exception of Microsoft Windows NT Challenge/Response (NTLM) passwords) that is sent between the client browser and the server is in plain text. Note that Basic authentication is vulnerable to packet sniffing, so take care when sending sensitive information to and from the server across a public or non-secure network, such as the Internet.

Aa926209.security(en-us,MSDN.10).gifSecurity Note:
If the Web Server is used without appropriate values set for the User List and the Domain variables, as is the default setting, it becomes vulnerable to attacks. A malicious user must only guess the device's password, as set in Control Panel, to obtain access to a server. In order to prevent such an attack the user name in the UserList registry value must be set for each of the servers that are currently running. The user will then need to log in with the specified user name and appropriate password in order to use the server.

The following topics contain more information about Web Server Authentication and Permissions

Web Server Authentication

Web Server Access Rights

Web Server Permissions

Web Server User Lists

SSL Support

SSL Client Authentication

See Also

Concepts

Web Server (HTTPD) Application Development