Configuring Token Cache for Basic Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Basic authentication stores user tokens in a token cache. If you log on using Basic authentication with an account that has a high level of user logon rights, a successful attacker could use the account to gain access to the resources on your computer. There are several ways to minimize this threat:

• Do not log on, or allow anyone to log on, using Basic authentication with an account that has a high level of user logon rights.

• Configure the token cache to flush all tokens by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters FlushTokenCache registry key to any non-zero value, or set a short time span for cached user tokens by setting the Global Registry entry, UserTokenTTL, to less than the default of 15 minutes. Setting UserTokenTTL to 0 disables TTL-based flushing of tokens. When TTL-based flushing is disabled, user tokens remain cached until either IIS is restarted or the worker process is recycled. See UserTokenTTL in Global Registry Entries.

Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to restore the registry, see the "Restoring the Registry" and the "Restoring a Registry Key" topics in Registry Editor Help.

Important

Using Registry Editor incorrectly can cause serious problems that require reinstalling the operating system. Because Registry Editor bypasses the standard safeguards that prevent you from entering settings that are conflicting or likely to degrade performance or damage your system, exercise caution when making changes to the registry. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. For information about how to edit the registry, see "Changing Keys and Values" in Registry Editor Help.

Note that you should back up the registry before you edit it. If you are running Microsoft® Windows NT® Server or newer server operating system from Microsoft, you should also update your Emergency Repair Disk (ERD).

For information about how to edit the registry, see the "Changing Keys and Values", "Add and Delete Information in the Registry", and "Edit Registry Data" topics in Registry Editor Help.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).

Procedures

To configure token caching

1. From the Start menu, click Run.

2. In the Open box, type Regedit.exe, and click OK.

3. Navigate to and double-click the following key in the registry:

4. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters.

5. From the Edit menu, point to Add, click DWORD Value and then add the following registry value:

   Name: UserTokenTTL

   Type: REG_DWORD

   Data: number of seconds to cache user tokens, or 0 to disable token caching

6. Quit Registry Editor.

7. Restart IIS.

Related Information

• For information about setting the default logon domain, see Setting the Default Logon Domain.

• For information about the DefaultLogonDomain property, see DefaultLogonDomain Metabase Property.

• For more information about permissions, see "Access control" in Help and Support Center for Windows Server 2003.