IIS 6 Administration
|
|
Websites running on IIS can also be secured using an extra layer of security called Secure Sockets Layer (SSL), an encryption technology first developed by Netscape. SSL uses public key cryptography to establish an encrypted session key to ensure that communication between a web server and client is private and not open to eavesdropping. To use SSL on IIS, you need to obtain a digital certificate from a certificate authority (CA) and install it on your server as a server certificate. This certificate both encrypts communications and guarantees the identity of the server to the client, ensuring trust so that the client is willing to submit sensitive information such as user credentials, credit card info, and so on. Commercial certificate authorities from which you can purchase server certificates for your web server include these companies:
-
Verisign (www.verisign.com)
-
GeoTrust (www.geotrust.com)
-
GlobalSign (www.globalsign.com)
-
Thawte (www.thawte.com)
-
IT Institute (www.wholesaleurl.com)
Prices and services differ for these sites, and some of them, such as Verisign, offer free trial offers. Purchasing a server certificate from a public CA like Verisign is important if you plan to use SSL to run e-commerce applications on your IIS machine, because browsers like Internet Explorer have root certificates from many of these companies preinstalled. This allows users to use their browser to connect to SSL-enabled sites and be sure that their communications are private, so they can confidently submit their credit card or bank account information to purchase products and services or make other financial transactions.
SSL can also ensure secure communication between remote employees and company intranets in an intranet environment. In this case, an alternative to purchasing server certificates from public CAs is to set up your own internal CA on your company network. Microsoft provides such a tool for the Windows Server 2003 platform—Certificate Services, an optional component you can install using Add Or Remove Programs. Using Certificate Services, you can set up different types of CAs on your network and manage them yourself, including
-
Enterprise CA This type of CA is integrated into Active Directory and is the most common type in enterprise environments to provide secure intranet access.
-
Stand-alone CA This type of CA does not use Active Directory and is therefore less manageable, but can be used for either Internet or intranet scenarios.
You can also create a chain of CAs within your enterprise if it is large or geographically dispersed. These chains start with root CAs whose trust is assumed rather than guaranteed by some other CA, followed by subordinate CAs whose trust is derived from the root. For root CAs, you can use either Certificate Services itself or some other public CA, which gives you considerable flexibility in how you establish your CA chain of trust.
Requesting and Installing a Server Certificate
For this example, I’ll assume that you’ve first installed Certificate Services on a domain controller in your network as an Enterprise Root CA using Add Or Remove Programs in Control Panel. (This installation is performed with a wizard, so I won’t go into it here; a full treatment of Certificate Services is beyond the scope of this book.)
To request and install a server certificate on your IIS machine, use the Web Server Certificate Wizard (Figure 10-21). You’ll request a certificate for the Default Web Site and later enable SSL on this site for secure communications. To do this, follow these steps:
-
Open IIS Manager, right-click the Default Web Site, and select Properties.
-
Switch to the Directory Security tab and click the Server Certificate button to start the wizard.
-
Click Next.
Figure 10-21: Using the Web Server Certificate Wizard -
Select the option Create a New Certificate and click Next.
-
Select the option Send the Request Immediately to an Online Certificate Authority and click Next.
-
Type a descriptive name for the new certificate, specify a bit length, and click Next. The bit length is 1024 bits by default. Increasing this makes communications more secure but also slower (SSL usually adds a performance hit of more than a factor of 10 when enabled on web servers).
-
Type the name of your organization (company) and organizational unit (division or department), and click Next.
-
Type the common name of your site, which is typically the NetBIOS name of the IIS machine in an intranet environment or the DNS name for an Internet site, and click Next.
-
Select your country code and type the full name of your state and city, and click Next.
-
Specify the TCP port for secure SSL communications, which by default is port 443, and click Next.
-
Select the CA from your enterprise network from which you want to request and obtain your server certificate (the DNS name of the domain controller on which Certificate Services is installed) and click Next.
-
Review the information you’ve entered on the next screen, and if you’re satisfied click Next to request and install the certificate.
-
Click Finish to complete the wizard.
You can now view your newly installed server certificate by clicking the View Certificate button on the Directory Security tab of the Default Web Site properties sheet (Figure 10-22).
Enabling SSL
Now that you’ve installed a server certificate from your CA on your Default Web Site, you can enable SSL on the server:
-
Return to the Directory Security tab of the Default Web Site properties sheet, and click the Edit button under Secure Communications.
-
In the Secure Communications box, select Require Secure Channel (SSL) (Figure 10-23).
-
Click OK and then Apply.
SSL is now enabled on the server! By default, you’ve configured SSL to use whatever encryption level the client supports and to ignore any client certificates installed on the client. Client certificates verify the identity of the client to the server, a process that is usually unnecessary in commercial transactions with public e-commerce sites (they don’t care who you are, they just want your money), but they can ensure the identity of the client to the server in corporate intranet scenarios.
Testing the Server Certificate
Now you can test this new server certificate on the machine on which you’ve installed it:
-
Open Internet Explorer on your IIS machine and try to open the URL https:// localhost to securely access the Default Web Site. The “s” in “https://” tells the server that the client wants to use SSL for the connection.
-
Next, a Security Alert box appears indicating a problem with the certificate on the server. The reason for this is that the client (Internet Explorer) does not recognize the server certificate as issued by a trusted CA. For the client to trust the certificate, it needs to install a copy of the certificate as a trusted root certificate in its own certificate store. To do this, click View Certificate and then Install to start the Certificate Import Wizard (Figure 10-24).
-
Click Next twice and then Finish, accepting the defaults and closing the wizard. You should see a message that the import was successful. Click OK twice to return to the Security Alert box.
Figure 10-24: Using the Certificate Import Wizard -
Click Yes to accept the certificate, and you should be able to access your Default Web Site using SSL.
Managing the Server Certificate
You can perform various administrative housekeeping tasks for your server certificate by returning to the Directory Security tab and clicking the Server Certificate button again. This restarts the Web Server Certificate Wizard, and, when you click Next, you are presented with a number of management options, including
-
Renewing the current certificate, which you should do before it expires to ensure your clients can continue to communicate securely with your site
-
Removing or replacing the current certificate if it expires or you no longer need SSL for your site
-
Exporting the current certificate if you want to make a copy you can store elsewhere
-
Copying or moving the current certificate if you want to move it to a different site or server
|
|