Saturday, 8 October 2011

SSL and IIS




An Overview on Secure Sockets Layer (SSL)


With IIS, you can further secure websites by using the Secure Sockets Layer (SSL) encryption technology. SSL was developed by Netscape Communications, and enables secure communication over the Internet. SSL operates at the transport layer of Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, and uses public key cryptography to establish a secure SSL session between a Web server and client. A few features provided by SSL include authentication, message integrity, and data confidentiality through encryption.


To utilize SSL in IIS, the Web server has to obtain a digital certificate from a certification authority (CA), and install the digital certificate as well. A digital certificate usually contains a version number that identifies the X.509 standard version used for the certificate; the serial number of the certificate; the CA that issued the certificate; the signature algorithm identifier which defines the CA’s algorithm used for the digital signature of the certificate; the validity period of the certificate; the entity to which the certificate was issued; the intended uses of the certificate; the public key, and the location of the certificate revocation list (CRL).


To make certificates useful or trusted, you have to obtain a certificate from a trusted entity, called a certification authority (CA). A certification authority (CA) is the trusted entity that issues and manages the use of certificates. A CA can be an external third party CA such as VeriSign, GeoTrust, Thawte, IT Institute and GlobalSign; or you can deploy your own internal CAs. You can also use a combination of internal and external CAs. Manually requesting certificates from a CA occurs when you explicitly request the CA to issue a certificate. Certificates are automatically requested when an application requests and obtains a certificate as a background process, with no user intervention.


For configuring internal CAs, Microsoft provides Certificate Services. You can install Certificate Services from Control Panel, through Add Or Remove Programs. You can use Certificate Services to deploy either Enterprise CAs, or Stand-alone CAs. Enterprise CAs are integrated in Active Directory, and publish certificates and CRLs to Active Directory. Enterprise CAs can only issue certificates to users and computers within Active Directory. Enterprise CAs utilizes the information in the Active Directory database to automatically approve or deny certificate enrollment requests. Stand-alone CAs are not dependent on Active Directory to issue certificates.


When a client Web browser connects to a Web server that is configured for SSL, a SSL handshake is initiated with the Web server. The SSL handshake process occurs between a client and Web server to negotiate the secret key encryption algorithm which the client and Web server will utilize to encrypt the data which is transmitted in the SSL session.


The process that occurs to establish a secure SSL session is described below:
The client initiates the establishment of the SSL session by requesting the public key from the Web server.
The server responds by sending the client the public key.
The client proceeds to send the Web server a session key. The key is encrypted with the public key.
The server next decrypts the session key it receives by using its private key.
The session key is used to encrypt and decrypt data passed between the client and server.
The session key is discarded when the SSL session either times out or is terminated.
The Advantages of using SSL in IIS


A few benefits of using SSL in IIS are summarized below:
For Web traffic, SSL provides the following:
Server authentication: This enables a user to verify the identity of the server.
Client authentication: This enables a server to verify the identity of the client.
Secure encrypted connections: Data confidentiality is ensured because communications between the server and client are encrypted and decrypted.
For FTP sites, you can use SSL encryption on WebDAV supported directories to secure FTP communication.
For Network News Transfer Protocol (NNTP), an IIS component, you can increase security by using SSL at the server and client to encrypt communication.
For the Simple Mail Transfer Protocol (SMTP) service, another IIS component, you can increase security by using Transport Layer Security (TLS) for incoming mail connections. Transport Layer Security (TLS) is an Internet standard version of Secure Sockets Layer (SSL), and is very similar to Secure Sockets Layer version 3 (SSLv3). SSLv3 uses the Message Authenticate Code (MAC) algorithm, while TLS utilizes a hash for MessageAuthentication Code, also known as HMAC. Because the differences between SSL and TLC are so few, the protocols are typically called SSL/TLS. 

How to request and install server certificates on IIS Web servers


Before you can request and install a server certificate on an IIS machine, you need to install Certificate Services on a domain controller as the Enterprise Root CA.


How to install Windows Server 2003 Certificate Services (Enterprise root CA):
Place the Windows 2003 CD-ROM into the CD-ROM drive.
Select Install optional Windows components.
This action launches the Windows Components Wizard.
On the Wizard Components page, select Certificate Services.
Click Yes in the message dialog box that warns that you would not be able to modify the name of the server.
In the CA Type page, select Enterprise Root CA. Click Next.
In the CA Identifying Information page, set the common name for the CA. This name will be used in Active Directory, and in the enterprise.
In the Validity Period boxes, enter the lifetime for the CA. Click Next.
On the Certificate Database Settings page, verify that the locations specified for the database file and log files are correct.
At this stage IIS services are stopped, and the certificate service is installed and the CA database started. IIS is restarted after this.
Click OK when a message dialog box appears, warning that ASP must be enabled for Web enrollment.
Click Finish.


How to request and install a server certificate on IIS Web servers:

The Web Server Certificate Wizard is used to request and install a server certificate on IIS Web servers. To launch the Web Server Certificate Wizard,
Click Start, click Administrative Tools, and click Internet Information Services (IIS) Manager to open the IIS Manager console.
In the console tree, expand the Web Sites node.
Right-click the Web site that you want to set up a certificate for, and click Properties.
When the Properties dialog box for the Web site opens, click the Directory Security tab.
Click the Server Certificate button.


To request and install a server certificate,
Open the IIS Manager.
Open the Properties dialog box for the Web site for which you want to configure a server certificate.
Click the Directory Security tab, and then click the Server Certificate button.
This action launches the Web Server Certificate Wizard.
Click Next on the Welcome To The Web Server Certificate Wizard page.
On the Server Certificate page, click the Create A New Certificate option, and click Next.
On the following page, select one of the following options:
If you want to immediately request and obtain a certificate from a CA, click the Send The Request Immediately To An Online Certification Authority option.
If you want to send the certificate request to an offline CA, click te Prepare The Request Now But Send It Later option.


Click Next.
On the Name And Security Settings page, enter the following information:
A descriptive name for the new server certificate.
Specify a new Bit Length setting, or accept the default value of 1024 bits for this setting.


Click Next.
On the Organization Information page, enter the name of the Organization and the name of the Organizational Unit in the available text boxes. Click Next.
On the Your Site’s Common Name page,
For an intranet, enter the NetBIOS name of the IIS machine.
For a internet site, enter the fully qualified DNS name for the site.


Click Next.
On the Geographical Information page, provide the following information:
Country
State
City


Click Next.
Specify the TCP port for secure SSL communications. By default, this is port 443. Click Next.
Enter a filename for the certificate request if you have previously selected the Prepare The Request Now, But Send It Later option; or select the CA from the Certification Authorities list if you have previously selected the Send The Request Immediately To An Online Certification Authority option. Click Next.
On the Summary page, verify that you have selected the proper configuration settings.
Click Next to request and install the new server certificate.


How to submit a certificate request to a CA:


If you have selected the Prepare The Request Now But Send It Later option on the configuration pages of the Web Server Certificate Wizard, you have to submit the certificate request to a CA. If you are running Windows Server 2003, you can use Web-based enrollment to submit the certificate request to a CA.
Connect to the CA server using Internet Explorer 5.0 or above, and the Administrator account.
You can use the following URL: http:// /certsrv.
Enter the appropriate user name and password if you are not automatically authenticated.
The Web based interface for manually requesting certificates opens, and the Welcome page is displayed.
Click the Request A Certificate option.
On the following page, click Advanced Certificate Request.
Select Submit A Certificate Request By Using A Base-64-Encoded CMC Or PKCS #10 File, Or Submit A Renewal Request By Using A Base-64-Encoded PKCS #7 File.
Proceed to open the certificate request file which you saved when using the Web Server Certificate Wizard.
Copy the file’s contents to the Saved Request box in Internet Explorer.
Click the Certificate Template list. Click Web Server. Click Submit.
Click DER Encoded. Click Download Certificate.
Save the file on the local computer.
Proceed to Launch the Web Server Certificate Wizard.
Click Next on the Welcome To The Web Server Certificate Wizard page.
On the Pending Certificate Request page select the Process The Pending Request And Install The Certificate option, and then click Next.
When the Process A Pending Request page opens, choose the certificate file. Click Next.
Specify the TCP port for secure SSL communications. By default, this is port 443. Click Next
Click Next. Click Finish.
How to enable SSL security in IIS
Open the IIS Manager.
In the console tree, right-click the Default Web Site node and select Properties from the shortcut menu.
When the Default Web Site Properties dialog box opens, click the Web Site tab.
Verify that the SSL port is defined as the default SSL port – 443.
Click the Directory Security tab.
In the Secure Communications area of the dialog box, click the Edit button.
In the Secure Communications dialog box, click the Require Secure Channel (SSL) checkbox.
Click OK.
How to require 128-bit SSL encryption
Open the IIS Manager.
Right-click the Default Web Site node and select Properties from the shortcut menu.
Click the Directory Security tab.
In the Secure Communications area of the dialog box, click the Edit button.
Click the Require Secure Channel (SSL) checkbox.
Click the Require 128-Bit Encryption checkbox.
Click OK.
How to view installed server certificates
Open the IIS Manager.
Right-click the Default Web Site node in the console tree, and click Properties on the shortcut menu.
When the Web Site Properties dialog box opens, click the Directory Security tab.
Click the View Certificate button which is located under Secure Communications.
The Certificate properties dialog box opens next. The dialog box has the following three tabs:
General tab: This tab displays the following information:
The purpose of the certificate.
Issued To and Issued By information.
The certificate validity period.
Details tab: This tab contains comprehensive certificate information.
Certification Path tab: This tab contains a path illustration which displays the root CA.
How to manage server certificates in IIS


The management tasks which you generally perform for server certificates are listed below:
Renew an existing server certificate, prior to it expiring.
Copy/move an existing certificate to a different IIS Web server or site.
Export the existing certificate to store it at a different location.
Replace the current certificate if it has expired.
Remove the existing certificate if the site no longer requires secure SSL communications.


The above management tasks can be performed by re-launching the Web Server Certificate Wizard. After clicking Next on the Welcome To The Web Server Certificate Wizard page, you can choose between performing various server certificate management tasks.


To renew an existing server certificate,

Open the IIS Manager.
In the console tree, expand the Web Sites node.
Right-click the Web site that you want to renew the certificate for, and click Properties.
When the Properties dialog box for the Web site opens, click the Directory Security tab.
Click the Server Certificate button.
Click Next on the Welcome To The Web Server Certificate Wizard page.
On the Modify The Current Certificate Assignment page, click Renew The Current Certificate, and then click Next.
Select of the following options:
If you want to request and obtain a certificate from a CA, click the Send The Request Immediately To An Online Certification Authority option.
If you want to send the certificate request to an offline CA, click the Prepare The Request Now But Send It Later option.
Enter a filename for the certificate request if you previously selected the Prepare The Request Now, But Send It Later option; or select the CA from the Certification Authorities list if you previously selected the Send The Request Immediately To An Online Certification Authority option. Click Next.
Click Next. Click Finish.


To assign a current valid server certificate,

Open the IIS Manager.
In the console tree, expand the Web Sites node.
Right-click the Web site that you want to assign the certificate to, and click Properties.
When the Properties dialog box for the Web site opens, click the Directory Security tab.
Click the Server Certificate button.
Click Next on the Welcome To The Web Server Certificate Wizard page.
On the Server Certificate page, click Assign An Existing Certificate. Click Next.
Specify the TCP port for secure SSL communications. By default, thi is port 443. Click Next.
Click Next. Click Finish.
Configuring IIS to Enable Client Certificates


While Basic authentication, Integrated Windows authentication, Digest authentication, or Passport authentication are typically utilized to authenticate users attempting to access a Web site, SSL can also be used to authenticate clients. Through using SSL, you can require client certificates for verifying the identity of clients.


The easiest manner in which to authenticate users with certificates is to allow access to the site to those users that have a valid certificate to access the particular site. This solution however offers very little security. In IIS, the Web server automatically trusts certificates which were issued by any trusted root CA. This unfortunately includes public CAs which could have issued a certificate to a user which should be prevented from accessing the site.


To enhance security for a site when client certificates are used, you can implement either of the following solutions:
You can use client certificate mappings to restrict access to the site to only those users whom have certain certificates.
One-to-one mapping: This configuration maps individual certificates to individual user accounts. A single certificate is associated with a user account. A user is authenticated when they provide a valid user name and password.
Many-to-one mapping: This configuration requires certificates to match a certain list of rules. Client certificates that match the specific criteria are accepted.
You can set up a certificate trust list (CTL) to limit the number of root CAs which are able to issue certificates to users. A CTL is a list of CAs for a specific Web site which are considered trusted. CTLs cannot be configured for FTP sites.


How to install a client certificate for a Windows client:
Open Internet Explorer.
Enter https://dc/certsrv/.
When the Microsoft Certificate Services Welcome page opens, click Request A Certificate. Click Next.
On the Choose Request Type page, click User Certificate. Click Next.
Click Submit on the User Certificate Identifying Information page.
The Certificate Issued page is displayed once the client certificate is issued.
To install the certificate on the browser, click Install This Certificate.


How to view existing client certificate information:
On the client, open Internet Explorer.
Select Internet Options from the Tools menu.
In the Internet Options dialog box, click the Content tab.
Click the Certificates button in the Certificates area of the tab.
The Certificates dialog box opens.
In the Intended Purpose drop-down list, select Client Authentication to display the currently installed client certificates.
Choose the certificate, and click the View button.


How to enable client certificates in IIS:
Open the IIS Manager.
In the console tree, right-click the Default Web Site node and select Properties from the shortcut menu.
When the Web Site Properties dialog box opens, click the Web Site tab.
Verify that the port 443 is defined as the SSL port.
Click the Directory Security tab.
In the Secure Communications area of the dialog box, click the Edit button.
In the Secure Communications dialog box, click the Require Secure Channel (SSL) checkbox.
Under Client Certificates, click the Require Client Certificates option to enable client certificates.
Click OK.


How to create one-to-one client certificate mappings:


Before you can create a one-to-one client certificate mapping, you have to export the user’s certificate. To export the user’s certificate,
On the client, open Internet Explorer.
Select Internet Options from the Tools menu.
In the Internet Options dialog box, click the Content tab.
Click the Certificates button to open the Certificates dialog box.
In the Intended Purpose drop-down list, select Client Authentication.
Select the certificate from the list of currently installed client certificates.
Click the Export button.
When the Certificate Export Wizard starts, click Next.
On the Export Private Key page, select the No, Do Not Export the Private Key option. Click Next.
On the Export File Format page, select the Base-64 Encoded X.509 option. Click Next.
Enter a file name for the exported certificate. Click Next.
Click Finish.


To create one-to-one client certificate mappings,
Open the IIS Manager.
In the console tree, expand the Web Sites node.
Right-click the Web Site, and click Properties on the shortcut menu.
When the Properties dialog box opens, click the Directory Security tab.
In the Secure Communications area of the dialog box, click the Edit button.
In the Secure Communications dialog box, select the Enable Client Certificate Mapping checkbox.
Click Edit to open the Account Mappings dialog box.
On the 1-1 tab, click Add.
In the Open dialog box, choose the file which you previously exported and click Open.
On the Map To Account dialog box, enter a name in the Map Name box.
Click the Browse button to search the domain for the particular user account.
Select the user, click Add, and click OK
Enter the password for the user account.
Click OK several times to close all open dialog boxes.


How to create many-to-one client certificate mappings:
Open IIS Manager.
Open the Properties dialog box for the Web site.
Click the Directory Security tab.
In the Secure Communications area of the tab, click Edit.
Select the Enable Client Certificate Mapping checkbox.
Click the Edit button.
Click the Many-1 tab.
Click Add to open the General page.
Enter a name for the rule in the Description box, and then click Next.
On the Rules page, click New.
When the Edit Rule Element dialog box opens, from the Certificate Field list:
Select Issuer, to filter based on the issuing CA; or
Select Subject, to filter on the entity to which the certificate was issued.
Specify the appropriate criteria for the rule in the Criteria box. Click OK.
After adding all the necessary rules, Click Next
On the Mapping page, select one of the following:
To not accept access that match the criteria, click the Refuse Access option.
To map matching certificates to a user account, click the Accept This Certificate For Logon Authentication option.
If you previously selected Accept This Certificate For Logon Authentication, enter information in the Account box and Password box.
Click Finish.


How to configure a certificate trust list (CTL)
Open the IIS Manager.
Open the Properties dialog box for the particular Web site.
Click the Directory Security tab, and click Edit under Secure Communications.
Select the Enable Certificate Trust List checkbox.
Click New to start the Certificate Trust List Wizard. Click Next
On the Certificates In The CTL page, click the Add From Store button.
The Select Certificate dialog box opens and displays all the available certificates.
Choose the certificates you want to use, and click OK.
Click Next on the Certificates In The CTL page.
On the Name And Description page, enter a name and description for the CTL. Click Next.
Click Finish.

    0 comments:

    Post a Comment