By default, web browsing is being performed by use of the HTTP protocol, i.e. a connection between the client computer (using a web browser) to the web server (using IIS, Apache or any other sort of web server program). HTTP relies on TCP (Transmition Control Protocol) and uses port 80 on the listening server.
The main security issue with HTTP is the fact that all the traffic between the client and the server is done as clear text, meaning that anyone could potentially "listen" to your talk and grab frames and valuable information from the net.
To secure the transmission of information between your web server running IIS 6.0 on Windows Server 2003 and your browser clients, you can encrypt the information being transmitted by using SSL (Secure Sockets Layer).
Note: The procedure for applying SSL on IIS 5.0 (on Windows 2000) and IIS 5.1 (on Windows XP) is quite the same.
In order to successfully use SSL you need to obtain a Server Certificate. In this article I will only focus on obtaining a certificate from a local CA or importing an already existing certificate. However, it is possible (and in many cases preferred) that you obtain the Server Certificate from a trusted 3rd party CA such as Verisign or Thawte.
Configure SSL
To configure SSL for your website on IIS 6.0 (running on Windows Server 2003) complete the following steps:
Note: Although the screenshots are made with IIS 6.0 on Windows Server 2003, the same procedure applies for IIS 5.0 and IIS 5.1.
- Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites.
- In the console tree, right-click Default Web Site, and then click Properties.
Note: It's possible that the site you've created was stored under a different virtual server. If your website is not stored within the Default Web Site, right-click your own web site and click Properties.
- In the Default Web Site Properties dialog box, click Directory Security.
- On the Directory Security tab, click Server Certificate.
- In the Welcome to the Web Server Certificate Wizard, on the Welcome page, click Next.
- On the Server Certificate page, verify that Create a new certificate is selected, and then click Next.
Note: You can also import an already existing certificate. Do do so follow these steps:
- Click Import a certificate from a .pfx file. Click Next.
- In the Import Certificate path enter the path to where you've stored your existing certificate. Click Next.
- Enter the password configured for the .pfx file. Click Next.
- Go to step #13.
- On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
Note: If you don't have a Certificate Authority (CA) installed on your server or on a different server on the network you can prepare the request but you'll need to manually send it to the CA.
- On the Name and Security Settings page, in the Name box, type yourservername.domainname.com (or .net, .org, .mil etc. Use your own registered domain name, the one you want people to use when browsing to your site) and then click Next.
Note: You will need a different certificate for each website you'll run on this server, so make sure you provide the exact server URL.
Important note - Internet use: You must make sure that either the Name or the Common Name fields (one of them or both of them) exactly match the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that will require users to enter WWW.KUKU.CO.IL to reach it, you must then use WWW.KUKU.CO.IL as the Name or Common Name in the certificate request wizard, and DO NOT use SERVER1.MYINTERNALDOM.LOCAL.
Important note - Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server, or even just it's NetBIOS name. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name or the Common Name fields.
You can also change the Bit Length for the encryption key if you want.
- On the Organization Information page, in the Organization box, type your own company name. In the Organizational Unit box, type a descriptive name and then click Next.
- On the Your Sites Common Name page, in the Common name box, type yourservername.domainname.com (see important note in step #9) and then click Next.
- On the Geographical Information page, in the State/province box, type the required info and then click Next.
- On the SSL Port page, in the SSL port this web site should use box, verify that 443 is specified, and then click Next.
Note: SSL can only listen once on port 443, requiring you to either select a different SSL port for each SSL protected website you're about to host on the server, or, even better, use a different static IP for each site, and share port 443 amongst them.
- On the Choose a Certification Authority page, in the Certification Authorities box, verify that your online CA is selected, and then click Next.
- On the Certificate Request Submission page, click Next to submit the request, and then click Finish to complete the wizard.
To use the certificate to secure the web site that is using SSL
- In the Default Web Site Properties dialog box, on the Directory Security tab, in the Secure communications area, click Edit.
Note: It's possible that the site you've created was stored under a different virtual server. If your website is not stored within the Default Web Site, right-click your own web site and click Properties.
Note: It's also possible that you might not wish to protect the entire website, but merely one or two pages within the large website. In fact, this scenario is highly probable for most site operators that would only like to protect a couple or important pages, such as an online store or registration form. In that case you do NOT need to SSL-protect the entire site, so do NOT right-click the entire site. Right-click only the directory or pages within the site.
- In the Secure Communications dialog box, click the Require secure channel (SSL) check box, click the Require 128-bit encryption check box, and then click OK.
Note: Using a requirement of 128-bit encryption should pose no problem to current operation systems and web browsers, but keep in mind that older OSs might not be able to connect to your site.
- On the Directory Security tab, in the Authentication and access control area, click Edit.
- In the Authentication Methods dialog box, click Basic authentication (password is sent in clear text), and then click Yes to acknowledge the warning.
- Clear the Integrated Windows Authentication and Enable Anonymous Access check boxes, and then click OK.
Note: You are NOT required to disable anonymous access, this is just a security measure. It might be likely that your site is supposed to allow anonymous access, while still using SSL as the encryption method. This is true for websites that offer online shopping carts where surfers are supposed to enter their credit card numbers. You might not want to restrict these online shops only for people that hold a username and password. In that case keep the Enable Anonymous Access check boxes selected.
- In the Default Web site Properties dialog box, click OK.
- In all Inheritance Overrides dialog boxes, click OK.
- Close Internet Information Services (IIS) Manager.
Verify that SSL is working
To test your new settings connect your open a browser and type your server's FQDN (or NetBIOS name, if on the LAN) in the address bar (for example: http://server200 for your Intranet, or http://www.kuku.co.il for the Internet).
Note: Make sure you've followed the important note in step #9 above.
Since you still used HTTP (plain text http, using TCP port 80) you'll get the following error message:
Now re-type the URL by using HTTPS instead of HTTP. You should be able to view the OWA website.
You'll receive a Security Alert window. Click Ok.
If configured correctly, you should be able to connect to your now SSL-protected website.
To verify that you're using SSL try to find a small yellow lock icon on the browser lower right corner . Double click the lock icon.
A Certificate window will open. Review the information that is entered into the certificate and click Ok.
Note: Make sure you renew your certificate a few weeks before it expires in order to prevent mishaps like this one: Expired SSL Website Certificate.
No comments:
Post a Comment