
[Server Tutor] Windows 2003 IIS 6.0 Security - Part Three


Secure Communications with Certificates

Secure Communications provides a way to ensure that data transmission sessions between a host and a client take place under proof that the server is who it says it is. This is done with certificates. If your server doesn't have a certificate yet, you'll need to create a request for one. Click the Server Certificate button to begin a wizard that will help you do this. The Edit button lets you view any existing certificate entries.

The certificate will contain information on the version, serial number, signature algorithm (e.g., sha1RSA), Issuer, Valid From, Valid To, Subject, and public key. The certificate holds the keys that are used to authenticate the server and the client for SSL encryption. The Web server will create a session (encryption) key according to the security certificate. This key is used to encrypt all communication between the server and the client. The strength of the encryption is measured by the length of the encryption key (in bits). The encryption strength can be either 40 bits or 128 bits. The choice of encryption strength depends on the sensitivity of the data (highly sensitive data will require 128 bits, as opposed to 40).

1. Once the wizard starts, click Next to move on from the welcome screen.
2. You'll be prompted to create a new certificate, import one from a number of backup formats, or migrate a certificate from another computer onto the current one. For the purposes of this example, let's create a new certificate, so select that option and click Next.
Picture-1 Choose a Method
3. On the Delayed or Immediate Request screen, choose whether to prepare the certificate signing request and save it for later transmission and purchase, or to prepare the request and immediately transmit it to a certification authority. In this example, we'll save the request and send it later. Click Next.

4. The Name and Security Settings page appears. Type a friendly, easy-to-identify name for the certificate. Also, select the bit length of the certificate. A shorter bit length results in faster transmission and decryption but has weaker security overall; a longer bit length is significantly more robust but involves a lot of transmission and computing time during decryption. You also can choose to select a cryptographic service provider (CSP) for this certificate. Click Next to continue.
Picture-2 Name and Security Settings
5. On the Organization Information page, enter the name of your organization and the division under which this server resides. It's best to get this information from your main corporate office, as identifying information corroborating what you enter here will most likely be required of you by the certifying authority. Click Next once you've entered the necessary information.
Picture-3 Organization Information

6. The Your Site's Common Name page is next. Here, enter the valid DNS domain name for your site (such as order.enablehosting.com) assuming it is visible to the Internet. If it's an internal site, simply enter the NetBIOS name of the computer (for example, LEAVETRACKER), but it's really better to hedge your bets and use a full DNS name even for an internal site. Click Next to continue.
Picture-4 Site's Common Name

7. Enter your country of residence, state or province, and city or locality. Do not use abbreviations. Click Next.

Picture-5 Country of Residence

9. On the Certificate Request File Name page, specify a name for the certificate signing request and a location for the file. You can click the Browse button to create a new directory or to pick one graphically. Click Next.
10. The Request File Summary page appears. All your choices through the wizard are summarized here. Click Back to correct any information that's wrong, or click Next to create the signing request.
11. Click Finish on the acknowledgment screen.
This is what the request looks like:


You'll receive a certificate after your submission and identification information have been verified.

When you receive the certificate, run the wizard again. It will detect an existing request and will ask you to match up your CSR with the actual certificate you were provided by the authority. You'll then have the certificate installed, and communications over SSL will be enabled.
Once your certificate is installed, you can adjust the behavior of IIS when it comes to client sessions over SSL. Click the Edit button under the Secure Communications section of the Directory Security tab. The Secure Communications dialog box appears.
Picture-6 Secure Communications
First you can choose whether to require secure communications for a particular site. If you do require it, you can further secure communications by mandating 128-bit encryption of data exchanges between the client and the server. All data sent is encrypted using the web server's certificate. Under the client certificates section, you can choose whether to ignore certificates that clients present (to identify themselves to a server), to accept them without a mandate, or to require them. Depending on how security-conscious your organization is, I recommend either accepting them or requiring them. See

You also can elect to enable client certificate mapping. In this scenario, you map a client computer's certificates to actual Windows accounts; at that point you have more granular control over access to resources. Consider it almost a "grouping" of computers with their respective users, all configured to share one certificate. Click the Edit button to define these mappings. This will open the Account Mappings screen, shown in Picture-7.
Picture-7 Account Mappings
You can define two types of mappings: a one-to-one mapping, which maps one certificate to one Windows account, or a many-to-one mapping, in which you match individual criteria of a client certificate to map it to a Windows account shared by a group of users. You could, for example, identify the division field of client certificates and log users in to a specific account according to their individual divisions. Each tab of the Account Mappings screen handles one of these types of mappings.

To create one-to-one mappings, IIS needs a text (ASCII) copy of the user's client certificate. IIS compares this copy of the certificate it has on file with the copy presented by the client during the initial HTTP request. The two must be absolutely identical; they cannot differ in any way for the mapping to be successful. Certificates that are reissued to the client, even if they contain exactly the same information, must be remapped in IIS.
Click the Add button to create a new mapping. You'll need to locate a copy of the client certificate, and select a Windows user account to which to map the certificate. You can then edit an existing mapping by clicking the Edit button, or delete a mapping by clicking Remove.

A many-to-one mapping is a little different. As I explained previously, many-to-one mapping employs sets of rules that match certain criteria within a client certificate, such as issuer or subject. With a many-to-one mapping, IIS doesn't actually compare any certificates. You don't even have to have a certificate on file for each client, which means exporting certificates is hassle-free. Instead, IIS simply accepts any certificate meeting a rule. New or reissued client certificates, as long as they still contain enough information to match an existing map rule, will still work. Of course, this method is a bit less secure, because the extra step of certificate comparison that is present in one-to-one mapping isn't built into the many-to-one mapping process.
Click the Add button to create a new many-to-one mapping. You can adjust the priority of existing rules using the Move Up and Move Down boxes. IIS will process rules in the order listed until a match is found; at that point, it will stop processing. If two rules conflict, the rule with the higher priority will be processed and the other will simply be ignored. Click OK when you're finished defining mappings and their priority.
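To make the difference between the two mapping modes concrete, here is an added Python model of the matching rules described above for one-to-one and many-to-one mapping. It is not IIS code and the certificates, account names and rules are constructed for illustration; the `pem` string stands in for the ASCII copy of the certificate that one-to-one mapping compares.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ClientCert:
    """What IIS sees after the handshake. `pem` is a constructed stand-in for
    the ASCII copy that one-to-one mapping compares byte for byte."""
    subject: dict
    issuer: dict
    pem: str

@dataclass
class Rule:
    """One many-to-one rule: criteria map (field source, field name) -> value."""
    account: str
    criteria: dict
    enabled: bool = True

def one_to_one(cert: ClientCert, on_file: dict) -> Optional[str]:
    """Exact copy on file -> account. A reissued certificate, even with the
    same subject, has a different encoding and therefore does not match."""
    return on_file.get(cert.pem)

def many_to_one(cert: ClientCert, rules: list) -> Optional[str]:
    """Rules are tried in priority order; the first rule whose criteria all
    match wins and processing stops. No certificate copy is compared."""
    fields = {"subject": cert.subject, "issuer": cert.issuer}
    for rule in rules:
        if rule.enabled and all(fields[src].get(name) == value
                                for (src, name), value in rule.criteria.items()):
            return rule.account
    return None

# Constructed sample data (not real certificates or accounts).
ALICE = ClientCert({"CN": "alice", "OU": "Finance", "O": "Example Corp"},
                   {"CN": "Example Corp Issuing CA"}, "PEM-alice-v1")
ALICE_REISSUED = ClientCert(ALICE.subject, ALICE.issuer, "PEM-alice-v2")
OUTSIDER = ClientCert({"CN": "mallory", "OU": "Finance", "O": "Other Ltd"},
                      {"CN": "Some Other CA"}, "PEM-mallory")

ON_FILE = {"PEM-alice-v1": r"CORP\alice"}

# Priority order matters: the Finance rule sits above the broader issuer rule.
LOOSE_RULES = [Rule(r"CORP\finance_web", {("subject", "OU"): "Finance"}),
               Rule(r"CORP\web_guest", {("issuer", "CN"): "Example Corp Issuing CA"})]
# Same rules, but the Finance rule also pins the issuer, so a certificate
# from an unrelated CA with a matching OU no longer maps to the account.
PINNED_RULES = [Rule(r"CORP\finance_web", {("subject", "OU"): "Finance",
                                           ("issuer", "CN"): "Example Corp Issuing CA"}),
                Rule(r"CORP\web_guest", {("issuer", "CN"): "Example Corp Issuing CA"})]
```

Running the three sample certificates through both rule sets shows the reissued certificate failing one-to-one but passing many-to-one, and the outsider certificate mapping to the Finance account under the loose rules until the issuer is added as a criterion.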