By default, web browsing is being performed by use of the HTTP protocol, i.e. a connection between the client computer (using a web browser) to the web server (using IIS, Apache or any other sort of web server program). HTTP relies on TCP (Transmition Control Protocol) and uses port 80 on the listening server.
The main security issue with HTTP is the fact that all the traffic between the client and the server is done as clear text, meaning that anyone could potentially "listen" to your talk and grab frames and valuable information from the net.
To secure the transmission of information between your web server running IIS 6.0 on Windows Server 2003 and your browser clients, you can encrypt the information being transmitted by using SSL (Secure Sockets Layer).
Note: The procedure for applying SSL on IIS 5.0 (on Windows 2000) and IIS 5.1 (on Windows XP) is quite the same.
In order to successfully use SSL you need to obtain a Server Certificate. In this article I will only focus on obtaining a certificate from a local CA or importing an already existing certificate. However, it is possible (and in many cases preferred) that you obtain the Server Certificate from a trusted 3rd party CA such as Verisign or Thawte.
Configure SSL
To configure SSL for your website on IIS 6.0 (running on Windows Server 2003) complete the following steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites.
- In the console tree, right-click Default Web Site, and then click Properties.
- In the Default Web Site Properties dialog box, click Directory Security.
- On the Directory Security tab, click Server Certificate.
- In the Welcome to the Web Server Certificate Wizard, on the Welcome page, click Next.
On the Server Certificate page, verify that Create a new certificate is selected, and then click Next.
Note: You can also import an already existing certificate. Do do so follow these steps:
- Click Import a certificate from a .pfx file. Click Next.
- In the Import Certificate path enter the path to where you've stored your existing certificate. Click Next.
- Enter the password configured for the .pfx file. Click Next.
- Go to step #13.
8. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
Note: If you don't have a Certificate Authority (CA) installed on your server or on a different server on the network you can prepare the request but you'll need to manually send it to the CA.
9.On the Name and Security Settings page, in the Name box, type yourservername.domainname.com (or .net, .org, .mil etc. Use your own registered domain name, the one you want people to use when browsing to your site) and then click Next.
Note: You will need a different certificate for each website you'll run on this server, so make sure you provide the exact server URL.
Important note - Internet use: You must make sure that either the Name or the Common Name fields (one of them or both of them) exactly match the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that will require users to enter WWW.KUKU.CO.IL to reach it, you must then use WWW.KUKU.CO.IL as the Name or Common Name in the certificate request wizard, and DO NOT use SERVER1.MYINTERNALDOM.LOCAL.
Important note - Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server, or even just it's NetBIOS name. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name or the Common Name fields.
You can also change the Bit Length for the encryption key if you want.
10.On the Organization Information page, in the Organization box, type your own company name. In the Organizational Unit box, type a descriptive name and then click Next.
11.On the Your Sites Common Name page, in the Common name box, type yourservername.domainname.com (see important note in step #9) and then click Next.
12.On the Geographical Information page, in the State/province box, type the required info and then click Next.
13.On the SSL Port page, in the SSL port this web site should use box, verify that 443 is specified, and then click Next.
Note: SSL can only listen once on port 443, requiring you to either select a different SSL port for each SSL protected website you're about to host on the server, or, even better, use a different static IP for each site, and share port 443 amongst them.
14.On the Choose a Certification Authority page, in the Certification Authorities box, verify that your online CA is selected, and then click Next.
15.On the Certificate Request Submission page, click Next to submit the request, and then click Finish to complete the wizard.
No comments:
Post a Comment