Assuming that your Web server is a member of a domain and that all users have accounts in AD, users who access your Web site need only the Access this computer from the network privilege. Rather than grant the privilege to individual user accounts, you can create a group, grant the group this privilege, and make all Web site users members of the group. For Basic authentication to work correctly for user or group accounts with this privilege, you need to set the LogonMethod property in the IIS metabase. The default property setting directs IIS to attempt an interactive logon; the new setting directs IIS to attempt a network logon. Simply create a file called setauth.vbs that contains the code that Listing 1 shows (replacing webserver with the name of your Web server), then type
cscript setauth.vbs
at a command prompt.
If you use Basic authentication to authenticate your users, you should install a server certificate to enable SSL. Without SSL to encrypt communications between browsers and your Web site, users' credentials are vulnerable to packet sniffers and monitoring software. If you use client certificates to authenticate users, you must obtain a server certificate because it's used during the authentication process. You can obtain a server certificate from a Certification Authority (CA) such as VeriSign or Thawte or from your own CA, if you have one in your organization. For information about using Microsoft Certificate Services to set up a CA, see "Securing Win2K with Certificate Services," September 2001, InstantDoc ID 22113.
To obtain a server certificate, open the Microsoft Management Console (MMC) Internet Information Services snap-in. Right-click the Web site for which you want to request a certificate, and select Properties. In the Properties dialog box, click the Directory Security tab, click Server Certificate to start the IIS Certificate Wizard, and click Next on the opening page of the wizard. Ensure that the Create a new certificate option is selected, and click Next. Decide whether to prepare the certificate request now and send it later or send the request immediately to a CA on your network, then click Next. In the wizard's Name and Security Settings dialog box, which Figure 3 shows, enter a name for the certificate and the size of the key to use to encrypt communications. When you select a key size, remember that the longer the key, the more secure communications will be but the longer each encryption and decryption will take. Click Next.
At the next wizard screen, enter the name of the IIS server. If the server is on the Internet, you should enter the Fully Qualified Domain Name (FQDN). If the server is an intranet server, you can enter its NetBIOS name. When users use SSL to connect to your site, their browsers will check the name of the server in the URL that the user typed against the name of the server in the certificate. If the names don't match, the browsers will typically display a warning.
If you chose to send the certificate request immediately, you'll see a list of CAs on your network. Select the most appropriate one. If the request is successful, the wizard automatically installs the certificate. If you chose to create a certificate request to submit at a later date, the wizard prompts you for the name of the file to which it should save the request. After you submit your request and receive your certificate, you can use the IIS Certificate Wizard to install it.
Installing a certificate on a Web site doesn't automatically make the site secure or protect user credentials exchanged using Basic authentication. When you use Basic authentication, all communication between the user's browser and the Web site should take place over an SSL connection. Many Web developers use HTTP over Secure Sockets Layer (HTTPS) for connections over which the user will be authenticated or will access restricted content, but the developers make the mistake of reverting to plain HTTP for subsequent connections. This practice is dangerous because the browser continues to send the user's credentials with every page request the user makes until the session ends or until the Web site requires the user to authenticate with different credentials. A quick step that administrators can take to ensure that SSL is always employed on their Web sites is to select the Require secure channel (SSL) check box in the Secure Communications dialog box, as Figure 4 shows. However, if you select this option, users will be able to connect to your Web site only if they type the https:// prefix in the URL.
Using Client Certificate Mapping
Rather than requiring users to enter usernames and passwords to authenticate each time they access restricted content, you can use client certificates to supply authentication information. Many users might already have certificates for securing email, and you can often use these certificates to authenticate users to Web servers. A CA in your organization needn't have issued these certificates; you can map certificates that other CAs have issued to user accounts.
To enable IIS to accept client certificates, open a Web site's Properties dialog box and click the Directory Security tab. In the Secure communications section, click Edit. In the Secure Communications dialog box, select Require secure channel (SSL) as mentioned earlier, Require client certificates, Enable client certificate mapping, and Enable certificate trust list. You can also opt to require 128-bit SSL encryption. Use the New and Edit buttons under the Current CTL drop-down list (CTL stands for certificate trust list) to add a copy of the certificate for each CA that issues certificates to your Web site users. Because you must map certificates to user accounts before those certificates can be used for authentication, trusting a CA doesn't mean that every user with a certificate from that CA can log on to your system.
Register
jeaster July 13, 2004 (Article Rating: