Newbie Security Question

Chris wrote:

I want to lock down three or four pages of an otherwise publicly accessible web app. You have to log in but providing you have the right username and password you have access. These 3 or 4 pages should only be accessed from certain webservers and of course the hosting server. I was thinking of using client certificates but I don't want to make the whole site require them, just the one directory. Can I make a virtual directory or a subdomain require a client certificate for access? Preferably a virtual directory. Also do I have to buy a certificate from a CA? I read somewhere you can create your own internal ones as these machines are all hosted by us. Regards.

Joe Kaplan wrote:

You can change the SSL policy to use SSL and require a client certificate at the virtual directory level, so that should work. Regarding certs, basically you can use whatever you can get both the servers and clients to trust, so if you can put the appropriate root CAs in each of the machine's trusted roots store, you'll be ok. The commercial CA is the easiest way to do this and is the only really viable approach for use with the general public, but you have more flexibility than that.

Depending on your needs, you might also just use Windows authentication on those directories. Client certificates can be a bit of a pain from a deployment standpoint.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Chris wrote:

Do you know of any good books or websites that will talk you through the basics of securing the Virtual Directory as I am new to this? I want to go down the virtual directory as we host servers on different sites so Windows authentication mightn't work, not with our network, I don't think. Particularly what are the general steps to changing SSL policy to a virtual directory level? Regards.

Joe Kaplan wrote:

I actually don't know of any good books for doing IIS admin as I've never read one, but it is pretty easy to figure this stuff out.

First, you need to configure the website itself with your SSL cert. That is done by bringing up the properties for the web site and clicking the server certificate button. Follow the wizard to request a new cert or use one you already installed.

Then, once you create a virtual directory under the website, you can go into the directory security tab and click "edit" under the secure communications section and then change the options to "require secure channel" and then change the radio button to "require client certificate".

HTH,

Joe K.

Chris wrote:

Thanks very much I'll have a go. Regards.

Joe Kaplan wrote:

There is a tool called selfssl that comes with the IIS 6 Resource Kit (free download) that is handy for creating a quicky self-signed SSL cert and installing it in the default web server all in one go. You might want to experiment with that to get started if you don't have another easy source of certs. You'll quickly discover that self-signed certs are a pain to manage when you need to get other machines to trust them. :) Still, it is handy. To create a quicky self-signed client cert, you'd need to make makecert.exe and it is a little more effort.

Joe K.
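
The setup discussed in this thread, sketched in PowerShell for a current Windows Server with IIS 7 or later (an added example, not code from any poster): an internal root CA, a client certificate for one calling server, and the client-certificate requirement applied to a single virtual directory. It uses New-SelfSignedCertificate in place of selfssl/makecert and the WebAdministration module in place of the IIS 6 dialog. The site name, virtual directory name, certificate subjects and file paths are assumptions, and the site is assumed to already have an HTTPS binding with a server certificate.

```powershell
#Requires -RunAsAdministrator
# Added example. Site, directory, subject names and paths below are assumptions.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumed site, already bound to HTTPS with a server cert
$vdir = 'secure'             # assumed virtual directory holding the restricted pages

# 1. Internal root CA. Its private key stays on this machine.
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Example Internal Root CA' `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -KeyLength 4096 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Publish only the public certificate and trust it on the IIS server.
#    Repeat the import on every machine that must trust certs from this CA.
$rootCer = Join-Path $env:TEMP 'example-internal-root.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Client certificate for one calling web server, signed by the root and
#    limited to the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -Subject 'CN=caller-web01.example.internal' `
    -Signer $root -KeyUsage DigitalSignature `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Move it (with its private key) to the calling server as a password-protected PFX.
$pfxPassword = Read-Host -AsSecureString 'Password for the client PFX'
Export-PfxCertificate -Cert $client -FilePath (Join-Path $env:TEMP 'caller-web01.pfx') `
    -Password $pfxPassword | Out-Null

# 4. Require SSL and a client certificate on the virtual directory only;
#    the rest of the site keeps its existing settings.
$access = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = "$site/$vdir"
    Filter   = 'system.webServer/security/access'
    Name     = 'sslFlags'
}
Set-WebConfigurationProperty @access -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 5. Confirm the effective setting for that path.
Get-WebConfigurationProperty @access
```

Requiring a client certificate only establishes that the caller holds a certificate chaining to a root the server trusts; limiting access to specific machines additionally needs client certificate mapping or a check on the presented certificate in the application.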