3. Auditing Web Services
Windows Server 2012 auditing can be applied to web and FTP sites to document attempts (successful and unsuccessful) to log on, gain unauthorized access to service accounts, modify or delete files, and execute restricted commands. These events can be viewed through Event Viewer. It’s also important to monitor IIS logs in conjunction with audited events to determine how, when, and if external users are trying to gain unauthorized access.
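As an added example (not from the book), the following PowerShell parses IIS W3C log lines, groups the 401 (unauthorized) and 403 (forbidden) responses by client address, and flags sources above a threshold; the log lines are constructed sample data, and the final comment shows how the same window would be pulled from the audited logon-failure events on a live server.

```powershell
# Added example: summarise denied requests in an IIS W3C log (constructed sample lines below).
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-05-01 10:00:01 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5 15
2013-05-01 10:00:02 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5 12
2013-05-01 10:00:03 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5 11
2013-05-01 10:00:04 10.0.0.5 GET /ftpsite/ - 443 - 198.51.100.9 curl/7.30 403 4 5 8
2013-05-01 10:00:05 10.0.0.5 GET /index.htm - 443 - 192.0.2.20 Mozilla/5.0 200 0 0 9
'@ -split "`r?`n"

function Get-IisDeniedRequests {
    param([string[]]$Lines, [int]$Threshold = 3)
    $fields = $null
    $records = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {            # the W3C header names the columns in use
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'              # IIS writes '+' for spaces, so fields never contain blanks
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
    # 401 = authentication failed, 403 = access denied by an ACL, IP restriction or SSL rule
    $records | Where-Object { $_.'sc-status' -in '401', '403' } |
        Group-Object 'c-ip' |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $first = $_.Group | Select-Object -First 1
            [pscustomobject]@{
                ClientIP  = $_.Name
                Denials   = $_.Count
                FirstSeen = "$($first.date) $($first.time)"
                Paths     = ($_.Group.'cs-uri-stem' | Sort-Object -Unique) -join ','
            }
        }
}

Get-IisDeniedRequests -Lines $sampleLog -Threshold 3 | Format-Table -AutoSize

# On a live server, pull the audited logon failures (Security event 4625) for the same window
# and compare the source addresses with the output above:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1)}
```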
4. Using SSL Certificates
Secure Sockets Layer (SSL) encryption preserves user and content integrity and confidentiality so that communications between a client and the web server, containing sensitive data such as passwords or credit card information, are protected. SSL is based on the public key infrastructure (PKI, X.509) security standards that protect communication by encrypting data before it is transmitted.
Earlier versions of IIS supported SSL, and IIS 8 is no different. IIS 8, however, introduces significant improvements to the use of SSL for securing websites, especially when it comes to scalability.
The use of certificates with IIS can serve three primary purposes, although they are typically used to encrypt connections:
• SSL server authentication—This allows a client to validate a server’s identity. SSL-enabled client software can use a PKI to check whether a server’s certificate is valid and has been issued by a trusted certificate authority (CA).
• Client authentication—This allows a server to validate a client’s identity. IIS can validate that a client’s certificate is valid as well as check whether the certificate is from a trusted CA.
• Encrypting SSL connections—The most common reason for deploying certificates is SSL-based encryption of all traffic for a given website or virtual directory. This provides a high degree of confidentiality and security.
From an IIS perspective, SSL can be applied to an entire website, directories, or specific files within the website. SSL configuration can be done through IIS Manager.
The high-level steps for using certificates and SSL consist of the following: The first step is to obtain a certificate. The second step is to create an HTTPS binding for a specific site that needs to be encrypted. The final step is to configure SSL settings for a site, application, or physical directory.
To use SSL on a website, a certificate must first be requested and then installed. The request can be created to obtain a certificate either from an external, trusted CA or from an internal PKI. The types of server requests available in Internet Information Services include the following:
• Create certificate request—This option is typically used for creating a certificate request, which will be submitted to a trusted CA. The certificate’s distinguished name properties, cryptographic service provider, and bit-length information are entered into a file and then submitted to a public CA for approval.
Tip
When creating the certificate request to a public CA, it is recommended to use 2048 (the default) or higher as the bit length. Keep in mind that higher bit lengths enforce stronger security; however, a greater length can decrease performance.
• Create domain certificate request—A domain certificate request is used when providing a request to an internal certificate authority. Typically, the internal certificate authority would be an enterprise certificate authority associated with the company’s Active Directory domain. This approach reduces the cost of purchasing third-party certificates and also simplifies the certificate deployment.
• Create Self-Signed Certificate Request—The final option available when creating a certificate request is to use a self-signed certificate. This method is usually only used for maintaining certificates for a testing environment because the certificates are not from a trusted CA.
This example illustrates the procedures to create a domain-based certificate request. To complete this task, this example requires an internal CA running within your domain.
To create a domain-based certificate request, follow these steps:
1. Launch IIS Manager.
2. In the Connections pane, highlight the IIS server that will request an Internet Server Certificate.
3. In the Feature view, double-click the Server Certificates element.
4. In the Actions pane, select Create Domain Certificate Request.
5. On the Distinguished Name Properties page, specify the required information for the certificate, as displayed in Figure 2. The common name is typically the fully qualified domain name (FQDN) of the URL users will use to connect to the website (for example, www.companyabc.com). Click Next to continue.
Figure 2. Creating a domain-based certificate request.
6. Because this is a domain-based certificate request, the next page presented is the Online Certificate Authority. Specify the online certificate authority that will accept the request by selecting the CA from a list. In addition, a friendly name is also required. Click Finish to finalize the request.
When this process has been completed, either the administrator of the CA must approve the request or it can be automatically approved based on the auto-enrollment feature of the domain-based CA. The CA in this example automatically fulfilled the request; therefore, the certificate resides on the Server Certificates page and can be viewed by selecting it and clicking View Task in the Actions pane. If auto-enrollment is not available, the certificate is installed after an administrator approves the request on the CA.
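The scripted counterpart of the domain-based request above, as an added example (not from the book): the PKI module’s Get-Certificate cmdlet submits the request to the enterprise CA through Active Directory, and the script handles both outcomes the text describes, auto-enrollment (Issued) and administrator approval (Pending). The template name WebServer and the host name www.companyabc.com are placeholders for your environment.

```powershell
# Added example: request a web server certificate from the domain's enterprise CA.
# Template name and host name are placeholders; run on the IIS server as an administrator.
Import-Module PKI

$hostName = 'www.companyabc.com'
$result = Get-Certificate -Template 'WebServer' `
                          -SubjectName "CN=$hostName" `
                          -DnsName $hostName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

switch ($result.Status) {
    'Issued' {
        # Auto-enrollment was permitted: the certificate is already in the machine store
        # and will appear on the Server Certificates page in IIS Manager.
        $cert = $result.Certificate
        "Issued: {0}  thumbprint {1}  expires {2:d}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
        # Check the key length against the 2048-bit recommendation in the Tip above.
        if ($cert.PublicKey.Key.KeySize -lt 2048) {
            Write-Warning "Key is only $($cert.PublicKey.Key.KeySize) bits; request again with a 2048-bit or longer key"
        }
    }
    'Pending' {
        # The CA administrator must approve the request; the pending request sits in
        # Cert:\LocalMachine\REQUEST and can be completed later with:
        #   Get-Certificate -Request $result.Request -CertStoreLocation 'Cert:\LocalMachine\My'
        "Request is pending approval on the CA"
    }
    default { Write-Warning "Enrollment ended with status '$($result.Status)'" }
}
```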
Once the certificate is installed, the next step in the process is to bind the Internet server certificate for the desired website and enable SSL. To do this, follow these steps:
1. Open IIS Manager and select the website for which the certificate will be used.
2. In the Actions Pane, select Bindings to launch the Site Bindings configuration page.
3. In the Site Bindings dialog box, click Add.
4. In the Add Site Binding dialog box, select the HTTPS option from the Type drop-down menu, assign an IP address, and verify the port is 443, as shown in Figure 3.
Figure 3. Adding SSL site binding.
5. Select a certificate, such as the one that was created in the preceding section. You can view the certificate selected by clicking the View button. Click OK to return to the Site Bindings dialog box.
6. Click Close in the Site Bindings dialog box to finalize the binding process.
The final process when configuring a site to utilize SSL is to configure the SSL settings for the site, application, physical directory, or virtual directory. To configure SSL settings on the default website, follow these steps:
1. In IIS Manager, navigate to the Default Web Site.
2. Double-click the SSL Settings icon in Features view.
3. On the SSL Settings page, enable the Require SSL option. Alternatively, select the Require 128-bit SSL option to force 128-bit encryption.
4. The final setting is to configure whether to accept, ignore, or require client certificates. Choose the appropriate Client Certificates option, and click Apply in the Actions pane to save the changes, as shown in Figure 4.
Figure 4. Configuring properties on the SSL Settings feature page.
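The two IIS Manager procedures above (adding the HTTPS binding, then configuring SSL Settings) done with the WebAdministration module, as an added example that is not part of the book. It assumes IIS 8 with the module installed and a certificate for the placeholder host name www.companyabc.com already in the machine store; the sslFlags values map directly to the Require SSL, Require 128-bit SSL, and Client Certificates options on the SSL Settings page.

```powershell
# Added example: bind a certificate on port 443 and require SSL for a site.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$hostName = 'www.companyabc.com'   # placeholder

# Pick the newest unexpired certificate issued for the host name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $hostName in Cert:\LocalMachine\My" }

# Site Bindings > Add > Type HTTPS, all IP addresses, port 443
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
# "Select a certificate": attach the certificate to the 0.0.0.0:443 listener
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# SSL Settings page. sslFlags is a comma-separated set of:
#   Ssl               Require SSL
#   Ssl128            Require 128-bit SSL
#   SslNegotiateCert  Client Certificates: Accept
#   SslRequireCert    Client Certificates: Require
# Leaving out both SslNegotiateCert and SslRequireCert corresponds to "Ignore".
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,Ssl128'

# Verify: the listener carries the expected thumbprint and SSL is now required
$bound = Get-Item $sslPath
if ($bound.Thumbprint -ne $cert.Thumbprint) { throw 'Binding does not use the selected certificate' }
"Binding thumbprint: $($bound.Thumbprint)"
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```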