Re: IIS "secure communications" and "certificate" sections disabled.

From: Nicole Calinoiu (calinoiu)
Date: 03/24/05


Date: Thu, 24 Mar 2005 09:51:16 -0500


"GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
news:9DDDB619-71FB-4793-A582-8EF48217255B@microsoft.com...
> Thanks! I got it. (Though the link for the list of authorities to issue
> certificates doesn't really work for the last step.)
>
> Anyway, about the web service authentication, here're the 3 ways I can
> think of:
> 1. Use IIS IP restriction. Only allows certain IP to access service.

There are a few problems with this one:

a. The message won't be encrypted, so any sensitive data will potentially
be exposed to eavesdroppers.
b. IP addresses can be spoofed.
c. Clients with dynamic IP addresses won't be able to connect (unless you
remap to their new addresses, which adds a potential attack point).

> 2. Use Certificate. This involves a fee to get the certificate for server
> and client.

Not necessarily. For the server, a commercial certificate would probably be
a good idea, but you could use a self-issued certificate if you're dead set
against paying for one. Of course, convincing your client to trust your
self-issued certificate would be a whole other story...

It isn't necessary to use client certificates for authentication just
because you're using a server certificate for other purposes (e.g.: SSL).
If you do want to use client certificates for authentication, you could
issue them yourself. After all, you're the only one who needs to trust
them.

As a bit of a side note, regardless of what other mechanisms you may select
for encryption and/or authentication, applying a server certificate and
enforcing the use of HTTPS when calling your web service over the internet
would be a good way to enhance the security of the system reasonably cheaply
(both in terms of time and money).

> 3. Use WSE 2.0, the web service enhancement toolkit. This can only be used when
> server and client are both using .NET Framework 1.1; both have to install
> the toolkit.

Not true. WSE renders web service messages that are supposed to be
compliant with the WS-* standards. Depending on the tools available to your
clients, they may find supporting these standards to be somewhat more or
less difficult than it is via WSE. You should probably discuss this with
them.

> Am I understanding it right? What're the pros and cons of the approaches?
> And... are there any other ways?

Yes. There are quite a few possible combinations of authentication and
encryption schemes. Your best bet may be to take a look at
http://msdn.microsoft.com/webservices/building/interop/ in order to target
your research at the scenario you need to support.

> I am now writing my service in .NET, and my intended client is using Java
> on Unix.
>
> Thanks a lot!
>
>
> "GoCMS" wrote:
>
>> Hi, there:
>> This might be a newbie question. I want my web service to require a
>> certificate to access, so I go to IIS, my virtual directory property, and
>> the Directory Security page. I found the "secure communication" section
>> and the "Server certificate" button are both greyed out. I wonder why
>> that is. I'm an admin user of the computer. Did I miss some OS component
>> or something?
>>
>>
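An added example (not part of the thread above) of the server-side half of the advice given: an ASP.NET 1.1 web service that refuses calls not made over HTTPS and accepts only client certificates issued by a CA the service operator runs. The service name, method, and the TrustedIssuer distinguished name are placeholders; IIS must be configured to accept or require client certificates on the directory for ClientCertificate to be populated.

```csharp
// Example code added to this page, not from the original post or from Microsoft.
// Guards a [WebMethod] so that (a) the call arrived over HTTPS and
// (b) the caller presented a certificate signed by our own CA.
using System;
using System.Web;
using System.Web.Services;
using System.Security.Cryptography.X509Certificates;

public class OrderService : WebService
{
    // Placeholder: distinguished name of the in-house CA that signs client certs.
    // The exact string form must match what GetIssuerName() returns for your CA.
    private const string TrustedIssuer = "CN=Example In-House CA, O=Example";

    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        RequireTrustedClient(Context.Request);
        return "status for order " + orderId;   // placeholder business logic
    }

    // Throws an HTTP 403 unless the request is on HTTPS and carries a valid
    // client certificate chained to the issuer we control.
    private static void RequireTrustedClient(HttpRequest request)
    {
        if (!request.IsSecureConnection)
            throw new HttpException(403, "HTTPS is required.");

        HttpClientCertificate cert = request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid)
            throw new HttpException(403, "A valid client certificate is required.");

        // IsValid only says the chain builds to some CA the server trusts;
        // pin the issuer so certificates from other trusted CAs are rejected.
        X509Certificate x509 = new X509Certificate(cert.Certificate);
        if (x509.GetIssuerName() != TrustedIssuer)
            throw new HttpException(403, "Certificate not issued by the service CA.");

        // cert.Subject can now be used as the authenticated caller identity.
    }
}
```

The Java client mentioned in the thread would need the server certificate (or the CA that issued it) in its truststore to complete the HTTPS handshake, which is the "convincing your client to trust your self-issued certificate" step.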