Re: Newbie Security Question
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 1 Dec 2006 19:17:19 -0600
There is a tool called selfssl that comes with the IIS 6 Resource Kit (free
download) that is handy for creating a quickie self-signed SSL cert and
installing it in the default web server all in one go. You might want to
experiment with that to get started if you don't have another easy source of
certs. You'll quickly discover that self-signed certs are a pain to manage when
you need to get other machines to trust them. :) Still, it is handy.
To create a quickie self-signed client cert, you'd need to use makecert.exe
and it is a little more effort.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Chris" <nospam@xxxxxxxxxx> wrote in message
news:Ot4QIYaFHHA.3976@xxxxxxxxxxxxxxxxxxxxxxx
Thanks very much I'll have a go. Regards.
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uuQWm$ZFHHA.1804@xxxxxxxxxxxxxxxxxxxxxxx
I actually don't know of any good books for doing IIS admin as I've never
read one, but it is pretty easy to figure this stuff out.
First, you need to configure the website itself with your SSL cert. That
is done by bringing up the properties for the web site and clicking the
server certificate button. Follow the wizard to request a new cert or
use one you already installed.
Then, once you create a virtual directory under the website, you can go
into the directory security tab and click "edit" under the secure
communications section and then change the options to "require secure
channel" and then change the radio button to "require client
certificate".
HTH,
Joe K.
"Chris" <nospam@xxxxxxxxxx> wrote in message
news:%23kP8YQZFHHA.928@xxxxxxxxxxxxxxxxxxxxxxx
Do you know of any good books or websites that will talk you through the
basics of securing the Virtual Directory as I am new to this? I want to
go down the virtual directory route as we host servers on different sites so
Windows authentication mightn't work, not with our network, I don't
think. Particularly, what are the general steps to changing SSL policy at
a virtual directory level? Regards.
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uKjVojYFHHA.1280@xxxxxxxxxxxxxxxxxxxxxxx
You can change the SSL policy to use SSL and require a client
certificate at the virtual directory level, so that should work.
Regarding certs, basically you can use whatever you can get both the
servers and clients to trust, so if you can put the appropriate root
CAs in each of the machine's trusted roots store, you'll be ok. The
commercial CA is the easiest way to do this and is the only really
viable approach for use with the general public, but you have more
flexibility than that.
Depending on your needs, you might also just use Windows authentication
on those directories. Client certificates can be a bit of a pain from
a deployment standpoint.
Joe K.
"Chris" <nospam@xxxxxxxxxx> wrote in message
news:%23susH4XFHHA.2464@xxxxxxxxxxxxxxxxxxxxxxx
I want to lock down three or four pages of an otherwise publicly
accessible web app. You have to log in, but providing you have the right
username and password you have access. These 3 or 4 pages should only
be accessed from certain webservers and of course the hosting server. I
was thinking of using client certificates but I don't want to make the
whole site require them, just the one directory. Can I make a virtual
directory or a subdomain require a client certificate for access?
Preferably a virtual directory. Also, do I have to buy a certificate
from a CA? I read somewhere you can create your own internal ones as
these machines are all hosted by us. Regards.
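
An added example, not part of the original thread: a small audit that checks the "require secure channel" / "require client certificate" settings described above are in force only on the intended virtual directory. It assumes the numeric AccessSSLFlags metabase values have already been read per path and that the property is inherited by child paths; the paths and sample values are constructed.

```python
# Added example: audit effective IIS AccessSSLFlags per metabase path.
# Bit values of the IIS metabase AccessSSLFlags property.
ACCESS_SSL = 0x08                 # "Require secure channel (SSL)"
ACCESS_SSL_NEGOTIATE_CERT = 0x20  # server asks the client for a certificate
ACCESS_SSL_REQUIRE_CERT = 0x40    # "Require client certificates"
REQUIRE_CLIENT_CERT = ACCESS_SSL | ACCESS_SSL_NEGOTIATE_CERT | ACCESS_SSL_REQUIRE_CERT

def effective_flags(path, explicit):
    """Return the flags in force at `path`: its own value, else the nearest
    ancestor's (assumption: AccessSSLFlags is inherited down the tree)."""
    parts = path.strip("/").lower().split("/")
    while parts:
        key = "/".join(parts)
        if key in explicit:
            return explicit[key]
        parts.pop()
    return 0  # nothing set anywhere above: no SSL requirement

def audit(explicit, protected, public):
    """Check that protected paths demand a client cert and public ones do not."""
    explicit = {k.strip("/").lower(): v for k, v in explicit.items()}
    findings = []
    for path in protected:
        missing = REQUIRE_CLIENT_CERT & ~effective_flags(path, explicit)
        if missing:
            findings.append((path, "client certificate not enforced "
                                   "(missing bits 0x%02x)" % missing))
    for path in public:
        if effective_flags(path, explicit) & ACCESS_SSL_REQUIRE_CERT:
            findings.append((path, "public path requires a client certificate"))
    return findings

# Constructed sample values (hypothetical paths, not from a real server).
SAMPLE = {
    "w3svc/1/root": 0,                          # public site
    "w3svc/1/root/admin": 0x08 | 0x20 | 0x40,   # locked-down virtual directory
    "w3svc/1/root/reports": 0x08,               # SSL only, client cert forgotten
}

if __name__ == "__main__":
    for path, problem in audit(
        SAMPLE,
        protected=["w3svc/1/root/admin", "w3svc/1/root/admin/sub",
                   "w3svc/1/root/reports"],
        public=["w3svc/1/root", "w3svc/1/root/app"],
    ):
        print(path, "->", problem)
```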