Help Please with a step by step keystroke by keystroke (or Mouse) illustration on how to setup a standalone root CA for SSL server authentication with SQL 2000 on server 2000 pro for .NET applications.

From: . (nospam_at_nottoday.com)
Date: 06/10/03


Date: Tue, 10 Jun 2003 02:01:56 -0400


Tuesday June 10, 2003, and I need help.
I've been seriously beating my head on this for weeks and I could really use
another brain wrapped around this default simple typical use of SSL to
secure the Network layer between an IIS webserver and a windows SQL 2000
server. See the Relevant details below.
I've read and understood all the available documentation regarding this from the
web. I don't mean to be harsh, but the writers of most of the content on this
topic just don't sit down with their own white papers and apply what they're
writing to real machines before the whitepaper goes golden out on the web
posing as complete helpful information.
After several surveys I have found the following machine configuration to be
the most typical for the average developer wanting to push .Net SQL driven
applications to fortune 100 companies.
This is NOT how the companies would deploy SSL, most companies wouldn't
deploy SSL for SQL transactions unless they have CISSP on staff, and if they
did it would involve a domain server, VeriSign or Thawte paid certificate.
Most developers would however use the below configurations on their Home
systems, do it at home before they risked embarrassment by pushing a
pathetically documented procedure into their company production windows
2000 server pro boxes and business processes.

So, please no ambiguous instructions like install the certificate while
logged into the server account installing into the magic xyz trusted Key
repository.
Please be specific or don't reply. Assume the intended reader has a near
perfect and complete understanding of how networking works, security, and
applications programming.

I think the best help will be if someone would assume a few
details(documented below) and give a near keystroke by keystroke rendition
of how to set it up and achieve the stated objectives(documented below)

I sincerely thank you in advance, as will my neglected wife, dog and 3
children, and 2 goldfish.

If your instructions result in achieving the objectives on my systems I'll
probably send you a considerable cash US donation. :)

If you see a problem in something below or have a question about something
below that you think may be part of the problem I will be paying close
attention to this thread daily.

Network
Imagine, we have two machines wired into a linksys BEFSR41 router/firewall.
There is NO public access through the router at this time to either machine
behind the linksys router. The router's host name and domain name are blank
as there is no public access and they're not needed by the ISP.
No machine in the network is a domain server; active directory services are
not installed anywhere.
There is no DHCP, DNS or WINS server on the LAN side of the Linksys router.
Both machines are fully patched from MS windows updates.
SQL SP3a has been applied to BOTH machines.

Machine 1
services
   Machine 1 has a typical SQL server 2000 installed on windows 2000 server
pro.
   The accounts properly logon and start their services when (server and or
client network utility force protocol encryption is NOT checked)
   The normal login account to machine 1 is the administrator account.
   IIS is not installed
   File sharing Print sharing are installed but un-checked/disabled in the
LAN connection.
    tcp/ip and client for MS networks are enabled.
   The CLR .NET framework 1.1 rev is installed.
Accounts
   The account name for the SQL Server is unprivilidged1 password fubar1
   The account name for the SQL Monitor is unprivlidged2 password fubar2
ACL's
   The everyone account is still set to the default(This can always be
broken later by using more reasonable security ACL settings.:_:P- )
Local security policies
   Additional Restrictions for Anon connections = None, Rely on default
permissions
   Lan manager authentication = Send LM & NTLM responses.
Network & FQDN
   When Machine 1's system properties network ID is reviewed it shows the
FULL computer name as dev1.private
   The machine is not joined to a domain; it is set to the default workgroup.
   The primary DNS suffix is: private
   IP address is a 172 subnet static address and DNS settings point to a
commercial internet DNS service.
SQL
   The Enabled protocols in the SQL server and client network utilities are
TCP/IP and Named Pipes.

Machine 2
Services
   IIS for and from the server 2000 pro default configuration (patched of
course.)
   Only IIS web server is installed.
ACL's
   The Everyone account has been set to no access basically, Application
specific ACL's exist to make things work right securely
Local security policies
   Additional Restrictions for Anon connections = None, Rely on default
permissions
   Lan manager authentication = Send LM & NTLM responses.
Network & FQDN
   When Machine 2's system properties network ID is reviewed it shows the
FULL computer name as dev2.private
   The machine is not joined to a domain; it is set to the default workgroup.
   The primary DNS suffix is: private
   IP address is a 172 subnet static address and DNS settings point to a
commercial internet DNS service.
SQL
   Only the SQL enterprise manager from server 2000 is installed. The
Enterprise manager has been patched to SP3a
   The Enabled protocols in the SQL client network utility are TCP/IP and
Named Pipes
   Note: SQL server is NOT installed to this box, only the client.
Root standalone CA
  web interface installed
  cafixweb has been run to fix the downloading activeX control bug.
Requesting certs always works after the cafixweb.exe is run once after
installation.
  Please give a complete account of the standalone CA installation as this
may be partly where the problem is.
Misc programs to worry about after below objectives are complete
   Microsoft Visual Studio .NET developer environment.

Proof of concept Objectives.
1) when (server and or client network utility force protocol encryption is
checked), the server can be stopped and started without error.
2) The Enterprise SQL manager can connect to the SQL server on the same
machine its running on.
3) The Enterprise SQL manager on Machine 2 can connect to the SQL server on
machine 1 (and because (server and or client network utility force protocol
encryption is checked) we assume the connection will be SSL secure).
4) After Objectives 1, 2 and 3 are satisfied, that code example that is
downloadable that makes a programmatic SSL connection from client to server
will also work.
5) Netmon shows SSL traffic.
6) Checking the IE browser certificates shows expected certificates in
proper places for the login accounts used to check them.
7) Using the MMC snap in for certificates shows expected certificates in
proper places for the login accounts used to check them.
to do later.
8) develop .net ASP services, web pages and expose limited port access to
machine #2
     Machine 2 will talk through a packet filter router firewall to Machine
#1 to access the SQL server.
    No one external will ever access the SQL server.
After objectives 1 through 7 are complete, the machines(both) security will
be tightened up tighter than a duck's ***, which we all know is water tight.
:)
Hids, Nids, Decoy server, Manhunt, Cisco works 2k, pix firewalls, snort,
local software firewalls, harsh policy settings and ACL's, good response
policies, an incident response team, more use of unprivileged accts,
removing filters, honeyd sample apps, anon access, more 2nd gen honeypots
and medium interaction managed production honeypots

And Thanks in advance!!!
Signed
Semi-Anonymous ISSP