
SSL on IIS

Can someone give me an overview of SSL on IIS?  I have a pretty good understanding of how to do everything below on Linux, but I need to do this on IIS for reasons I won't bore you with.  I need the following:

1. I want to force SSL on users.  No HTTP access -- HTTPS only for this site.  Other sites on that server should be unaffected.

2. Install a certificate.  I've done this a few times on IIS, but I need to understand the details here -- can I issue a certificate myself?  Can Windows act as a certificate server?  If so, what are the issues here?  Will users get that silly warning saying the issuing body isn't trusted?  If I have to cough up the cash for a commercial certificate, I will.

3. Force timeouts.  If users are inactive for a certain period of time, I want them forced back to the login page.  

4. Enforce logins. I want any attempt to circumvent the login page by going directly to a link to land the user at the login page.

I'm pretty sure IIS can do all this, but I don't know how.  I've made this worth 500 points because there are several questions on this topic.

Thanks in advance,
Reg Natarajan


 
prueconsulting commented:
1 - Individual items have a Security tab as well. Right-click the page inside
the IIS snap-in & go to Properties. Click the Security tab, edit the cert,
and check off "only allow SSL connections". The individual settings
override the global ones.

If IIS 6.0, you can do this from a command line; this forces SSL only:
"cscript.exe adsutil.vbs set /w3svc/<site identifier>/AccessSSL TRUE"

where <site identifier> is the unique number that identifies the site.


2 - If you use self-signed certs, then when users hit the page they will be prompted about it, since it's self-signed and not a "trusted certificate vendor". As for installation of it, see this link: http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part2.html

3 & 4 - You will have to do this in your code for the pages as far as I know, and it is dependent on the language, i.e. PHP, ASP. Check for cookies etc.

 
regnatarajan (Author) commented:
On the "force SSL" tick, I knew you could force it, but I need to know how to redirect users who go to http://mysite.com to https://mysite.com.

I'm really hoping someone can respond on points 3 and 4 above.  Those are the most important to me.

Reg Natarajan



rickyclourenco commented:
Go to your naming authoritative host, and see if you can configure a redirection of a page, i.e. Network Solutions.
 
kevinf40 commented:
Hi Reg

The link below is to some blog entries detailing some ASP code snippets that should nicely provide the redirect functionality you are looking for.

http://support.jodohost.com/showthread.php?t=6678

Connection timeouts may help - these are not strictly session related but time out users after a period of inactivity:

Setting Connection Timeouts
To further conserve your server's resources, set the Connection Timeout property on the Web Site property sheet shown in Figure 2. The default is 900 seconds, which is pretty generous. Unless you're hosting an application or web site that allows for users to sit idle before continuing, there is no need to keep the connection. I recommend reducing this amount by at least half. By doing so, your server trashes any connections that have been idle longer than the specified period of time, giving back resources for connections that are active.

Further information on session handling can be found here:
http://www.ftponline.com/vsm/2005_01/magazine/columns/databasedesign/

Basically it looks like you'll need to make changes to the machine.config file, which I believe defaults to being installed here:  C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG

Obviously the path will vary depending on your .NET Framework location.

This file is very powerful and contains a lot of IIS related settings.

A lot of session management can also be done from within the code so if sessions are important it may well be worth you having a chat with your developers.

To enforce authentication you may want to look at CustomAuth; some good details about installing and configuring this DLL can be found here:
http://blogs.msdn.com/david.wang/archive/2006/01/24/HOWTO_Install_and_Use_CustomAuth_on_IIS_6.aspx

Sorry if I have created more questions than I have answered, but these aren't the easiest things to get right!

hope I've been of some help!

cheers

Kevin

 
r-k commented:
You may find this link useful for redirection:

 http://support.microsoft.com/kb/839357/en-us
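Added example (editor's, not code from the thread or from the KB article): the browser-side half of the custom-error-page pattern commonly used on IIS 6 for exactly Reg's "redirect http to https" request. Once "Require secure channel (SSL)" is set on the site, IIS answers every plain-HTTP request with a 403.4, and that error can be mapped to a static page whose only job is to carry this script, which bounces the browser to the same URL over HTTPS. The function name and the sample URLs are assumptions made for this example; it assumes HTTPS is served on 443.

```javascript
// Added example, not from the original thread. Browser-side redirect for an
// IIS 6 custom 403.4 ("SSL required") error page. Names and URLs are assumed.

// Compute the HTTPS equivalent of an http:// URL.
// Returns null when no redirect is needed (already https), so the page can
// never loop if it is ever served over HTTPS by mistake.
function toHttpsUrl(href) {
  const url = new URL(href);
  if (url.protocol === 'https:') {
    return null;
  }
  if (url.protocol !== 'http:') {
    throw new Error('not an HTTP URL: ' + href);
  }
  url.protocol = 'https:';
  // Assumption: HTTPS is on 443. A non-default HTTP port (e.g. :8080) is not
  // the HTTPS port, so drop it rather than carry it across.
  url.port = '';
  return url.toString();   // path, query string and fragment are preserved
}

// Only acts in a browser; under Node `window` is undefined and nothing runs.
if (typeof window !== 'undefined') {
  const target = toHttpsUrl(window.location.href);
  if (target !== null) {
    // replace() keeps the http:// page out of the history, so "Back" does not
    // return the user to the insecure URL.
    window.location.replace(target);
  }
}
```

Put the script in the file that IIS Manager is pointed at for the 403.4 custom error on that one site; other sites on the server keep their own error mapping and are not affected. Two points worth knowing: because the redirect happens in the browser, the fragment (#...) survives, which a server-side 302 never sees; and a client that does not run script simply stays at 403.4, which is the safe failure, since nothing is ever served over plain HTTP.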
 
regnatarajan (Author) commented:
Thanks, everyone, for the great input.  It seems to me that questions 1 and 2 are totally answered, now, and I'll certainly accept those parts of the answer.  Can anyone give me clarity on points 3 and 4?  I'll repeat/reword them here to save you from scrolling up:
   
3. Force session timeouts.  If users are inactive for a certain period of time, I want them forced back to the login page if they try to do anything new.  Obviously, I don't expect their browser to be redirected to the login page unless the user tries to go somewhere new within the secure site.  
 
4. Enforce logins. I want any attempt to circumvent the login page by going directly to a link to land the user at the login page.
 
The thing that surprises me is that the behavior above is totally standard for secure sites.  Every transactional website I can think of that deals with money enforces the behavior above.  I really expected someone to tell me "click there and it will work".
 
Thanks,
Reg Natarajan
 
kevinf40 commented:
Hi Reg

If it is when they are inactive for a period, rather than a session time limit regardless of activity, then I think the session timeout settings in my previous comment should do what you require. Simply right-click on the Web Sites folder in IIS Manager and change the connection timeout setting.

Also, have you looked at CustomAuth to see if that would meet your need to enforce authentication?

cheers

Kevin

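Added example (editor's, not code from the thread): the per-request check that points 3 and 4 actually require. One caveat a practitioner will want stated plainly: the IIS connection timeout discussed above closes idle TCP connections and knows nothing about who is logged in, so the inactivity rule has to be tracked per session in the application, exactly as prueconsulting said. The logic below is written as framework-independent JavaScript so it runs offline; on IIS the same three steps would sit in an include at the top of every protected ASP page, with ASP's Session object (or a database row) in place of the Map. The timeout value, the login path, the session store and all function names are assumptions for this example.

```javascript
// Added example, not from the original thread. Session inactivity timeout
// plus login enforcement, as the application-side check every protected page
// would run first. Store, names and policy values are assumptions.

const IDLE_TIMEOUT_MS = 15 * 60 * 1000;   // assumed policy: 15 minutes idle
const LOGIN_PATH = '/login.asp';          // assumed login page

// In-memory session store keyed by an opaque session id (the cookie value).
// Entry shape: { userId, lastActivity }. On IIS this would be ASP Session
// state or a database table; the logic does not change.
const sessions = new Map();

function login(sessionId, userId, now) {
  sessions.set(sessionId, { userId, lastActivity: now });
}

function logout(sessionId) {
  sessions.delete(sessionId);
}

// Decide what to do with a request for a protected page.
// Returns { allow: true, userId } or { allow: false, redirect, reason }.
// Point 4: no session at all -> login page. Point 3: session older than the
// idle limit -> destroy it server-side and go to the login page. Otherwise
// refresh the activity timestamp (sliding window) and let the page run.
function guard(sessionId, path, now) {
  const s = sessionId ? sessions.get(sessionId) : undefined;
  const back = LOGIN_PATH + '?ret=' + encodeURIComponent(path);
  if (!s) {
    return { allow: false, redirect: back, reason: 'no-session' };
  }
  if (now - s.lastActivity > IDLE_TIMEOUT_MS) {
    sessions.delete(sessionId);   // drop server state, not just the cookie
    return { allow: false, redirect: back, reason: 'idle-timeout' };
  }
  s.lastActivity = now;
  return { allow: true, userId: s.userId };
}

// After a successful login, only bounce to a local path. Accepting a full
// URL (or a protocol-relative //host) in ret= would be an open redirect.
function safeReturnPath(ret) {
  if (typeof ret === 'string' && ret.startsWith('/') &&
      !ret.startsWith('//') && !ret.startsWith('/\\')) {
    return ret;
  }
  return '/';
}

// Walk through the scenario from the question: log in, work, go idle, come
// back. Returns the sequence of decisions so it can be checked.
function demo() {
  const t0 = 1000000;
  login('sid1', 'reg', t0);
  const active = guard('sid1', '/account.asp', t0 + 5 * 60 * 1000);
  // 15 minutes + 1 ms after the last activity (t0 + 5 min): timed out.
  const idle = guard('sid1', '/account.asp', t0 + 20 * 60 * 1000 + 1);
  const direct = guard(undefined, '/account.asp?x=1', t0);
  return { active, idle, direct };
}
```

Every protected page calls guard() before doing anything else; the login page reads ret= and sends the user on with safeReturnPath(). Because the timestamp lives on the server, a client cannot extend its own session by editing a cookie, and a request after the limit finds the session gone rather than merely stale.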