Solved

SSL on IIS

Posted on 2006-05-20
Last Modified: 2010-05-18
Can someone give me an overview of SSL on IIS?  I have a pretty good understanding of how to do everything below on Linux, but I need to do this on IIS for reasons I won't bore you with.  I need the following:

1. I want to force SSL on users.  No HTTP access -- HTTPS only for this site.  Other sites on that server should be unaffected.

2. Install a certificate.  I've done this a few times on IIS, but I need to understand the details here -- can I issue a certificate myself?  Can Windows act as a certificate server?  If so, what are the issues here?  Will users get that silly warning saying the issuing body isn't trusted?  If I have to cough up the cash for a commercial certificate, I will.

3. Force timeouts.  If users are inactive for a certain period of time, I want them forced back to the login page.  

4. Enforce logins. I want any attempt to circumvent the login page by going directly to a link to land the user at the login page.

I'm pretty sure IIS can do all this, but I don't know how.  I've made this worth 500 points because there are several questions on this topic.

Thanks in advance,
Reg Natarajan


Question by:regnatarajan
8 Comments
 

Accepted Solution

by:
r-k earned 672 total points
ID: 16727087
 

Assisted Solution

by:prueconsulting
prueconsulting earned 664 total points
ID: 16730061
1 - Individual items have a security tab as well. Right click the page inside
the IIS snap-in & go to Properties. Click the security tab, edit the cert,
and check off the "only allow SSL connections" option. The individual settings
override the global ones.

On IIS 6.0 you can do this from a command line; this forces SSL only:
"cscript.exe adsutil.vbs set /w3svc/<site identifier>/AccessSSL TRUE"

where <site identifier> is the unique number that identifies the site.


2 - If you use self-signed certs then when users hit the page they will be prompted about it, since it's self-signed and not from a "trusted certificate vendor". As for installation of it, see this link: http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part2.html

3 & 4 - You will have to do this in your code for the pages as far as I know, and it is dependent on the language, i.e. PHP, ASP. Check for cookies etc.

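The adsutil one-liner above needs the site's number, which you have to look up in the metabase first. The script below is an added example (not code from this thread) that does the same job through ADSI: it finds the IIS 6 site by the description shown in IIS Manager, requires SSL on that site only, and leaves every other site on the server untouched. The site description on the command line and the 15-minute ASP session timeout are assumed values; AspKeepSessionIDSecure is assumed to be the IIS 6 metabase property that marks the ASPSESSIONID cookie Secure, and the line is marked so you can drop it if your build does not know it.

```vbscript
' forcessl.vbs -- run on the IIS 6 box as an administrator:
'     cscript //nologo forcessl.vbs "Secure Site"
' Added example, not code from the thread. Looks the site up by the
' description shown in IIS Manager, so you do not have to know its number,
' and requires SSL on that site only; the other sites are left alone.
Option Explicit

Dim svc, site, root, target, found

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "usage: cscript forcessl.vbs ""<site description>"""
    WScript.Quit 1
End If
target = WScript.Arguments(0)
found = False

Set svc = GetObject("IIS://localhost/W3SVC")
For Each site In svc
    ' W3SVC also holds Filters, Info etc.; only IIsWebServer nodes are sites.
    If site.Class = "IIsWebServer" Then
        If StrComp(site.ServerComment, target, vbTextCompare) = 0 Then
            found = True
            ' site.Name is the numeric identifier adsutil wants, e.g. "1".
            WScript.Echo "Site " & site.Name & ": " & site.ServerComment

            ' IIS Manager writes AccessSSL on the site's ROOT; do the same so
            ' the GUI reflects the change. AccessSSL128 additionally rejects
            ' export-strength (< 128-bit) cipher suites, not just plain HTTP.
            Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/ROOT")
            root.AccessSSL = True
            root.AccessSSL128 = True
            root.SetInfo

            ' ASP session settings for this site only (inherited by its
            ' directories). AspSessionTimeout is in minutes of inactivity.
            ' AspKeepSessionIDSecure is ASSUMED to be the IIS 6 property that
            ' sets the Secure flag on the ASPSESSIONID cookie; remove the line
            ' if SetInfo rejects it on your server.
            site.AspSessionTimeout = 15
            site.AspKeepSessionIDSecure = True
            site.SetInfo
        End If
    End If
Next

If Not found Then
    WScript.Echo "No web site with description """ & target & """ found."
    WScript.Quit 2
End If
```

Once AccessSSL is on, a plain http:// request to that site gets a 403.4 ("SSL required") error from IIS rather than a redirect, so users who type the bare host name see an error page unless you add a redirect for that error (which is the follow-up question in the thread). Any single file you later exempt from SSL via its own Properties dialog, as the answer above describes, overrides the ROOT setting for that file only.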
 

Author Comment

by:regnatarajan
ID: 16730145
On the "force SSL" tick, I knew you could force it, but I need to know how to redirect users who go to http://mysite.com to https://mysite.com.

I'm really hoping someone can respond on points 3 and 4 above.  Those are the most important to me.

Reg Natarajan



 

Expert Comment

by:rickyclourenco
ID: 16734696
Go to your naming authoritative host, and see if you can configure a Re-Direction of a page...ie:  Network Solutions
 

Assisted Solution

by:kevinf40
kevinf40 earned 664 total points
ID: 16735522
Hi Reg

The link below is to some blog entries detailing some ASP code snippets that should nicely provide the redirect functionality you are looking for.

http://support.jodohost.com/showthread.php?t=6678

Connection timeouts may help - these are not strictly session related but time out users after a period of inactivity:

Setting Connection Timeouts
To further conserve your server's resources, set the Connection Timeout property on the Web Site property sheet shown in Figure 2. The default is 900 seconds, which is pretty generous. Unless you're hosting an application or web site that allows for users to sit idle before continuing, there is no need to keep the connection. I recommend reducing this amount by at least half. By doing so, your server trashes any connections that have been idle longer than the specified period of time, giving back resources for connections that are active.

Further information on session handling can be found here:
http://www.ftponline.com/vsm/2005_01/magazine/columns/databasedesign/

Basically it looks like you'll need to make changes to the machine.config file, which I believe defaults to being installed here:  C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG

Obviously the path will vary depending on your .NET framework location.

This file is very powerful and contains a lot of IIS related settings.

A lot of session management can also be done from within the code so if sessions are important it may well be worth you having a chat with your developers.

To enforce authentication you may want to look at CustomAuth some good details about installing and configuring this dll can be found here:
http://blogs.msdn.com/david.wang/archive/2006/01/24/HOWTO_Install_and_Use_CustomAuth_on_IIS_6.aspx

Sorry if I have created more questions than I have answered, but these aren't the easiest things to get right!

hope I've been of some help!

cheers

Kevin

 

Expert Comment

by:r-k
ID: 16740453
You may find this link useful for redirection:

 http://support.microsoft.com/kb/839357/en-us
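The mechanism that KB article uses is a custom error page for HTTP 403.4 ("SSL required"), pointing at a small ASP page that sends the browser to the https:// address. The page below is an added example, not the article's script or code from this thread. It assumes the site has "Require secure channel (SSL)" set; that Custom Errors maps 403;4 to Type "URL" with URL /sslredirect.asp; that the file sslredirect.asp itself has "Require secure channel" cleared (the per-file override mentioned earlier in the thread), so IIS will still serve it over plain HTTP; and that mysite.com is the name on the certificate (a hypothetical value).

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' sslredirect.asp -- custom error page for 403.4 ("SSL required").
' Added example, not code from the thread or from the KB article.
' Assumed setup: site requires SSL; Custom Errors maps 403;4 -> URL
' "/sslredirect.asp"; this one file has "Require secure channel" cleared.
Const SITE_HOST = "mysite.com"     ' assumed: the name on the certificate

' For a URL-type custom error, IIS passes the failed request to this page as
' QUERY_STRING = "403;http://host/path?query". Keep only the path and query:
' the browser is sent to our own host name, never to whatever Host header the
' request carried, so this page cannot be used as an open redirect.
Function OriginalPath()
    Dim qs, p, path
    qs = Request.ServerVariables("QUERY_STRING")
    path = "/"
    p = InStr(qs, "://")
    If p > 0 Then
        p = InStr(p + 3, qs, "/")
        If p > 0 Then path = Mid(qs, p)
    End If
    ' Strip CR/LF so a crafted request cannot inject extra response headers.
    OriginalPath = Replace(Replace(path, vbCr, ""), vbLf, "")
End Function

If LCase(Request.ServerVariables("HTTPS")) = "on" Then
    ' Someone opened this page directly over HTTPS: nothing to fix, send them home.
    Response.Redirect "/"
End If

' 301 rather than 302 so browsers and bookmarks learn the https:// address.
Response.Status = "301 Moved Permanently"
Response.AddHeader "Location", "https://" & SITE_HOST & OriginalPath()
Response.End
%>
```

Test it by requesting http://mysite.com/somepage.asp?x=1 and checking that the response is a 301 with Location: https://mysite.com/somepage.asp?x=1. If you see the raw 403.4 error instead, the custom error entry is of Type "File" rather than "URL", or sslredirect.asp still requires SSL. Because the redirect only happens after the browser has already sent the request in clear text, it protects nothing that was in that first request; it only moves users to the encrypted site for everything after it.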
 

Author Comment

by:regnatarajan
ID: 16742988
Thanks, everyone, for the great input.  It seems to me that questions 1 and 2 are totally answered, now, and I'll certainly accept those parts of the answer.  Can anyone give me clarity on points 3 and 4?  I'll repeat/reword them here to save you from scrolling up:
   
3. Force session timeouts.  If users are inactive for a certain period of time, I want them forced back to the login page if they try to do anything new.  Obviously, I don't expect their browser to be redirected to the login page unless the user tries to go somewhere new within the secure site.  
 
4. Enforce logins. I want any attempt to circumvent the login page by going directly to a link to land the user at the login page.
 
The thing that surprises me is that the behavior above is totally standard for secure sites.  Every transactional website I can think of that deals with money enforces the behavior above.  I really expected someone to tell me "click there and it will work".
 
Thanks,
Reg Natarajan
 

Expert Comment

by:kevinf40
ID: 16743367
Hi Reg

If it is when they are inactive for a period rather than a session time limit regardless of activity then I think the session timeout settings in my previous comment should do what you require. Simply right click on the web sites folder in IIS Manager and change the connection timeout setting.

Also have you looked at CustomAuth to see if that would meet your need to enforce authentication?

cheers

Kevin

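Points 3 and 4, done in the page code as prueconsulting suggested, come down to one include file that every protected page pulls in first. The file below is an added example, not code from this thread. It assumes a hypothetical /login.asp that validates the credentials, sets Session("UserID"), and sends the user on to the path in its returnTo parameter; nothing else in the application sets UserID. The 10-minute idle limit is an assumed value.

```asp
<%
' secure.inc -- put <!-- #include virtual="/secure.inc" --> right after the
' language directive of every page that must be behind the login
' (points 3 and 4 of the question).
' Added example, not code from the thread. Assumes /login.asp (hypothetical)
' validates the credentials and then sets Session("UserID"); nothing else does.

Const IDLE_LIMIT_SECONDS = 600     ' assumed limit: 10 minutes of inactivity

Sub RequireLogin()
    Dim here, idleFor

    ' Where to send the user after a successful login. Path and query only,
    ' never a full URL, so login.asp cannot be abused as an open redirect.
    here = Request.ServerVariables("URL")
    If Request.ServerVariables("QUERY_STRING") <> "" Then
        here = here & "?" & Request.ServerVariables("QUERY_STRING")
    End If

    ' Point 4: a request that bypassed login.asp has no UserID in its session.
    ' Response.Redirect also ends the page, so nothing below runs for it.
    If IsEmpty(Session("UserID")) Then
        Response.Redirect "/login.asp?returnTo=" & Server.URLEncode(here)
    End If

    ' Point 3: an inactivity clock kept in the session. IIS's own
    ' Session.Timeout also drops idle sessions, but this makes the limit
    ' explicit per site and lets login.asp tell the user why they are back.
    If Not IsEmpty(Session("LastSeen")) Then
        idleFor = DateDiff("s", Session("LastSeen"), Now())
        If idleFor > IDLE_LIMIT_SECONDS Then
            Session.Abandon
            Response.Redirect "/login.asp?reason=timeout&returnTo=" & Server.URLEncode(here)
        End If
    End If
    Session("LastSeen") = Now()

    ' Never let a protected page be replayed from a browser or proxy cache
    ' after logout or timeout.
    Response.Expires = -1
    Response.CacheControl = "no-cache"
    Response.AddHeader "Pragma", "no-cache"
End Sub

RequireLogin
%>
```

Keep IDLE_LIMIT_SECONDS below the site's ASP Session.Timeout (minutes, set in the ASP properties or in global.asa); if the IIS session expires first, the user is bounced by the UserID check instead, which is still safe but loses the "timed out" message. A logout page should call Session.Abandon so that the next request hits the UserID check. The connection timeout discussed earlier in the thread is a separate setting: it closes idle TCP connections and does not end an ASP session.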
