IIS supports two types of client-certificate mapping. The legacy mode introduced in Internet Information Server (IIS) 4.0 lets you map certificates to specific user accounts manually. The advantage of this mode is that you can use certificates from multiple CAs and map those certificates to any account you choose. You can also map multiple certificates to a single account. You create the mappings by using the Account Mappings dialog box, which appears when you click Edit in the Secure Communications dialog box's Enable client certificate mapping section. Unfortunately, this mode of operation becomes unwieldy when you work with many certificates and user accounts.
The second type of client-certificate mapping lets you instruct IIS to map the client certificates that an enterprise CA issues to user accounts in AD. To use this mode of operation, open the Internet Information Services snap-in, right-click the Web server (not a Web site), and select Properties. From the Master Properties menu, select WWW Service, click Edit, and select the Directory Security tab. Select Enable the Windows directory service mapper, as Figure 5 shows. The advantages of this mode include scalability and some automated management features: As the enterprise CA issues user certificates, they're stored automatically in AD. You don't need to manually load and manage the certificates, and when users renew their certificates, you don't need to update the mappings. Note that the two types of client-certificate mapping are mutually exclusive in IIS, so you must choose your scheme with care.
When a user connects to a Web site that requires client certificates, the user's browser displays a dialog box that contains a list of the user's valid certificates, as Figure 6 shows. The user can select which certificate to use to authenticate (the browser will remember which certificate to use for the remainder of the session). If the certificate is stored on a smart card, the user will be prompted to enter his or her smart card PIN. Note that Figure 6 shows multiple certificates with the same name. A user with multiple certificates must select a certificate and click View Certificate to determine which certificate to use.
Managing Certificates
When using certificates, you need to have a management process in place for them. As part of their security mechanism, certificates expire and need to be renewed, so you must remember to request and install a new server certificate before the old one expires. You also need to replace expired and revoked client certificates if your Web site uses the legacy-mapping mode.
When managing a Web site that has restricted content, routinely monitor the types of requests the server receives to ensure that communications take place over SSL when requests include authentication information and when sensitive information is being returned to the user. Note that you might need a packet sniffer or Network Monitor (which ships with Win2K) for this type of monitoring.
Of course, you should also install the latest service pack and hotfixes on your Web servers and lock down your servers. For information about locking down a Web site, see Andrey Kruchkov, "Secure Web Server Installation on Win2K," October 2001, InstantDoc ID 22365, and check out Microsoft's security Web site at http://www.microsoft.com/security for the latest bulletins, tools, checklists, and best practices.
Microsoft's Internet Information Services 5.0 Resource Guide, part of the Microsoft Windows 2000 Server Resource Kit, is required reading for Web site administrators. Another good book I recommend to both developers and administrators is Michael Howard's Designing Secure Web-Based Applications for Microsoft Windows 2000 (Microsoft Press, 2000). The Microsoft Developer Network (MSDN) Web site (http://msdn.microsoft.com) also contains a wealth of information about developing and securing Web sites.
End of Article
Prev. page
1
2
[3]
next page -->
