
.NET Forum / .NET Framework / Security / December 2006


Newbie Security Question

Chris - 01 Dec 2006 19:22 GMT
I want to lock down three or four pages of an otherwise publicly accessible web
app. You have to login but providing you have the right username and
password you have access. These 3 or 4 pages should only be accessed from
certain webservers and of course the hosting server. I was thinking of using
client certificates but I don't want to make the whole site require them,
just the one directory. Can I make a virtual directory or a subdomain
require a client certificate for access? Preferably a virtual directory.
Also, do I have to buy a certificate from a CA? I read somewhere you can
create your own internal ones as these machines are all hosted by us.
Regards.
Joe Kaplan - 01 Dec 2006 20:40 GMT
You can change the SSL policy to use SSL and require a client certificate at
the virtual directory level, so that should work.  Regarding certs,
basically you can use whatever you can get both the servers and clients to
trust, so if you can put the appropriate root CAs in each of the machine's
trusted roots store, you'll be ok.  The commercial CA is the easiest way to
do this and is the only really viable approach for use with the general
public, but you have more flexibility than that.

Depending on your needs, you might also just use Windows authentication on
those directories.  Client certificates can be a bit of a pain from a
deployment standpoint.

Joe K.


Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Chris - 01 Dec 2006 22:00 GMT
Do you know of any good books or websites that will talk you through the
basics of securing the Virtual Directory? I am new to this. I want to go
down the virtual directory as we host servers on different sites so Windows
authentication might not work, not with our network, I don't think.
Particularly what are the general steps to changing SSL policy to a virtual
directory level. Regards.

Joe Kaplan - 01 Dec 2006 23:24 GMT
I actually don't know of any good books for doing IIS admin as I've never
read one, but it is pretty easy to figure this stuff out.

First, you need to configure the website itself with your SSL cert.  That is
done by bringing up the properties for the web site and clicking the server
certificate button.  Follow the wizard to request a new cert or use one you
already installed.

Then, once you create a virtual directory under the website, you can go into
the directory security tab and click "edit" under the secure communications
section and then change the options to "require secure channel" and then
change the radio button to "require client certificate".

HTH,

Joe K.


Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
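
"Require client certificate" in IIS accepts any certificate that chains to a root the server trusts, so limiting the directory to particular servers also needs a check of which certificate was presented. The ASP.NET module below is an added example, not code from the thread; the `~/secure/` path and the thumbprint values are placeholders chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example: allowlist check layered on top of the IIS
// "require client certificate" setting for one virtual directory.
public class ClientCertAllowListModule : IHttpModule
{
    // Assumption: the protected virtual directory is ~/secure/.
    private const string ProtectedPrefix = "~/secure/";

    // Placeholder thumbprints (constructed); replace with the SHA-1
    // thumbprints of the certificates issued to the permitted servers.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000001",
            "0000000000000000000000000000000000000002"
        };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return; // public part of the site: no certificate needed

        if (!IsAllowed(ctx.Request))
        {
            ctx.Response.StatusCode = 403;       // fail closed
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    private static bool IsAllowed(HttpRequest request)
    {
        HttpClientCertificate cert = request.ClientCertificate;
        if (!request.IsSecureConnection || !cert.IsPresent || !cert.IsValid)
            return false;
        if (DateTime.Now < cert.ValidFrom || DateTime.Now > cert.ValidUntil)
            return false;
        // Compare the presented certificate against the allowlist.
        var x509 = new X509Certificate2(cert.Certificate);
        return AllowedThumbprints.Contains(x509.Thumbprint);
    }

    public void Dispose() { }
}
```

The module takes effect once it is registered in the application's web.config under `<httpModules>`.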
Chris - 02 Dec 2006 00:08 GMT
Thanks very much I'll have a go. Regards.

Joe Kaplan - 02 Dec 2006 01:17 GMT
There is a tool called selfssl that comes with the IIS 6 Resource Kit (free
download) that is handy for creating a quicky self-signed SSL cert and
installing it in the default web server all in one go.  You might want to
experiment with that to get started if you don't have another easy source of
certs.  You'll quickly discover that self-signed certs are a pain to manage when
you need to get other machines to trust them.  :)  Still, it is handy.

To create a quicky self-signed client cert, you'd need to use makecert.exe
and it is a little more effort.

Joe K.


Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
