Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


September 2001

Using Certificates for Security in IIS


Authenticate access to your server

Security is one of the most discussed components of any network or Web site. Web sites and the servers on which they run need security because of the Web servers' widespread access. If the server connects to the Internet, it's even more exposed and potentially vulnerable to unauthorized users. If the Web server hosts an intranet, the server is usually contained within the LAN or WAN environment. Even intranets can be exposed to the Internet, however, because workers more frequently need remote access to applications. In such a case, the intranet is known as an extranet.

You can establish Web site security in many ways—from logon security that authenticates users to a server to security methods such as NTFS that authorize access to certain files or folders. Relying on the Windows 2000 security system to provide authentication and authorization security removes the need for you or your developers to develop your own security system. One way to take advantage of the Win2K security system is by using client certificates to authenticate access to your Web servers. Let's look at what certificates are, how you obtain them, and how you configure them.

What Are Client Certificates?
Client certificates are files that a Certificate Authority (CA) issues to vouch for an individual's identity. A CA is a trusted organization such as VeriSign. To be acceptable, client certificates must be from a CA listed in the certificate trust list (CTL) for the site. (You add site CAs to the CTL by using the CTL Wizard.) You can also list the CA in the CTL for the Active Directory (AD) domain or AD organization, if appropriate.

An alternative to purchasing certificates is to use Win2K Certificate Services to issue your own certificates. Issuing certificates is handy when you use AD because Certificate Services automatically publishes certificates to AD. Issuing your own certificates is also much less costly than purchasing third-party certificates. However, outside organizations might not trust certificates that you issue. Base the decision whether to purchase certificates from a CA or issue them yourself on who will authenticate users with the certificates. For example, if you're doing everything internally, you might use Certificate Services, which lets you control everything.

Client certificates have an advantage over a simple username and password: a CA issues the certificates, and after the user installs the client certificate, the authentication process doesn't involve the user at all. Installing the certificate is the user's only involvement, which relieves the user from remembering a password to log on to a site.

Using certificates also has disadvantages. First, clients must install certificates, so the process leaves room for error. Second, using certificates—Secure Sockets Layer (SSL) in particular—puts a heavy load on a Web server, thus slowing it down for all users. Third, certificates expire and require renewal, so the user or administrator must remember to renew the certificate before it expires. SSL adds a lot of management and performance overhead to a server. You must balance the headaches of SSL against your need for certificates.
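The trust-list and expiry behavior described above can be reproduced with throwaway certificates. This is an added example, not code from the article: it assumes the OpenSSL command-line tool is installed and uses it in place of Certificate Services and IIS, and the CA names, the user alice, and the validity periods are constructed.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs and one client certificate, generated locally.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (key and certificate) called NAME.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA USER DAYS: CA signs a client certificate for USER, valid DAYS days.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days "$3" -out "$WORK/$2.crt" 2>/dev/null
}

# issuer_trusted TRUSTLIST CERT: succeed only if CERT was issued by a CA in TRUSTLIST.
issuer_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within CERT DAYS: succeed if CERT expires within DAYS days (renewal is due).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

make_ca internal-ca                  # the CA on the site's trust list
make_ca other-ca                     # a CA the site does not list
issue_client internal-ca alice 10    # short-lived certificate for user alice

if issuer_trusted "$WORK/internal-ca.crt" "$WORK/alice.crt"; then
    echo "alice: accepted, issuer is on the trust list"
fi
if ! issuer_trusted "$WORK/other-ca.crt" "$WORK/alice.crt"; then
    echo "alice: rejected by a site that trusts only other-ca"
fi
if expires_within "$WORK/alice.crt" 30; then
    echo "alice: certificate expires within 30 days, renew it"
fi
```

The second check is the situation the article warns about when you issue your own certificates: a site whose trust list does not contain your CA rejects the certificate even though it is otherwise valid.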

Using Client Certificates
To require client certificates for authentication, you must enable SSL for a site. (For a more detailed description of SSL and how it works, see Allen Jones, "SSL Demystified," December 2000.) Enabling SSL installs the SSL certificate. You can determine whether the site uses SSL by opening the Microsoft Management Console (MMC) Internet Information Services snap-in, opening the Properties for the site, then clicking the Directory Security tab, which Figure 1, page 8, shows. If View Certificate and Edit are enabled, the site has a certificate installed. You can check the SSL settings by clicking Edit on the Directory Security tab and selecting the Require secure channel (SSL) check box, which Figure 2, page 8, shows.

You can assign a server certificate (i.e., a certificate assigned to a server instead of a user) to one Web site or to multiple Web sites. (You can't install a certificate on a virtual directory.) To install the server certificate, you can use either the Web Server Certificate Wizard or the CTL Wizard. Follow these steps to start the Web Server Certificate Wizard:

  1. Open the Internet Information Services snap-in.
  2. Right-click the Web site in which you want to install the certificate, then select Properties.
  3. Click the Directory Security tab, then click Server Certificate to start the wizard.


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2009 Penton Media, Inc. All rights reserved.