Uses SSL to add locks to IIS

In the maintenance of NT systems, more and more small and medium-sized enterprises in their own web site and internal office management system to adopt it, and many are using the default IIS to do Web server use. Of course, we can not deny that several recent threats to the NT system are caused by improper IIS configuration, and can be foreseen, the future of IIS will be found many new vulnerabilities and security issues, but as long as we do a reasonable security configuration, or can avoid a lot of security risks. This article does not systematically talk about how to fully secure the configuration of IIS, I only from the use of SSL encryption HTTP channel to enhance IIS security.

First, the establishment of SSL security mechanism

IIS authentication, in addition to anonymous access, Basic authentication, and Windows NT Request/Response, is a more secure authentication that uses digital certificates through the SSL (security Socket Layer) secure mechanism. SSL (the cryptographic Sockets Layer) is between the HTTP layer and the TCP layer, establishing encrypted communication between the user and the server, ensuring the security of the information passed. SSL is based on public and private keys, and any user can obtain a public key to encrypt the data, but the decryption data must pass the corresponding private key. When using the SSL security mechanism, first, the client and the server to establish a connection, the server to its digital certificate and public key one concurrent to the client, the client randomly generated session key, with the public key from the server to encrypt the session key, and the session key on the network passed to the server, The session key can only be decrypted with a private key on the server side, so that the client and server end up with a unique secure channel.

Once SSL security is established, only SSL-enabled customers can communicate with SSL-allowed Web sites, and when using a URL resource Locator, enter https://instead of http://.

Simply put, by default, the HTTP protocol we use has no encryption, and all messages are transmitted in clear text across the network, and a malicious attacker can install a listener to obtain communication between us and the server. This harm in some enterprises in the internal network is particularly large, for the use of the hub of the enterprise intranet is simply no security can be said because anyone can see other people on a computer in the network activities, for the use of the switch to networking network, although the security threat is much smaller, However, many times there will be a security breach, such as the switch does not change the default user and password, people go up to their own network interface set as a listener, can still monitor the entire network of activities.