Because the NT system is easy to maintain, more and more small and medium-sized enterprises use it for their websites and internal office management systems, and many of them run the default IIS as their web server. It cannot be denied that the recent vulnerabilities that threaten NT systems are caused by improper IIS configuration. It is also foreseeable that many new IIS vulnerabilities and security problems will be discovered in the future. However, as long as we apply a reasonable security configuration, we can still avoid many security risks. This article does not systematically describe how to configure IIS securely in every respect; it covers only one measure, using SSL to encrypt the HTTP channel.
1. Establish an SSL Security Mechanism
In addition to anonymous access, basic authentication, and Windows NT Challenge/Response, IIS identity authentication also provides a more secure method: the SSL (Secure Sockets Layer) security mechanism, which uses digital certificates. SSL sits between the HTTP layer and the TCP layer. It establishes encrypted communication between users and the server to protect the information in transit. SSL is based on a public key and a private key. Any user can obtain the public key and use it to encrypt data, but decrypting that data requires the corresponding private key. When the SSL security mechanism is used, the client first establishes a connection with the server. The server sends its digital certificate and public key to the client. The client generates a random session key, encrypts it with the public key obtained from the server, and sends the encrypted session key to the server over the network. Because the session key can be decrypted only on the server, the client and the server now share a unique secure channel.
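The exchange described above can be walked through in a few lines of Python. This is an added example, not code from the original article. It uses unpadded textbook RSA with a fixed, constructed key pair and a stand-in keystream cipher, so all names and values are assumptions for illustration only. Real SSL/TLS adds padding, certificate validation and integrity checks.

```python
import hashlib
import secrets

# Constructed demo key pair: two Mersenne primes give a 234-bit modulus.
# Fixed and far too small for real use; real servers use 2048-bit or larger keys.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537                    # public key, sent with the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, never leaves the server
KEY_LEN = 16                           # session key size in bytes


def client_wrap_session_key(n, e):
    """Client: generate a random session key and encrypt it with the public key."""
    session_key = secrets.token_bytes(KEY_LEN)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped


def server_unwrap_session_key(wrapped, d, n):
    """Server: decrypt the session key with the private key."""
    return pow(wrapped, d, n).to_bytes(KEY_LEN, "big")


def keystream_xor(key, data):
    """Stand-in bulk cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def run_exchange(request):
    """Run the exchange and return what each party and an eavesdropper see."""
    client_key, wrapped = client_wrap_session_key(N, E)
    record = keystream_xor(client_key, request)          # what crosses the network
    server_key = server_unwrap_session_key(wrapped, D, N)
    return {
        "keys_match": client_key == server_key,
        "on_the_wire": wrapped.to_bytes(30, "big") + record,
        "server_plaintext": keystream_xor(server_key, record),
    }


if __name__ == "__main__":
    sample = b"POST /login user=alice&password=constructed-sample"
    result = run_exchange(sample)
    print("keys match:", result["keys_match"])
    print("wire bytes:", result["on_the_wire"].hex())
    print("server sees:", result["server_plaintext"])
```

The bytes under `on_the_wire` are all a listener on the network segment would capture: the wrapped session key and the encrypted request, neither of which reveals the login data without the server's private key.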
After an SSL security mechanism is established, only SSL-enabled clients can communicate with SSL-enabled websites. When entering the URL, use https:// instead of http://.
Simply put, the HTTP protocol we use has no encryption by default, and all messages cross the network in plain text, so a malicious attacker who installs a listener can capture the communication between us and the server. This hazard is especially serious on some enterprises' internal networks. An enterprise intranet built on a hub has no security at all, because anyone can see other people's network activity from their own computer. The threat is much smaller on networks that use switches, but in many cases there are still ways through. For example, when the default user names and passwords of the switches have not been changed, a network interface can be set up as a listener to monitor all activity on the entire network.
Therefore, fully encrypting the entire network transmission channel is indeed a good security measure. Unfortunately, there are not many articles on the Internet about configuring SSL for IIS, so I simply tried it myself and am sharing my experience with you.
2. Procedure
Taking the Windows Server version as an example, we first need to open Add/Remove Windows Components in the Control Panel and install Certificate Services. This service is not installed by default, so you need to install it from the CD.
Since this is the first configuration, we choose to create a new certificate and use the default site name and encryption length settings. After the certificate is issued successfully, find it among the issued certificates, double-click it to open its properties, and then choose to copy the certificate to a file on the Details tab. We need to export the certificate to a file. Here we export the certificate to the file c:\SQL.cer. Return to the IIS web management interface and select a new certificate request. At this point, the certificate request is pending.