Study Notes on IIS security/Digital Certificate/SSL principles

I want to help you write down the IIS security I know. If you have any additional information, I would like to thank you very much.

IIS security can be classified into transmission security and access security.

(There is something to be written before: Many online articles talk about SSL with various technologies, such as web service. Other SSL has nothing to do with those technologies. It is just something about IIS, attention for beginners)

(First, describe the environment for operations under the workshop:

Client: System: Local win7, IP: 192.168.85.1

Note that the following two server systems must be used: because IIS can only add new websites to the server system, and virtual directories can only be added to non-server systems. In addition, only the server system has Ca (Certificate Authority)

IIS server: Windows2003 in VM, IP: 192.168.85.128

CA Server: Windows2003 in VM, IP: 192.168.85.128

)

Access Security (Transmission security is described in the third part, SSL ):

1.Basic settings

Security Settings and descriptions

Only integrate Windows Authentication:

After entering the IIS server user name and password, you can access this webpage!

2. Set permissions through ipsettings

See:

If access is disabled, the following page appears.

3. Set the certificate

This is complicated. It includes transmission security in IIS. The following describes the certificate step by step.

A Certificate Server (the same server as IIS) is required because a digital certificate is used)

A. Install the authentication server

Next, go to the next step until the Certificate Authority is installed.

After installation, there is a virtual directory for certificate application under the default IIS Site, as shown in figure

B. A certificate application is prepared by IIS (a string is actually generated)

Right-click the website for which you want to apply for a server certificate-> properties-> Directory Security-> server certificate-> next, the following figure appears: Create a new certificate first, and press next.

Select "Prepare certificate request now, but send it later" and press "Next". The following page is displayed:

Click Next to enter the unit and department page, enter your unit and department, and click Next (pay attention to setting this step below)

After entering the province, city, or other information, follow the next step.

Click Next to complete

C. Apply for a certificate using the character string in the file just now (one or less characters, including spaces) (there are two methods)

Method 1: submit a new application through ca display, select the file generated on IIS (C: \ certreg.txt), and press open.

At this time, there is a certificate under the suspended certificate

Method 2: Use the certificate virtual path under the default IIS Site

Click Apply for a certificate to go to the next page, and then click "apply for Advanced Certificate" to go to the following page

Click the option in the red box to go to the next page.

Select the file generated by IIS, select all the content, and paste all the content in the red box on the following page.

After the certificate is submitted, there will be a certificate in the suspended certificate of the CA

D. Then, issue the certificate:

Select the certificate that you just applied to be suspended in the CA, right click-> all tasks-> Issue

E. Export the issued certificate to IIS

In the "issued certificate" in the CA, open the issued certificate and press Export

 

F. Install the IIS server certificate

Go back to the IIS server certificate, click in, select "handle hanging requests and install Certificates"-> first export the certificate-> specify the SSL port (443 by default) -> next, continue until the task is completed.

G. Set SSL-secured transmission for websites

Go back to IIS's "Directory Security page"-> in "Secure Communication"-> edit as shown in

As long as the settings are complete, you can use SSL for secure transmission (here we can work with "Integrating Windows users" for access security. Here we will talk about a new one, use client certificates to map users for access security)

According to the above settings, although the access can be used, but the results will show that there is no client certificate (only anonymous access is allowed)

Even if I have finished iis ssl, I will talk about using client certificates for secure access.

Use client certificates for secure access

A. Request the client certificate early

Access the CA server on the client (win7 on the local machine) (through the CA virtual directory under IIS)

Because ActiveX cannot be stored in Windows 7 due to unknown reasons during the testing process, we changed the client to vm2003, open the IE option-> content-> certificate to add a new client certificate.

Export this certificate (C: \ Client. CER)

Of course, you can also export the certificate applied by the customer in the CA.

B. ing between users and certificates in IIS (if you only set access security through certificates, select Anonymous Access)

The SSL image just now

 

After the configuration is completed in the above Order, confirm the process by OK until the process is completed.

Now, when HTTPS is used for access, the certificate will be mapped to the corresponding user of the corresponding IIS server (equivalent to integrating windows verification). Please refer

Click OK to access the page!

 

I have talked a lot about it here! There are too many images! In order to explain the problem in detail, there is no way (through these operations, you can imagine that SSL in IIS is working at first, right ?)