Implementing a PKI, Part II: Configuring IIS 6.0 (Page 1 of 5)
In my previous article, “Implementing a Public Key Infrastructure (PKI) - Windows Server 2003, Part I”, I described the procedure you have to follow to set up your own Public Key Infrastructure using Windows Server 2003. Now it is time to move on and explain how you can configure your IIS 6.0 Web server and your Web browser to use the digital certificates issued by your own PKI. After all, our goal is to implement an encrypted channel between the Web server and the browser so that they can exchange data securely.
Security Enhancements on IIS 6.0
In an effort to provide an enhanced level of security, Windows Server 2003 includes a redesigned IIS. IIS 6.0 is far more secure than previous versions of IIS, and many new features are included to enhance the security of Web communication. Below is a list of the features we are most concerned with when implementing a PKI.
- Not installed by default on Windows Server 2003: Why have something installed on your PC if you don’t need it, especially if this will put your system at risk? Based on this concept, IIS 6.0 is not installed by default on Windows Server 2003. If you need it you must explicitly select and install it. By the way, we need it to operate the CA, so please find the time to install it.
- Installs in a locked down state: The default installation of IIS 6.0 exposes only minimal functionality. Only static files are served; all other functionality (such as ASP and ASP.NET) has to be enabled explicitly by you. In this way, administrators must think about what they really need to enable, based on the task they want to perform, rather than inheriting a broad default attack surface.
- SSL improvements:
  - Performance. SSL operation places a load on the system because of the cryptographic work it must perform. Microsoft improved the SSL implementation and made it faster, achieving better performance and scalability.
  - Selectable Cryptographic Service Provider (CSP). To improve the performance of the system when using SSL, you are able to select a specific CSP. There are hardware-based accelerator cards that offload the cryptographic computations to dedicated hardware, and the vendors of such cards can plug their own CryptoAPI provider into the system. With IIS 6.0, you have the ability to select such a third-party CryptoAPI provider for the Web server's SSL operations.
  - Remotable Certificate Object. In IIS 5.0, administrators cannot manage SSL certificates remotely because the CSP certificate store cannot be accessed remotely. With IIS 6.0 you are able to do this through the CertObject.
More By Eliana Stavrou