IIS and Server: Securing Certificate Services

1. Securing Certificate Services. After the Certificate Services Web Enrollment Support component is installed, a virtual directory named CertSrv is created under the Default Web Site. This virtual directory is the entry point for the web enrollment pages and must be secured. Because virtual directories let one server and IP address publish several sites, every virtual directory is a separate entry point that needs the same attention.

2. General Permissions. Only a small set of general permissions should be enabled on CertSrv, so that users have the access they need to complete enrollment and nothing more.

Open the IIS Manager and expand the Default Web Site, where you will find the CertSrv virtual directory. Right-click CertSrv and select Properties.



Select the Virtual Directory tab if it is not already selected. Under the Local Path section, check that Read, Log visits, and Index this resource are the only general permissions selected (Script source access, Write, and Directory browsing must be clear). Then, under Application Settings, check that Execute Permissions is set to Scripts only, which lets the enrollment ASP pages run but blocks executables, and click Apply.



3. Configuring SSL Options. You can require SSL for every site the web server hosts or for particular sites only. Requiring it on CertSrv ensures that everything transmitted during web enrollment, including the credentials configured in the next section, is encrypted. To configure certificate services web enrollment to use SSL only, open the CertSrv Properties through the IIS Manager if they are not already open.



Select the Directory Security tab and click the Edit button under the Secure Communications section. The Edit button is only available once a server certificate has been assigned to the web site; if it is greyed out, install one first with the Server Certificate wizard on the same tab.



Select Require Secure Channel (SSL). You can also select Require 128-bit encryption; older browsers, and browsers distributed in countries where US export restrictions still apply, may not support 128-bit encryption and will then be unable to connect. If this option is not selected, such browsers fall back to weaker encryption that is no longer considered secure, so the trade-off is compatibility against protection of the credentials and requests sent through the site. Check that Ignore Client Certificates is selected and click OK to apply the changes. Once SSL is required, the enrollment pages are only reachable over https://; plain http:// requests are refused with a 403 (SSL required) error.



4. Configuring Basic Authentication. By default, anonymous authentication is enabled for web enrollment. It is recommended that you disable anonymous authentication and configure another authentication method, so that only users who can authenticate are able to submit a request. This keeps unauthenticated users from generating certificate requests that would otherwise have to be reviewed and cleaned up. Prefer methods that do not send the user's password in clear text, which are Integrated Windows, Digest, and .NET Passport. Basic authentication sends the password base64-encoded, which is equivalent to clear text, and is only acceptable when the SSL requirement from section 3 is in place.

To set up Certificate Services web enrollment to use Basic Authentication, open the properties for CertSrv. Select the Directory Security tab and click the Edit button under Authentication and Access Control.



Disable Anonymous Access and select Basic Authentication. IIS displays a warning about the exposure of clear-text passwords; click Yes to continue. You can leave Default Domain and Realm blank, in which case IIS uses the name of the local machine. Default Domain specifies the domain against which the user's credentials are checked when the user does not supply a domain name at the prompt; in a domain environment, set it to the domain that holds the enrolling users so that they do not have to type DOMAIN\user. Click OK to apply the changes.



5. Moving CertSrv. The default content directory for CertSrv is %SystemRoot%\System32\CertSrv (normally C:\Windows\System32\CertSrv). Web content on the system partition should be moved to another partition or hard drive, so that a misconfiguration or directory traversal flaw in the web root cannot reach system files and other sensitive data. Copy the CertSrv directory and paste it onto the other partition or drive. Then open the properties window for CertSrv through the IIS Manager, select the Virtual Directory tab, and change Local Path to the new location. Click Apply to apply the setting changes. Because a copied directory takes the NTFS permissions of its destination rather than those of the original, check the NTFS permissions on the new directory as well.



6. Change Document Types. CertSrv is set up with a number of default documents that IIS looks for, in order, when a user connects to the directory without naming a page. Trimming this list ensures that only the intended page is served. The only document required is Default.asp; the rest can be removed.

In the properties window select the Documents tab and remove all entries except Default.asp. Click Apply to apply the setting and OK to close the properties window.
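The settings from sections 2 through 6 can be verified without clicking through the dialogs, because IIS 6 persists them in the metabase. The following Python script is an added example, not part of the original page: it audits an exported MetaBase.xml against this checklist. It assumes the IIS 6 metabase layout (IIsWebVirtualDir elements keyed by a Location attribute, with flag-valued attributes such as AccessFlags, AuthFlags and AccessSSLFlags, plus DefaultDoc, Path, DontLog and ContentIndexed), that CertSrv lives at /LM/W3SVC/1/ROOT/CertSrv under the Default Web Site, and that C:\WINDOWS is the system directory. The two metabase fragments embedded below are constructed samples, one before hardening and one after.

```python
"""Audit the CertSrv virtual directory in an IIS 6 MetaBase.xml export.

Added example (not from the original page). Assumptions: IIS 6 metabase XML
layout, CertSrv at /LM/W3SVC/1/ROOT/CertSrv, system directory C:\\WINDOWS.
"""
import xml.etree.ElementTree as ET

# Metabase location of CertSrv under the Default Web Site (site id 1). Assumption.
CERTSRV_LOCATION = "/LM/W3SVC/1/ROOT/CertSrv"
# Assumption: the system directory to keep web content out of (section 5).
SYSTEM_PATH_PREFIX = "c:\\windows\\"

# Constructed sample: a default-looking CertSrv entry before hardening.
SAMPLE_BEFORE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/CertSrv"
    AccessFlags="AccessRead | AccessScript | AccessWrite"
    AuthFlags="AuthAnonymous | AuthNTLM"
    DefaultDoc="Default.htm,Default.asp,index.htm,iisstart.htm"
    Path="C:\\WINDOWS\\system32\\CertSrv"
    DontLog="FALSE"
    ContentIndexed="TRUE"
>
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""

# Constructed sample: the same entry after applying sections 2 to 6.
SAMPLE_AFTER = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/CertSrv"
    AccessFlags="AccessRead | AccessScript"
    AccessSSLFlags="AccessSSL | AccessSSL128"
    AuthFlags="AuthBasic"
    DefaultDoc="Default.asp"
    Path="D:\\CertSrv"
    DontLog="FALSE"
    ContentIndexed="TRUE"
>
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""


def parse_flags(value):
    """Turn a metabase flag string such as 'AccessRead | AccessScript' into a set."""
    return {f.strip() for f in value.split("|") if f.strip()}


def find_vdir(xml_text, location):
    """Return the attributes of the IIsWebVirtualDir element at `location`.

    The metabase uses a default XML namespace, so match on the local tag name.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "IIsWebVirtualDir" and el.get("Location") == location:
            return el.attrib
    raise LookupError("no IIsWebVirtualDir at %s" % location)


def audit_certsrv(xml_text, location=CERTSRV_LOCATION):
    """Return a list of findings (empty means the checklist is satisfied).

    Settings inherited from the site are not written at the vdir node; the
    defaults assumed for absent attributes are the IIS 6 defaults.
    """
    attrs = find_vdir(xml_text, location)
    findings = []
    access = parse_flags(attrs.get("AccessFlags", ""))
    ssl = parse_flags(attrs.get("AccessSSLFlags", ""))
    auth = parse_flags(attrs.get("AuthFlags", ""))

    # Section 2: Read + Scripts only, Log visits on, Index this resource on.
    extra = access - {"AccessRead", "AccessScript"}
    if extra:
        findings.append("permissions: unexpected flags %s" % ",".join(sorted(extra)))
    if not {"AccessRead", "AccessScript"} <= access:
        findings.append("permissions: AccessRead and AccessScript are both required")
    if attrs.get("DontLog", "FALSE").upper() != "FALSE":
        findings.append("permissions: Log visits is disabled (DontLog=TRUE)")
    if attrs.get("ContentIndexed", "TRUE").upper() != "TRUE":
        findings.append("permissions: Index this resource is disabled")

    # Section 3: secure channel required, client certificates ignored.
    if "AccessSSL" not in ssl:
        findings.append("ssl: Require Secure Channel (AccessSSL) is not set")
    if ssl & {"AccessSSLNegotiateCert", "AccessSSLRequireCert"}:
        findings.append("ssl: client certificates are not ignored")

    # Section 4: anonymous off, some authenticated method on, Basic only with SSL.
    if "AuthAnonymous" in auth:
        findings.append("auth: anonymous access is enabled")
    if not auth & {"AuthBasic", "AuthNTLM", "AuthMD5", "AuthPassport"}:
        findings.append("auth: no authenticated access method is enabled")
    if "AuthBasic" in auth and "AccessSSL" not in ssl:
        findings.append("auth: Basic authentication without SSL sends passwords in clear text")

    # Section 5: content moved off the system directory.
    path = attrs.get("Path", "")
    if path.lower().startswith(SYSTEM_PATH_PREFIX):
        findings.append("path: content still under the system directory (%s)" % path)

    # Section 6: Default.asp is the only default document.
    docs = [d.strip() for d in attrs.get("DefaultDoc", "").split(",") if d.strip()]
    if docs != ["Default.asp"]:
        findings.append("documents: default documents are %s, expected Default.asp only" % docs)
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_certsrv(sample) or "OK")
```

To run it against a real server, read a copy of %SystemRoot%\system32\inetsrv\MetaBase.xml (or an export made with the IIS Manager's Save Configuration to a File) and pass its contents to audit_certsrv. The constructed "before" sample yields five findings (extra Write permission, no SSL requirement, anonymous access, content on the system directory, and a long default-document list); the "after" sample yields none.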