IIS and Server: Securing
1. Securing Certificate Services. After installing the
Certificate Services Web Enrollment Support a virtual directory named
CertSrv is created under the default website. This virtual directory
will be the entry point for the web enrollment component and must be
secured. Using virtual directories you are able to publish multiple web
sites using one server and IP address. This creates another entry point
that must be secured.
2. General Permissions. There should only be a select number of
general permissions enabled to ensure users have limited access to
certsrv but can still complete their tasks.
Open the IIS Manager and navigate to the Default Web Site, which is
where you will find the CertSrv virtual directory Right click CertSrv
and select Properties.
Select the Virtual Directory tab if it is not already selected. Check
that only the read, log visits, and index this resource are the only
general permissions selected under the Local Path section. Then check
that Scripts only is selected for Execute Permissions under the
Application Settings and click Apply.
3. Configuring SSL Options. You have the ability to require SSL
for every site your web server is hosting or just for particular sites.
This will ensure that all information transmitted while using the
certificate services web enrollment is encrypted. To configure your
certificate services to only use SSL open the CertSrv Properties through
the IIS Manager and open CertSrv properties if it is not open.
Select the Directory Security tab and click the Edit button under the
Secure Communications section.
Select Require Secure Channel (SSL). You can also require 128 bit
encryption, however, older browsers, and browsers distributed in
countries where US export restrictions still apply, may not support 128
bit encryption and will not be able to connect. If this option is not
selected older browsers will fall back to lower levels of encryption,
which are no longer deemed secure. Check that Ignore Client Certificates
is selected and click OK to apply the changes.
4. Configuring Basic Authentication. By default anonymous
authentication is configured for web enrollment. It is recommended that
you disable anonymous authentication and configure another
authentication mode, which will prevent any user from submitting a
request. This will help you avoid unneeded administrative tasks dealing
with certificates. It is best to use the methods that will encrypt the
users credentials, which are Integrated Windows, Digest, and .Net
To setup the Certificate Services web enrollment to use Basic
Authentication, where information is sent in plain text open the
properties for CertSrv. Selection the Directory Security tab where you
will click the Edit button under Authentication and Access Control.
Disable Anonymous Access and Select Basic Authentication. IIS will
provide a warning stating the vulnerability of clear text passwords and
you must click Yes to continue. You can leave the Default Domain and
Realm blank IIS will use the name of the local machine. The default
Domain specifies the domain against which the user's credentials will be
checked if the user does not supply a domain name when prompted. Click
OK to apply the changes.
5. Moving CertSrv. The default installation directory for CertSrv
is C:/%WINDOWS%/system32/certsrv, which should be moved to another
partition or hard drive in order to restrict access to sensitive data.
Copy the certsrv directory and past it into a different partition or
hard drive. Then open the properties window for CertSrv through the IIS
Manager. Select the Virtual Directory tab and change the local path to
the new partition or hard drive to where you moved CertSrv. Click Apply
to apply the setting chagnes.
6. Change Document Types. There will be a number of default
document types that CertSrv is set up to look for when a user makes an
initial connection. Changing this will ensure that only the correct page
is found when a user connects. The only document that is required is
Default.asp, the rest can be removed.
In the properties window select the Documents tab and remove all content
except Default.asp. Click Apply to apply the setting and OK to
close the properties window.