[This is preliminary documentation and subject to change]

Using the New Security Task Wizards

Internet Information Services now comes with three new security task wizards that simplify most of the security tasks necessary to maintain a secure Web site. You can use the Web Server Certificate Wizard to manage Secure Sockets Layer (SSL) features in IIS and server certificates. Certificates are used in negotiating a secure link between your server and a user's browser. You can use the CTL Wizard to manage certificate trust lists (CTLs). Certificate trust lists are lists of trusted certification authorities for each Web site or virtual directory. You can use the Permissions Wizard to assign Web and NTFS access permissions to Web sites, virtual directories, and files on your server.

About the Wizards

The Certificate, CTL, and Permissions wizards perform many of the tasks formerly done directly in the IIS snap-in. With the exception of the Permissions Wizard, these functions are no longer accessible in the IIS snap-in itself; you reach them through the wizards.

The Web Server Certificate Wizard

Obtaining, configuring, and renewing server certificates can now all be done through one interface, the Web Server Certificate Wizard. The wizard detects whether a server certificate is already installed and whether it is about to expire. You can use the wizard to create a certificate request; to replace the server certificate with another one obtained from a certification authority (CA), from an online CA such as Microsoft Certificate Services, or from a file previously obtained in Key Manager; to reassign a certificate from one Web site to another; and to view certificates.

When creating a new certificate, the Web Server Certificate Wizard allows you to choose the strength of encryption, the type of certificate, and a cryptographic service provider for your certificate.

Note    Online requests for server certificates can only be made to local and remote Enterprise Certificate Services and remote Stand-alone Certificate Services. The IIS Web Server Certificate Wizard does not recognize a stand-alone installation of Certificate Services on the same computer when requesting a certificate. To get around this, use the offline certificate request to save the request to a file and then process it as an offline request (see the Certificate Services documentation).

Note    If you are not using an online certification authority, you will need to save the request file generated by the Web Server Certificate Wizard to disk and send it to the CA. When the response is received, you can start the wizard and it will resume where it left off. If you are replacing a certificate, IIS will continue to use the old certificate until the new request is completed. For a list of certification authorities supporting Internet Information Services, see Obtaining a Server Certificate.

The CTL Wizard

You can use the CTL Wizard to create and configure certificate trust lists (CTLs). A CTL is a list of trusted certification authorities (CAs) for a particular Web site. By configuring your CTL, you can accept client certificates issued by one CA while rejecting those issued by another. CTLs are especially useful for Internet Service Providers (ISPs) who host several Web sites on one server and need a different list of approved certification authorities for each site. CTLs are available only at the Web site level and are not available for FTP sites.

The Permissions Wizard

The Permissions Wizard takes a scenario-driven approach to setting up Web and FTP permissions, NTFS access permissions, and authentication schemes. Rather than configuring each area through a separate user interface, you select the scenario that most closely resembles your site's needs and the wizard sets all of the access permissions and authentication schemes for you. A major advantage of this approach is that the wizard ensures that Web (or FTP) and NTFS permissions are properly coordinated and that the correct authentication scheme is used. All of the settings can still be changed in the IIS snap-in. The scenarios are:

  1. Public Web Site. This is the most common configuration, in which the information on the site is intended for public consumption over the Internet. It uses anonymous authentication and allows users to view all files and access Active Server Pages applications on your Web server. It also gives administrators complete control over the site.
  2. Secure Web Site. This configuration is used for corporate extranets, which are intranets accessed over the Internet. Information on the site is intended for restricted consumption. It uses Basic, Digest, or integrated Windows authentication. It allows only authorized users to view all files and access Active Server Pages applications on your Web server. It also gives administrators complete control over the site.

Note    If you choose to inherit all security settings when running the Permissions Wizard, customers might be denied access to the Web site. To correct this, open the Home Directory property sheet for the Web site and select Read and Scripts only permissions. When prompted, have all virtual directories and files inherit these settings.
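The two scenarios above, and the note about inherited settings, describe one consistency rule: Web permissions, NTFS permissions, and the authentication scheme must agree with each other. The checker below is an added example, not code from the IIS documentation or from Microsoft; it encodes what the page says each scenario should look like and reports where a given configuration departs from it. The principal names (IUSR_WEBSRV, WebUsers, Administrators), the right names, and the sample configurations in the test are constructed for illustration and are not read from a live metabase.

```python
from dataclasses import dataclass

# Constructed sample identities (assumptions, not taken from the page).
ANON_ACCOUNT = "IUSR_WEBSRV"   # account that anonymous requests run as
AUTH_GROUP = "WebUsers"        # group holding the authorized users of a secure site
ADMIN_GROUP = "Administrators" # the page says administrators get complete control

# What each wizard scenario is described as producing, written as setting names.
SCENARIOS = {
    "public": {"web": {"Read", "Script"}, "auth": {"Anonymous"}, "reader": ANON_ACCOUNT},
    "secure": {"web": {"Read", "Script"},
               "auth": {"Basic", "Digest", "IntegratedWindows"}, "reader": AUTH_GROUP},
}
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}   # NTFS rights that allow changing content


@dataclass
class SiteConfig:
    web: set    # Web (IIS) access permissions set on the home directory
    auth: set   # authentication schemes enabled for the site
    ntfs: dict  # NTFS ACL on the content folder: principal -> set of rights


def has_read(rights):
    """Modify and Full Control imply Read on NTFS."""
    return bool(rights & {"Read", "Modify", "FullControl"})


def audit(cfg, scenario):
    """Return a list of findings; an empty list means cfg matches the scenario."""
    want = SCENARIOS[scenario]
    findings = []

    # Web permissions: Read and Scripts only (the fix the note above prescribes).
    extra = cfg.web - want["web"]
    if extra:
        findings.append(f"web permissions beyond Read and Scripts: {sorted(extra)}")
    if not want["web"] <= cfg.web:
        findings.append("web permissions must include Read and Scripts")

    # Authentication scheme must match the scenario.
    if scenario == "public" and cfg.auth != {"Anonymous"}:
        findings.append("public site should use anonymous authentication only")
    if scenario == "secure":
        if "Anonymous" in cfg.auth:
            findings.append("anonymous authentication is enabled on a secure site")
        if not cfg.auth & want["auth"]:
            findings.append("secure site enables no Basic, Digest or integrated Windows scheme")

    # NTFS must be coordinated with the Web permissions: the identity that
    # requests run as needs Read, otherwise Web Read alone serves nothing.
    reader = want["reader"]
    if not has_read(cfg.ntfs.get(reader, set())):
        findings.append(f"NTFS grants no Read to {reader}; Web Read alone will not serve content")
    if scenario == "secure" and cfg.ntfs.get(ANON_ACCOUNT):
        findings.append(f"NTFS still grants {ANON_ACCOUNT} rights on a secure site")
    for principal, rights in cfg.ntfs.items():
        if principal != ADMIN_GROUP and rights & WRITE_RIGHTS:
            findings.append(f"{principal} can write to content: {sorted(rights & WRITE_RIGHTS)}")
    if "FullControl" not in cfg.ntfs.get(ADMIN_GROUP, set()):
        findings.append(f"{ADMIN_GROUP} lacks Full Control")
    return findings


if __name__ == "__main__":
    # Constructed sample: a public site whose content folder also lets the
    # anonymous account write, and which has Web Write switched on.
    sample = SiteConfig({"Read", "Script", "Write"}, {"Anonymous"},
                        {ANON_ACCOUNT: {"Read", "Write"}, ADMIN_GROUP: {"FullControl"}})
    for line in audit(sample, "public"):
        print("-", line)
```

Run it against a description of your own site and compare the findings with the two scenarios before or after running the wizard; a configuration that produces no findings for its intended scenario is the state the page describes the wizard as creating.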

Accessing the Wizards

To access the Web Server Certificate Wizard and the CTL Wizard from the IIS snap-in:

  1. Select a site, directory, or file, and open its property sheets.
  2. On the Directory Security property sheet, under Secure Communications, click Server Certificate to open the Web Server Certificate Wizard and change settings for your certificates.
  3. On the Directory Security or File Security property sheet, under Secure Communications, click Edit. Under Enable certificate trust list, click either New or Edit to open the CTL Wizard and change settings for your certificate trust lists.

To access the Permissions Wizard from the IIS snap-in:

  1. Choose the Web or FTP site and click the Action menu.
  2. From the list, point to All Tasks and then click Permissions Wizard.

Note    Use the following guidelines when assigning IP addresses, Web sites, and SSL ports to your server certificates:


© 1997-2001 Microsoft Corporation. All rights reserved.