General Security Elements
This topic describes the main security elements that are used on a Commerce Server installation: authentication, access control, encryption, auditing, and certificates.
Authentication Overview
Access Control Overview
Certificates Overview
Encryption Overview
Auditing Overview
Authentication Overview
Commerce Server supports seven authentication methods: three authentication methods that Commerce Server provides (Windows Authentication, Custom Authentication and Autocookie), and four authentication methods that Internet Information Services (IIS) provides (Anonymous, Basic, Integrated, and Certificates).
Commerce Server does not know which of the IIS authentication methods take place. When you use any of these authentication methods, except anonymous, Commerce Server can access the Active Server Pages (ASP) environment and programmatically ask for the name of the user (currently logged on) using server request variables.
IIS provides security features that are fully integrated with Windows. Commerce Server supports four IIS authentication methods so that you can confirm the identity of anyone requesting access to your Web sites. These IIS authentication methods are:
Anonymous authentication allows anyone access without asking for a user name or password.
Basic authentication will prompt the user for a user name and password, which are sent unencrypted over the network.
Integrated Windows authentication uses hashing technology to identify your user without actually sending the password over the network.
Certificates are digital credentials that can be used for establishing a Secure Sockets Layer (SSL) connection. They can also be used for authentication.
You can use these methods to grant access to public areas of your site, while preventing unauthorized access to your private files and directories. For more information about these methods, seeĀ IIS Authentication Methods.
Access Control Overview
With NTFS access permissions, the foundation of the security for your Web server, you can define the level of file and directory access granted to Windows users and groups. For example, if a business decided to publish its catalog on your Web server, you would need to create a Windows user account for that business and then configure permissions for the specific Web site, directory, or file. The permissions would enable only the server administrator and the owner of the business to update the content for the Web site. Public users would be allowed to view the Web site, but cannot alter its contents. For more details about setting NTFS permissions, see "Setting NTFS Permissions for a Directory or File" in the IIS 5.0 Documentation.
WebDAV is an extension of the HTTP 1.1 protocol that facilitates file and directory manipulation over an HTTP connection. Through the use of WebDAV "verbs," or commands, properties can be added to and read from files and directories. Files and directories can also be remotely created, deleted, moved, or copied. Additional access control can be configured through both Web server permissions and NTFS. For more information, see "About Access Control" or "WebDAV Publishing" in the IIS 5.0 Documentation.
Certificates Overview
Certificates are digital identification documents that allow both servers and clients to authenticate each other. They are required for both the server and the browser belonging to the client to set up an SSL connection over which encrypted information can be sent. The certificate-based SSL features in IIS consist of a server certificate, a client certificate, and various digital keys. You can create these certificates with Microsoft Certificate Services or obtain them from a mutually trusted, third-party organization called a certification authority (CA). For more information about setting up certificates and keys, see "Setting Up SSL on Your Server" in the IIS 5.0 Documentation.
Server Certificates
Server certificates provide a way for users to confirm the identity of your Web site. A server certificate contains detailed identification information, such as the name of the organization affiliated with the server content, the name of the organization that issued the certificate, and a public key used in establishing an encrypted connection. This information helps to assure users of the authenticity of Web server content and the integrity of the secure HTTP connection.
Client Certificates
With SSL, your Web server also has the option of authenticating users by checking the contents of their client certificates. A typical client certificate contains detailed identification information about a user and the organization that issued the certificate and a public key. You can use client certificate authentication, along with SSL encryption, to implement a highly secure method for verifying the identity of your users.
Encryption Overview
You can enable users to exchange private information with your server, such as credit card numbers or phone numbers, in a secure way by using encryption. Encryption "scrambles" the information before it is sent, and decryption "unscrambles" it after it is received. The foundation for this encryption in IIS is the SSL 3.0 protocol, which provides a secure way of establishing an encrypted communication link with users. SSL confirms the authenticity of your Web site and, optionally, the identity of users accessing restricted Web sites.
Certificates include keys used in establishing an SSL secure connection. A key is a unique value used to authenticate the server and the client in establishing an SSL connection. A public key and a private key form an SSL key pair. Your Web server uses the key pair to negotiate a secure connection with the Web browser to determine the level of encryption required for securing communications.
For this type of connection, both your Web server and the Web browser must be equipped with compatible encryption and decryption capabilities. During the exchange an encryption, or session, key is created. Both your server and the Web browser use the session key to encrypt and decrypt transmitted information. The degree of encryption, or strength, of a session key is measured in bits. The greater the number of bits comprising the session key, the greater the level of encryption and security. Although these greater encryption key strengths offer greater security, they also require more server resources to implement. The session key of your Web server is typically 40 bits long, but can be 128 bits long depending upon the level of security you require.
You can use Commerce Server to generate new encryption keys. For information, seeĀ Generating a New Encryption Key.
Auditing Overview
You can use security auditing techniques to monitor a broad range of user and Web server security activity. It is recommended that you routinely audit your server configuration to detect areas where resources may be susceptible to unauthorized access and tampering. You can use the integrated Windows utilities, or the logging features built into IIS 5.0, or use ASP applications to create your own auditing logs. For more information, see "Auditing" in the IIS 5.0 Documentation.