SSL/TLS Scenarios

Applies To: Windows Server 2003 with SP1

Many people think of SSL and TLS as protocols used with Web browsers for securely browsing the Internet. However, these are also general purpose protocols that can be used whenever authentication and data protection are necessary. The following examples depict a few uses of SSL/TLS today. This is not an exhaustive list. In fact, the ability to access these protocols through the SSPI interface means that anyone can take advantage of them for just about any application. Many applications are being modified to take advantage of the features of SSL/TLS.

Secure transaction with an e-commerce Web site. This is a typical use of SSL between a browser and a Web server. An example is an e-commerce shopping site where clients need to furnish their credit card numbers. The protocol would first confirm that the Web site’s certificate was valid and then send the client’s credit card information as cipher text. For this type of transaction, where the server’s certificate is from a trusted source, only server-side authentication occurs. SSL/TLS would need to be enabled for the Web page, such as an order form, where the data transactions occur.

Authenticated client access to a secure Web site. Both the client and server need certificates from a mutually trusted CA. With Schannel, client certificates can be mapped on a one-to-one or many-to-one basis to their Windows Server 2003 user or computer accounts and can be managed by Active Directory Users and Computers. This is invisible to the users, who can be authenticated to a Web site without needing to supply a password.

If you want to give several users access to confidential material, you can create a group, map the users’ certificates to the group, and give the group permissions to the material.

In one-to-one mapping, the server has a copy of the client’s certificate; whenever the client logs in, the server verifies that they are identical. This one-to-one mapping is typically used for private material, such as a banking site where only one individual has the right to view a personal account.
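A small model of the two mapping styles described above, added here as an example; it is not part of this page or of Schannel's own code. The certificate fields, the Contoso account names and the placeholder DER bytes are constructed assumptions. It also shows the edge case the text implies: a renewed certificate (same subject, new encoding) is no longer identical to the server's copy, so it misses the one-to-one mapping and only matches a many-to-one rule if one covers it.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Certificate:
    """Only the fields the mapping logic needs (constructed model, not an X.509 parser)."""
    subject: tuple      # ((attr, value), ...) e.g. (("CN", "Alice"), ("OU", "Finance"))
    issuer: str         # distinguished name of the issuing CA
    der: bytes          # encoded certificate; placeholder bytes stand in for real DER here

    def thumbprint(self) -> str:
        # Windows identifies a specific certificate by the SHA-1 of its DER encoding
        return hashlib.sha1(self.der).hexdigest()

class MappingStore:
    """Models Schannel's two mapping styles: exact certificate and rule-based."""
    def __init__(self):
        self.one_to_one = {}    # thumbprint -> account; needs a copy of the client's certificate
        self.many_to_one = []   # (issuer DN, required subject attributes, account or group)

    def add_one_to_one(self, cert: Certificate, account: str) -> None:
        self.one_to_one[cert.thumbprint()] = account

    def add_many_to_one(self, issuer: str, required: dict, account: str) -> None:
        self.many_to_one.append((issuer, required, account))

    def map_certificate(self, cert: Certificate):
        # One-to-one: the presented certificate must be identical to the stored copy.
        account = self.one_to_one.get(cert.thumbprint())
        if account is not None:
            return account
        # Many-to-one: any certificate from the named CA whose subject carries the
        # required attributes maps to the same account (typically a group).
        subject = dict(cert.subject)
        for issuer, required, account in self.many_to_one:
            if cert.issuer == issuer and all(subject.get(k) == v for k, v in required.items()):
                return account
        return None   # unmapped: the client presented a valid certificate but has no Windows account

# Constructed sample data; the "Contoso" names and placeholder DER bytes are assumptions.
CA = "CN=Contoso Issuing CA, O=Contoso"
ALICE = Certificate((("CN", "Alice"), ("OU", "Finance")), CA, b"placeholder-der-alice-2003")
ALICE_RENEWED = Certificate(ALICE.subject, CA, b"placeholder-der-alice-2004")  # same subject, new encoding
BOB = Certificate((("CN", "Bob"), ("OU", "Finance")), CA, b"placeholder-der-bob")
OUTSIDER = Certificate((("CN", "Eve"), ("OU", "Finance")), "CN=Other CA", b"placeholder-der-eve")

STORE = MappingStore()
STORE.add_one_to_one(ALICE, "CONTOSO\\alice")                            # private material, one person
STORE.add_many_to_one(CA, {"OU": "Finance"}, "CONTOSO\\FinanceReaders")  # confidential material, a group
```

Alice's original certificate maps to her own account; her renewed one and Bob's fall through to the Finance group rule, and the certificate from an unrelated CA maps to nothing even though its subject looks right.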

Remote Access. Schannel is used to provide authentication and data protection when users remotely log in to Windows-based systems or networks. Telecommuting is a common use for this technology. Users can more securely access their e-mail or enterprise applications from home or while traveling, reducing the risk of exposure of the information to anyone on the Internet.

SQL Access. Microsoft® SQL Server™ provides the ability for administrators to require authentication of the client when connecting to the server running SQL Server. In addition, either the client or server can be configured to require encryption of the data transferred between them. Very sensitive information, such as financial or medical databases, can be protected to prevent unauthorized access and disclosure of information on the network.

E-mail. Exchange servers can use Schannel to protect data as it moves from server to server on the intranet or Internet. Full end-to-end security might require the use of Secure/Multipurpose Internet Mail Extensions (S/MIME); however, the protection of data in a server-to-server exchange allows companies to use the Internet to securely transfer e-mail among divisions within the same company, subsidiaries, and partners. This can be done regardless of whether S/MIME is used.