Secure Web Sites and Communications

The Web site and browser have become the central mechanisms for open information exchange and collaboration on organizational intranets as well as on the Internet. However, standard Web protocols such as Hypertext Transfer Protocol (HTTP) provide limited security. You can configure most Web servers to provide directory-level and file-level security based on user names and passwords. You can also implement Web security in custom code written for the Common Gateway Interface (CGI) or Active Server Pages (ASP). However, these traditional methods of providing Web security are proving less and less adequate as attacks against Web servers become more frequent and sophisticated.

You can use Internet Information Services (IIS), included with Windows 2000 Server, to provide high levels of security for Web sites and communications using standards-based secure communications protocols and standard X.509 certificates. You can provide the following security for Web sites and communications:

  • Authenticate users and establish secure channels for confidential encrypted communications using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

  • Authenticate users and establish secure channels for confidential encrypted financial transactions using the Server Gated Cryptography (SGC) protocol.

  • Map user certificates to network user accounts to authenticate users and control user rights and permissions for Web resources based on users' possession of valid certificates issued by a trusted certification authority.
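The first and third items above, an SSL/TLS channel in which both the server and the user are authenticated with X.509 certificates, and a mapping from a user's certificate to a network account that then decides what the user may reach, can be shown end to end in a small program. The following Go example is added here for illustration; it is not code from IIS or Windows 2000 and does not use any IIS API. It constructs its own root CA, server certificate and two user certificates in memory, runs a TLS server on loopback, and authorizes requests by one-to-one mapping (the exact certificate, identified by its SHA-256 fingerprint, is mapped to an account). The account name `CORP\alice`, the user names `alice` and `bob`, the path `/secure` and the CA name are constructed placeholders. Server Gated Cryptography is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and certificate for cn. With parent == nil it is self-signed (our
// constructed root CA); otherwise parent signs it, as a CA signs server and user certificates.
func issue(cn string, usage x509.KeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the test server listens on loopback
	}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-sign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// newHandler grants access only when TLS has verified the client certificate against the trusted
// CA and that exact certificate (by SHA-256 fingerprint) is mapped to an account.
func newHandler(mapping map[[32]byte]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		account, ok := mapping[sha256.Sum256(r.TLS.PeerCertificates[0].Raw)]
		if !ok { // trusted by the CA, but not mapped to an account on this site
			http.Error(w, "certificate not mapped to an account", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", account)
	})
}

// get makes one HTTPS request, presenting certs (nil for an anonymous client).
func get(url string, roots *x509.CertPool, certs []tls.Certificate) (int, string) {
	cfg := &tls.Config{RootCAs: roots, Certificates: certs}
	resp := must((&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url + "/secure"))
	defer resp.Body.Close()
	return resp.StatusCode, string(must(io.ReadAll(resp.Body)))
}

// Demo returns the status seen by a mapped user, an unmapped user and an anonymous client.
func Demo() (mapped, unmapped, anon int, body string) {
	ca := issue("Example Root CA", x509.KeyUsageCertSign, nil)
	alice := issue("alice", x509.KeyUsageDigitalSignature, &ca)
	bob := issue("bob", x509.KeyUsageDigitalSignature, &ca)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	mapping := map[[32]byte]string{sha256.Sum256(alice.Leaf.Raw): `CORP\alice`} // constructed account name
	srv := httptest.NewUnstartedServer(newHandler(mapping))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{issue("127.0.0.1", x509.KeyUsageDigitalSignature, &ca)},
		ClientAuth:   tls.VerifyClientCertIfGiven, // any certificate presented must chain to ClientCAs
		ClientCAs:    roots,
	}
	srv.StartTLS()
	defer srv.Close()
	mapped, body = get(srv.URL, roots, []tls.Certificate{alice})
	unmapped, _ = get(srv.URL, roots, []tls.Certificate{bob})
	anon, _ = get(srv.URL, roots, nil)
	return
}

func main() {
	fmt.Println(Demo()) // 200 403 401 hello CORP\alice
}
```

Two points the run makes visible. First, a certificate that chains to the trusted CA proves who the user is, but possession alone is not authorization: `bob` holds a valid certificate and is still refused because nothing maps his certificate to an account, which is exactly the separation the mapping step introduces. Second, `VerifyClientCertIfGiven` is used only so the anonymous case can be answered with a 401 at the application layer; a site that should never serve anonymous clients would use `RequireAndVerifyClientCert` and reject them during the handshake. The example does no revocation checking, so a deployment plan that relies on certificate mapping also needs a way to remove a mapping, or to publish and check revocation, when a user's certificate is lost or the user leaves.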

Considerations for Secure Web Sites

Consider including the following information in your deployment plan:

  • Web sites and user groups to upgrade or migrate to secure Web sites.

  • Strategies for using SSL or TLS to secure Web communications between clients and Web servers.

  • Strategies for using certificate mapping to control user rights and permissions to Web site resources.

  • Certification authority deployment needed to support Web sites.

  • Enrollment process and strategies to enroll users in the secure Web sites program.