Focus on Microsoft
IIS 5 and client certificates Nov 01 2002 10:29PM
Chris Eidem (ceidem Dexma com) (1 replies)
Re: IIS 5 and client certificates Nov 05 2002 06:22AM
Frank Knobbe (fknobbe knobbeits com) (1 replies)
RE: IIS 5 and client certificates Nov 08 2002 12:00PM
Walter Williams (wbjw attbi com)
And unless the app/data is not very important, don't consider this
sufficient. All you are testing for here is was a certificate issued. You
are not testing for validity of the certificate vs a certificate trust list,
nor if the certificate is expired.

> -----Original Message-----
> From: Frank Knobbe [mailto:fknobbe (at) knobbeits (dot) com]
> Sent: Tuesday, November 05, 2002 1:22 AM
> To: Chris Eidem
> Cc: focus-ms (at) securityfocus (dot) com; security-basics (at) securityfocus (dot) com;
> ceidem (at) jafonet (dot) com
> Subject: Re: IIS 5 and client certificates
>
>
> On Fri, 2002-11-01 at 16:29, Chris Eidem wrote:
> > [...]
> > What I've tested:
> >
> > - Anyone with our cert can reach the site with certs ignored or
> > accepted, no surprise.
> >
> > - Anyone with our cert can reach the site with client cert mapping not
> > enabled. Slightly surprising, as I would think that it would default to
> > no one being allowed access.
> >
> > - Anyone with our cert can reach the site with client cert mapping
> > enabled and no 1-to-1 rules. Again surprising.
> >
> > - I added a second cert, and mapped it to a user that was not allowed
> > access to the default.html page. That user was not allowed access, but
> > all other cert holders were allowed access.
> >
> > - I added a Many-to-1 rule denying access to anyone with the following
> > certificate criterion:
> >
> > Issuer CN matches '<root CA text here>'
> >
> > With this enabled, and the local Root CA installed, it matches what I
> > thought that it would do with just the client cert installed.
> >
> >
> >
> > Since all the major CAs have their certificates installed into Windows
> > 2000, IIS recognizes them and I fear that anyone with a valid cert may
> > be able to access a site. [...]
>
>
> Chris,
>
> have you tried *removing* all other root certs from the root CA store of
> the web server, leaving only your own root CA cert in the certificate
> store?
>
> From what I understand, any certificate signed by a trusted root CA (so
> by default, Verisign etc) is accepted, and the CN name used as a
> username for authentication (or via the mapping, remapped to a different
> ID). It seems to me that if you trust only your certificate, you would
> need to reduce the trust in the root CA store to just your root cert.
>
> Regards,
> Frank
>
>

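The two checks the thread converges on (trust only your own root CA, and reject certificates that are expired rather than merely "issued by someone") can be tried out in isolation. The following is an added Go example, not code from this thread or from IIS: it models the server's root CA store as a list of trust anchors fed to Go's crypto/x509 verifier, and builds constructed in-process certificates (names like "Our Root CA" and "outsider" are made up) to show that a client cert from a different trusted root passes when both roots are in the store and fails once only our root remains.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a self-signed CA (parent == nil) or a client cert signed by parent.
// Keys and certificates are constructed on the fly purely for this demonstration.
func mkCert(cn string, ca bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptClientCert chains the presented certificate to the given trust anchors
// (the analogue of the server's root CA store) and checks its validity period
// at `now`. It returns nil only if the cert chains to one of roots and is
// neither expired nor not-yet-valid; a "was it issued by anyone" check it is not.
func acceptClientCert(leaf *x509.Certificate, roots []*x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Pruning the root store is what removes the "any Verisign-issued cert gets in" behaviour; the expiry check comes for free from the verifier's CurrentTime, which the default IIS check described in the thread does not give you.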
Copyright 2008, SecurityFocus