OSEC

From: Chris Eidem (ceidem_at_Dexma.com)
Date: Fri Nov 01 2002 - 16:29:54 CST


    Hello all,

    After working with IIS 5 (Windows 2000 Server, SP3), I've been trying to
    get client certs to work and in doing so, I've noticed a disturbing
    feature. We have our own CA that we use to sign internal certs and the
    Root CA cert is installed in IIS's CTL. A single client cert is set up
    for 1-to-1 mapping on a website. The client cert gets you into the
    website just fine, but, so does any client cert that is signed by our
    Root CA. That's the bad part. I just want to allow a single user with
    a client cert, signed by our CA to connect to a web site.

    I've looked through websites detailing how to set up client certs on
    IIS, and they all say the same thing, turn on SSL, require client certs,
    add the cert and map to a user. Well, that's fine and good, but if I
    have a user that has a Verisign client cert, I just can't let anyone
    with a Verisign cert in.

    After spending some time changing one setting at a time, I've come up
    with a way to allow a single user with a cert, and that is to add a
    subsequent Many-to-1 rule disallowing all access to anyone else with a
    cert signed by our CA. I can't believe that the client mapping is so
    horribly broken in IIS that anyone with a matching cert is allowed in,
    so I'm assuming that I've set it up wrong.

    What I've tested:

    - Anyone with our cert can reach the site with certs ignored or
    accepted, no surprise.

    - Anyone with our cert can reach the site with client cert mapping not
    enabled. Slightly surprising, as I would think that it would default to
    no one being allowed access.

    - Anyone with our cert can reach the site with client cert mapping
    enabled and no 1-to-1 rules. Again surprising.

    - I added a second cert, and mapped it to a user that was not allowed
    access to the default.html page. That user was not allowed access, but
    all other cert holders were allowed access.

    - I added a Many-to-1 rule denying access to anyone with the following
    certificate criterion:

         Issuer CN matches '<root CA text here>'

    With this enabled, and the local Root CA installed, it matches what I
    thought that it would do with just the client cert installed.

    Since all the major CAs have their certificates installed into Windows
    2000, IIS recognizes them and I fear that anyone with a valid cert may
    be able to access a site. To test this, I downloaded a client cert from
    Entrust and added their Entrust Demo CA cert into my cert store on the
    server. I connected to the site and I was prompted with a choice of two
    certs, one signed by our Root CA and one signed by Entrust's Demo CA. I
    got in with the Entrust without any problem. So I added a second
    Many-to-1 rule denying access to anyone with the following criterion:

         Issuer O matches '*'

    This has stopped me from accessing with a valid cert that is publicly
    available.

    Conclusion:

    The websites that are describing the installation and configuration of
    client certificates on IIS are missing a very critical element -- the
    adding of a default deny rule to stop anyone from accessing a site
    requiring client certs with impunity. With the addition of the second
    rule ( Issuer O matches '*' ) into the Many-to-1 it stops leaks in what
    appears to be a poorly defined default condition.

    If I am full of coffee and hope for an early weekend, and my conclusions
    are out of your experience or you see a misconfiguration on my part,
    please tell me. I hate to think that something defaults to such an
    insecure setup.

    And, yes, I am aware of Johan Persson's alert, but I'm not so sure that
    it would have applied to me as I took the advice and installed SP3.
    Again, I hope I just misconfigured IIS.

    Have a good weekend all,
     - chris

    Chris Eidem
    Network Administrator
    Dexma, Inc.
    7701 York Av. S.
    Edina, MN 55435
    Phone: 952.229.1311

    So, Buddha walks into a pizza parlor and asks,
    "Make me one with everything..."
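The behaviour the post describes, as an added example that is not part of the original post and is not IIS code: a small Python model of 1-to-1 and Many-to-1 client-certificate mapping that reproduces the "default allow" the author observed when no rule matches, and then the same rule set with the two Many-to-1 deny rules (Issuer CN matches the root CA, Issuer O matches '*') appended. The rule classes, field names, the sample certificates and the assumption that 1-to-1 rules are evaluated before Many-to-1 rules are constructed here for illustration; the post reports the outcome, not IIS's internal evaluation order.

```python
"""Model of IIS-style client-certificate mapping (constructed example, not IIS code).

Assumptions: 1-to-1 rules match one exact certificate and are checked first;
Many-to-1 rules match wildcard criteria on certificate fields in order; when no
rule matches, the request proceeds anyway (the default-allow the post observed).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ClientCert:
    """The handful of fields the post's rules key on (constructed sample data)."""
    issuer_cn: str
    issuer_o: str
    subject_cn: str
    serial: str


@dataclass(frozen=True)
class OneToOneRule:
    cert: ClientCert   # the exact certificate that was added and mapped
    account: str       # the Windows account it maps to


@dataclass(frozen=True)
class ManyToOneRule:
    criteria: Dict[str, str]    # field name -> wildcard pattern, e.g. {"issuer_o": "*"}
    account: Optional[str]      # None models "refuse access" for matching certs

    def matches(self, cert: ClientCert) -> bool:
        return all(fnmatchcase(getattr(cert, f), pat) for f, pat in self.criteria.items())


ALLOW_DEFAULT = "anonymous"   # unmatched certs still get in, as the post observed
DENIED = "DENIED"


def evaluate(cert: ClientCert, one_to_one: List[OneToOneRule],
             many_to_one: List[ManyToOneRule]) -> str:
    """Return the account the request runs as, or DENIED."""
    for rule in one_to_one:
        if rule.cert == cert:
            return rule.account
    for rule in many_to_one:           # first matching Many-to-1 rule wins
        if rule.matches(cert):
            return DENIED if rule.account is None else rule.account
    return ALLOW_DEFAULT               # the hole: nothing matched, access proceeds


def default_deny_rules(root_ca_cn: str) -> List[ManyToOneRule]:
    """The two deny rules the post ended up with; the second subsumes the first."""
    return [
        ManyToOneRule({"issuer_cn": root_ca_cn}, None),   # Issuer CN matches '<root CA>'
        ManyToOneRule({"issuer_o": "*"}, None),           # Issuer O matches '*'
    ]


# Constructed sample certificates: two from the internal CA, one from a public demo CA.
ALICE = ClientCert("Internal Root CA", "Example Corp", "alice", "01")
BOB = ClientCert("Internal Root CA", "Example Corp", "bob", "02")
ENTRUST_DEMO = ClientCert("Entrust Demo CA", "Entrust", "someone", "1234")

ONE_TO_ONE = [OneToOneRule(ALICE, "webuser")]       # only Alice's cert is mapped
DENY_ALL = default_deny_rules("Internal Root CA")


def report(many_to_one: List[ManyToOneRule]) -> Dict[str, str]:
    """Outcome per certificate holder for a given Many-to-1 rule set."""
    return {c.subject_cn: evaluate(c, ONE_TO_ONE, many_to_one)
            for c in (ALICE, BOB, ENTRUST_DEMO)}


if __name__ == "__main__":
    print("without deny rule:", report([]))        # bob and the Entrust cert get in
    print("with deny rules:  ", report(DENY_ALL))  # only alice gets in
```

Note that the rule ordering is what makes the fix work in this model: if the wildcard deny rule were evaluated before the 1-to-1 mapping it would lock out the mapped user too, which is worth checking on the real server before relying on the deny rule in production.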