WYSIWYG

http://kufli.blogspot.com
http://github.com/karthik20522

Tuesday, December 25, 2007

IIS 7.0 SSL using Self-Signed Certificates

While developing a website for a friend of mine, he recommended that I use SSL, since he was expecting sensitive information to be POSTed. So we were brainstorming various options, like buying an authenticated SSL certificate (Verisign) or using OpenSSL to generate a personal SSL certificate, but we ended up using the IIS 7 Self-Signed Certificate feature. I have got to admit that the IIS 7 feature list is definitely a giant leap for quick web development and deployment! Anyway, the following are some simple steps to set up SSL using IIS 7:

1) Certificates are managed in IIS 7 by clicking the root machine node, and then selecting the "Server Certificates" icon in the feature pane.

2) Double-click "Server Certificates" (or click "Open Feature"), then click the "Create Self-Signed Certificate" link on the right-hand side of the admin tool. In the new certificate interface, type in a name for your new SSL certificate.

3) To enable SSL on your website, select the website node, click the "Bindings" link in the "Actions" pane on the right-hand side of the screen, and click the "Add" button. In the "Add Binding" dialog, add HTTPS protocol support and select the self-signed certificate created earlier from the SSL certificate drop-down list.

4) To test whether SSL is working, open your website (IE/Firefox) and you should be prompted with a "Security Certificate" warning message. I guess this is some sort of anti-phishing check. Remember to use "https" and not "http".

5) You can view your SSL certificate in the lower-right corner of your browser.


SSL on IIS 7 is as simple as above. GO MICROSOFT!!


IIS 7.0 HTTP Compression

While poking around with IIS 7, I stumbled upon how easy it was to set up HTTP compression for both static files and dynamic responses. One of the advantages of compressing static files on IIS 7 is that the compressed output can be cached, so all requests for the static file are served from the cache. Dynamic responses, by contrast, have to be compressed on the fly (a performance hit on the server CPU).
To enable static compression, do the following:
1) By default, the 'Compression' feature was not installed on my IIS, so I had to navigate to "Performance Features" under Windows Features in Control Panel and select "Static Content Compression".

2) Now, to enable compression for your site, follow these steps:
a. Open IIS Manager and navigate to the level you want to manage.
b. In Features View, double-click Compression.

c. On the Compression page, select the box next to Enable static content compression.

d. Click Apply in the Actions pane.

3) To verify that static compression is working, I used Firebug (a plugin for Firefox) and checked the response headers.


IIS 7.0 Basic Authentication (Webserver security)

While working on my friend's website, I was asked to provide some sort of authorization feature for his personal video and picture directory/web page. So while looking into the IIS 7 feature list, I decided to use the "Basic Authentication" feature to provide a very simple authorization mechanism.

Basic authentication prompts the user to enter a valid user name and password to access content. It seems to work in all major browsers and also behind firewalls and proxy servers, which made it a good choice for restricting access to some, but not all, content on a server. However, the disadvantage of this authentication feature is that it transmits unencrypted passwords across the network!!

* Before we go into the typical setup, we need to make sure Basic Authentication is enabled on IIS. To install Basic Authentication, go to "Windows Features On/Off" in Control Panel and enable it manually.



* To create an authenticated account on the server, go to Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users, then right-click and create a "New User".



* Once the new account is created, we need to give this user permission to the specific web folder. Go to the web folder, right-click it and choose "Properties", navigate to the Security tab, click Edit Permissions and then click "Add" users. In the popup window, enter the new user name and click "Check Names" to auto-populate the user name.



* Now open up IIS 7 and drill down to the web folder that requires authentication. In the folder's feature window, open the Authentication feature and enable Basic Authentication, as shown in the screenshot below.





Voilà... That's it. Access to the web directory now prompts for a user name and password.
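Because Basic authentication sends the password unencrypted, a protected folder should also require the HTTPS binding set up in the SSL post above. The following check is an added example, not code from the original post: it scans IIS 7 configuration in the shape of applicationHost.config `<location>` blocks and reports folders where Basic authentication is enabled but SSL is not required. The sample paths and the function names are constructed for illustration, and it assumes the settings live in `<location>` blocks (web.config overrides are not read).

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like <location> blocks in IIS 7 applicationHost.config.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/videos">
    <system.webServer><security>
      <authentication><basicAuthentication enabled="true" /></authentication>
    </security></system.webServer>
  </location>
  <location path="Default Web Site/pictures">
    <system.webServer><security>
      <authentication><basicAuthentication enabled="true" /></authentication>
      <access sslFlags="Ssl" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/pictures/raw">
    <system.webServer><security><access sslFlags="None" /></security></system.webServer>
  </location>
</configuration>"""

def nearest(settings, path):
    """Value set on this path or its closest ancestor location, else None."""
    parts = path.split("/")
    while parts:
        key = "/".join(parts)
        if key in settings:
            return settings[key]
        parts.pop()
    return None

def basic_auth_without_ssl(config_xml):
    """Return location paths where Basic auth is enabled but HTTPS is not required."""
    basic, ssl_flags, paths = {}, {}, []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        paths.append(path)
        for el in loc.iter("basicAuthentication"):
            basic[path] = el.get("enabled", "false").lower() == "true"
        for el in loc.iter("access"):
            ssl_flags[path] = el.get("sslFlags", "None")
    findings = []
    for path in paths:
        flags = {f.strip() for f in (nearest(ssl_flags, path) or "None").split(",")}
        # Simplification: only the "Ssl" flag is treated as requiring HTTPS.
        if nearest(basic, path) and "Ssl" not in flags:
            findings.append(path)
    return findings

if __name__ == "__main__":
    for p in basic_auth_without_ssl(SAMPLE_CONFIG):
        print("Basic auth without required SSL:", p)
```

The "pictures/raw" folder is reported because it inherits Basic authentication from its parent while resetting sslFlags to "None".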
