#1
I am stuck, a web designer with remote access to the server running WinNT2000 and IIS and not much tech support on the IIS end. Just set up a secure site that gives an error 404. I know the certificate is there - I can see it under Directories Security.
The properties are set to everyone read, scripts and executables are turned on and generally everything looks like it does for a normal web page. Is there something special to do for a secure site (besides typing in https)? Thanks a million if you can help. Kind Regards
#2
Is the server set up to accept secure connections? I don't know much about IIS, but I know that in Apache, you have to set up the config to point connections for SSL to a given docroot. If you don't, you'll get an error. Seems like maybe something similar's happening on your end. If the server doesn't know where to send SSL connections, it can't serve the pages.
#3
Thanks dhouston - the page finally came up - unfortunately I can't relay any great knowledge - just started clicking different options until something happened... Now the big question -- the client wants a formmail reply from that site to be mailed to him encrypted. Ha. I think it's impossible. Any ideas?
#5
If you were on a Linux platform, I could hook you right up by suggesting that you investigate piping formmail output to the gnupg program, which would encrypt the data in a format that can be unencrypted by PGP. Surely there's a comparable utility for the Windows platform. I believe the PGP project is currently dead, but you might look around for apps (try sourceforge.net) that from a Windows platform can receive data and encrypt it in this format without any manual user interaction. I also would think that Windows/IIS might have its own built-in tools for handling this sort of thing.
Of course you know that you should never send credit card numbers through email that's not encrypted, and you should even try to avoid sending them encrypted.
#6
Thanks for the pointers. I will continue reading all this stuff. on how to install PGP on the WinNT server? It's a sendmail program, not blat, that's all I know.
Should I consider saving the form output on the server and having the client manage it that way or is that non-secure also?
#7
Saving sensitive data in plain text on the server is almost as dangerous as sending it via email, and possibly more so, depending on where you save it and what the permissions on the files are. The process for handling sensitive data should be roughly as follows:
1. Retrieve input from form POST.
2. Validate input for bogus results.
3. Encrypt any sensitive data.
4. Save results to a file, send them by email, or stick them in a database, with the sensitive stuff encrypted.
5. Delete any sensitive session vars, temp files, etc.
Typically using Apache and whatever programming language I'm in the mood to use at the time, I read my input, pipe the sensitive parts to the system command "gnupg," encrypting the data to the appropriate email address (so it can be decrypted upon receipt), and then pipe the reformatted data to sendmail or into a database. I'm not sure how you'd emulate that in the GUI world of MS. Surely there's some executable or VB/ASP command that'll do the trick of encrypting for you. I'd start there first.
Ok, I've done a smidgin of legwork for you. Try these links. If they don't give you what you need, go a'googling and see what you can find:
http://www.itech.net.au/asptools/ASPPGP.htm
http://www.support.hostinguk.net/faq/pgpencrypt.htm
http://www.codeproject.com/useritem....asp?print=true
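The five-step flow from post #7, as an added example that is not part of the original thread or any poster's code. Assumptions: the form field names are hypothetical, GnuPG is installed as `gpg` with the site owner's public key imported and trusted, and a `sendmail` binary is on the PATH.

```python
import re
import subprocess
from email.message import EmailMessage

SENSITIVE = ("card_number",)  # hypothetical name of the field to encrypt

def luhn_ok(number: str) -> bool:
    """Checksum that rejects mistyped or made-up card numbers."""
    digits = [int(c) for c in number][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def validate(form: dict) -> dict:
    """Step 2: reject bogus input before anything is stored or mailed."""
    clean = {k: str(v).strip() for k, v in form.items()}
    # \s excludes CR/LF, so a value carrying extra mail headers is refused.
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", clean.get("email", "")):
        raise ValueError("bad email address")
    card = re.sub(r"[ -]", "", clean.get("card_number", ""))
    if not (re.fullmatch(r"[0-9]{13,19}", card) and luhn_ok(card)):
        raise ValueError("bad card number")
    clean["card_number"] = card
    return clean

def gpg_encrypt(plaintext: str, recipient: str) -> str:
    """Step 3: pipe the secret to gpg on stdin (no temp file, not in argv)."""
    # check=True raises if gpg fails, so there is no fallback to plaintext.
    result = subprocess.run(
        ["gpg", "--batch", "--armor", "--encrypt", "--recipient", recipient],
        input=plaintext.encode(), capture_output=True, check=True)
    return result.stdout.decode("ascii")

def build_mail(form: dict, owner: str, encrypt=gpg_encrypt) -> EmailMessage:
    """Steps 1-5: raw form in, message with only encrypted secrets out."""
    clean = validate(form)
    # pop() drops the plaintext from the working copy once it is encrypted.
    secret = "\n".join(f"{k}: {clean.pop(k)}" for k in SENSITIVE)
    msg = EmailMessage()
    msg["To"], msg["Subject"] = owner, "Form submission"
    msg["Reply-To"] = clean["email"]
    body = "\n".join(f"{k}: {v}" for k, v in sorted(clean.items()))
    msg.set_content(body + "\n\n" + encrypt(secret, owner))
    return msg

def send(msg: EmailMessage) -> None:
    """Step 4: hand the finished message to the local sendmail binary."""
    subprocess.run(["sendmail", "-t", "-oi"], input=msg.as_bytes(), check=True)
```

The `encrypt` parameter lets the same flow be exercised with a stand-in, or pointed at whatever PGP-compatible component the Windows host provides.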
#8
You are very kind.
I will get on this. FYI I did get a reply back from PGP and they say "It sounds like you are looking for something automated. PGP has to be done manually. There is no command line feature currently."
#9
ASP PGP Components (These will allow you to encrypt emails on the fly - i.e. automatically)
http://www.aspencrypt.com/ (component)
http://www.itech.net.au/asptools/ASPPGP.htm (component)
http://www.15seconds.com/issue/011002.htm (tutorial)
Is emailing the data really required? Locking down a machine and using SSL over HTTP is a fairly secure solution, which I'd opt for over emailing any day.
#10
Stumpy - what is 'locking down a SSL' ?
#11
Surfergirl, I believe stumpy simply means that securing the data by transmitting your results over an SSL socket should be sufficient security. I'm not sure that answer really addresses the question, though. Using SSL over HTTP is great for collecting the data; what you're trying to do is to send it to the site owner, and SSL/HTTP won't help you any in this task unless you build a back-end application for retrieving the results.
#12
Spot on dhouston - I was referring to building a backend (a website hosted on the machine that allows the owner and any other authorised users to view/manipulate data). That is unless of course, the site owner actually requires the data on their home machine, for example. What exactly are you building?
Locking down a machine is basically a series of steps one takes to make a machine as secure as possible. For a Win2K box, this includes ensuring all patches are installed, IP filtering is set up correctly, all non-essential services are stopped and uninstalled if possible, group policies are tightened, the machine is on a secure network, and behind a correctly configured firewall. My reasoning behind my backend suggestion is that everything I've written above is useless unless the same steps are followed on ALL the users' machines who will be receiving the emailed data. Emailing data out (encrypted or otherwise) essentially allows cracks to appear in your security, and large ones at that.
#13
Thanks stumpy - It's private info thru a formmail. I have a programmer that will customize the CGI but after reading the lock-down scenario I believe my next step is looking for a new host running Unix or equiv.
Viewing: Dev Articles Community Forums > Web Design > Web Server Configuration > IIS and SSL