Dell 2003 R2 x64 Edition Administration Guide, page 54

Although authentication is similar to conventional forms of identification, certificates enable Web
servers and users to authenticate each other before establishing a connection to create more secure
communications. Certificates also contain encryption values, or keys, that are used in establishing an
SSL connection between the client and server. Information, such as a credit card number, sent over
this connection is encrypted so that it cannot be intercepted and used by unauthorized parties.

Two types of certificates are used in SSL, and each type has its own format and purpose:
  • Client certificates—Contain personal information about the clients requesting access to your site,
    which allows you to positively identify them before allowing them access to the site.
  • Server certificates—Contain information about the server, which allows the client to positively
    identify the server before sharing sensitive information.

Server Certificates
To activate your Web server's SSL 3.0 security features, you must obtain and install a valid server
certificate. Server certificates are digital identifications containing information about your Web server
and the organization sponsoring the server's Web content. A server certificate enables users to
authenticate your server, check the validity of Web content, and establish a secure connection.
The server certificate also contains a public key, which is used in creating a secure connection between
the client and server.
The success of a server certificate as a means of identification depends on whether the user trusts the
validity of information contained in the certificate. For example, a user logging on to your company's
website might be hesitant to provide credit card information, despite having viewed the contents of your
company's server certificate. This might be especially true if your company is new and not well known.
For this reason, certificates are sometimes issued and endorsed by a mutually trusted, third-party
organization, called a Certification Authority. The certification authority's primary responsibility is
confirming the identity of those seeking a certificate, thus ensuring the validity of the identification
information contained in the certificate.
Alternatively, depending on your organization's relationship with its website users, you can issue your
own server certificates. For example, in the case of a large corporate intranet handling employee payroll
and benefits information, corporate management might decide to maintain a certificate server and
assume responsibility for validating identification information and issuing server certificates.
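
The trust decision described above, sketched with the OpenSSL command-line tool as an added example (it is not part of the Dell guide, which does not mention OpenSSL): a server certificate issued by an internal CA is accepted only by clients that already trust that CA. All names, subjects and lifetimes are constructed.

```shell
#!/bin/sh
# Constructed demo: every name, subject and lifetime here is made up.
# Assumes the OpenSSL command-line tool is installed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a key and a self-signed certificate. $1 = file prefix, $2 = subject.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a server certificate signed by a CA. $1 = prefix, $2 = subject, $3 = CA prefix.
issue_from_ca() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$1.csr" -days 30 \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The client's decision: accept a certificate only if it chains to a CA the
# client already trusts. $1 = certificate prefix, $2 = trusted CA prefix.
client_check() {
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>/dev/null |
        grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

make_self_signed corp-ca    "/O=Example Corp/CN=Example Corp Internal CA"
make_self_signed other-ca   "/O=Other Org/CN=Other Root CA"
issue_from_ca    payroll    "/O=Example Corp/CN=payroll.corp.example" corp-ca
make_self_signed standalone "/O=Example Corp/CN=new-shop.example"

echo "intranet client (trusts corp-ca), payroll cert: $(client_check payroll corp-ca)"
echo "outside client (trusts other-ca), payroll cert: $(client_check payroll other-ca)"
echo "client checking a self-signed cert against corp-ca: $(client_check standalone corp-ca)"
```

An organization that runs its own certificate server therefore also has to distribute its CA certificate to every client that should accept the certificates it issues.
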

Microsoft Baseline Security Analyzer
Use the Microsoft Baseline Security Analyzer (MBSA) to search for any security vulnerabilities. MBSA
scans Windows-based servers for common security misconfigurations. The tool scans the operating
system and other installed components, such as Internet Information Services (IIS). MBSA also checks
systems for missing security patches, and recommends critical security patches and fixes.
Security Recommendations