Thursday, October 18, 2007

How to secure Microsoft IIS with HP Select Access?

I was trying to perform a simple task: use HP Select Access to secure my local IIS server. Although the procedure is straightforward, it took me a whole day to get past all the obstacles. Below is a practical guide to doing it.

Step 1) Installation of LDAP server

My IIS runs on Windows Server 2003, and I selected the built-in Active Directory server as my LDAP directory.

I verified the LDAP installation by connecting to it with JXplorer (http://www.jxplorer.org).
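If you want the same check scripted (for example from a build server, before the enforcer configuration is attempted), the following is an added example of an LDAPv3 bind probe written with only the Python standard library. It is not code from this post, from JXplorer or from Select Access; the message layout follows RFC 4511 and the BER rules of X.690, and the host, port and DN values you pass in are your own.

```python
"""Scripted stand-in for the JXplorer check in Step 1: an LDAPv3 bind against the
directory, standard library only. Added example, not code from the post, JXplorer
or Select Access; encoding per RFC 4511 (LDAP) and X.690 (BER)."""
import socket
import ssl
from typing import Tuple

# Result codes a bind is likely to return (RFC 4511, section 4.1.9)
LDAP_RESULT = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
               49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    An empty dn and password is an anonymous bind, which is enough as a liveness check."""
    if not 1 <= msg_id < 128:
        raise ValueError("keep message IDs in 1..127 so the INTEGER fits one octet")
    bind = ber(0x60, ber(0x02, b"\x03")            # version INTEGER 3
               + ber(0x04, dn.encode())            # name LDAPDN
               + ber(0x80, password.encode()))     # authentication: simple [0] OCTET STRING
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) of a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag {tag:#x}")
    _, code, pos = read_tlv(op, 0)                  # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)         # matchedDN (unused here)
    _, diag, _ = read_tlv(op, pos)                  # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe_ldap(host: str, port: int = 389, dn: str = "", password: str = "",
               use_tls: bool = False, timeout: float = 5.0) -> Tuple[int, str]:
    """Connect, bind once and return (resultCode, readable name). A simple bind with a
    password travels in clear on plain LDAP, so pass use_tls=True (LDAPS, usually port 636)
    for a credentialed check, or stay anonymous for a pure liveness check."""
    request = build_bind_request(1, dn, password)
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    with sock:
        sock.sendall(request)
        data = sock.recv(4096)
    _, code, diag = parse_bind_response(data)
    return code, LDAP_RESULT.get(code, f"resultCode {code}") + (f": {diag}" if diag else "")
```

Usage: `probe_ldap("dc.laptopnet.local")` for an anonymous bind, or `probe_ldap("dc.laptopnet.local", 636, "cn=...,dc=laptopnet,dc=local", "...", use_tls=True)` for a credentialed one; a result code of 0 means the directory accepted the bind, 49 means it is alive but rejected the credentials.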

[Screenshot: JXplorer connection screen]

[Screenshot: JXplorer connected to the local Active Directory]

Step 2) Configuration of HP Select Access Administration Server

Connection to the local Directory Server:

[Screenshot: directory server connection settings]

Creation of the Policy Data Location:

[Screenshot: Policy Data Location]

I left the definition of the Identity Location for later and proceeded with the typical (default) configuration on the following screens.

Step 3) Configuration of HP Select Access Policy Validator

I selected "custom setup options" and proceeded with the default settings, except for "Audit Settings". For a new installation I recommend debug mode and logging to a file.

[Screenshot: Policy Validator audit settings]

Step 4) Configuration of IIS Enforcer

I selected "Custom Setup Options".
On the following screens I proceeded with the defaults. You can consider enabling the SSO "Temporarily store passwords" option, depending on your requirements (I left it unchecked).

Selection of the "cookie domain", set to my local domain:

[Screenshot: cookie domain selection]

Selection of the SSO domains:

[Screenshot: SSO domain selection]

As with the Policy Validator, I set up audit logging to a file in DEBUG mode.

I selected my only Validator:

[Screenshot: Policy Validator selection]

I proceeded with the defaults on the following screens.

Step 5) Configuration of SA Policy Builder (PB) - Identity Location

I configured SA with the existing Windows users:

[Screenshot: Identity Location configured with the existing Windows users]

Step 6) Configuration of SA Policy Builder resources

In the resource tree I added a new folder "http" and created new resources pointing at my local IIS server.

[Screenshot: resource tree with the "http" folder and IIS resources]

Step 7) Configuration of SA Authentication Service

I have selected NTLM as an authentication service:

[Screenshot: NTLM authentication service]

Step 8) Assignment of Authentication service to the resource

[Screenshot: authentication service assigned to the resource]

Step 9) Configuration of the Authorization Matrix

[Screenshot: Authorization Matrix]

Step 10) Final results

A properly configured IIS (with the SA enforcer) prompts for a UID and password.
Since I allowed access for all Domain Users, any valid UID/password combination works. Note that the UID has to be provided together with the domain name, e.g. laptopnet.local\Administrator.

[Screenshot: browser authentication prompt]

After successful authentication the SA enforcer creates a cookie in the browser. Subsequent requests carry the cookie and are authorized by the SA enforcer.
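To make the behaviour built in Steps 6 to 10 concrete (a resource tree, an authentication service assigned to a resource, an authorization matrix, and an enforcer that challenges for credentials and then checks the session cookie), here is an added model of that logic in Python. It is not HP Select Access code and does not claim to reproduce the product's real evaluation rules; the inheritance rule (nearest explicit entry on the path to the root wins, an entry for the user beats group entries, explicit DENY beats ALLOW among groups, default deny), the user jdoe, the "http/intranet/admin" resource and all passwords are constructed for the example. It also enforces the DOMAIN\user form of the UID that the post points out.

```python
"""Toy model of the policy that Steps 6 to 10 build: a resource tree, an authentication
service assigned per resource, and an authorization matrix evaluated with inheritance.
Added example; not HP Select Access code, only a sketch of the configured behaviour."""
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterator, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass
class Principal:
    domain: str
    user: str
    groups: Set[str]


@dataclass
class Policy:
    # resource path -> authentication service (e.g. "NTLM"); inherited by child resources
    auth_service: Dict[str, str] = field(default_factory=dict)
    # (identity, resource path) -> Decision; identity is a group name or "domain\\user"
    matrix: Dict[Tuple[str, str], Decision] = field(default_factory=dict)


def lineage(path: str) -> Iterator[str]:
    """Yield the resource and its ancestors: http/intranet/admin, http/intranet, http, '' (root)."""
    parts = path.strip("/").split("/")
    for i in range(len(parts), -1, -1):
        yield "/".join(parts[:i])


def required_auth(policy: Policy, resource: str) -> Optional[str]:
    """Nearest authentication service on the path to the root; None if the resource is unprotected."""
    for node in lineage(resource):
        if node in policy.auth_service:
            return policy.auth_service[node]
    return None


def authorize(policy: Policy, who: Principal, resource: str) -> Decision:
    """Walk from the resource towards the root (constructed rule, see lead-in): an entry for the
    user itself wins at a node; otherwise group entries apply, explicit DENY beating ALLOW.
    Nothing on the whole path means DENY (default deny)."""
    user_key = f"{who.domain}\\{who.user}"
    for node in lineage(resource):
        own = policy.matrix.get((user_key, node))
        if own is not None:
            return own
        votes = {policy.matrix[(g, node)] for g in who.groups if (g, node) in policy.matrix}
        if Decision.DENY in votes:
            return Decision.DENY
        if Decision.ALLOW in votes:
            return Decision.ALLOW
    return Decision.DENY


class Enforcer:
    """Per-request logic of an enforcer in front of the web server (sketch): an unprotected
    resource passes; a protected one needs a session cookie and an ALLOW from the matrix."""

    def __init__(self, policy: Policy, directory: Dict[Tuple[str, str], Set[str]],
                 credentials: Dict[Tuple[str, str], str]):
        self.policy = policy
        self.directory = directory        # (domain, user) -> groups; stands in for AD lookups
        self.credentials = credentials    # (domain, user) -> password; stands in for the NTLM check
        self.sessions: Dict[str, Principal] = {}

    def login(self, uid: str, password: str) -> Optional[str]:
        """Accept only DOMAIN\\user, as the post notes; return a session token or None."""
        if "\\" not in uid:
            return None
        domain, user = (s.lower() for s in uid.split("\\", 1))
        key = (domain, user)
        if key not in self.directory or self.credentials.get(key) != password:
            return None
        token = secrets.token_hex(16)   # the value the browser would carry back as the cookie
        self.sessions[token] = Principal(domain, user, self.directory[key])
        return token

    def handle(self, resource: str, cookie: Optional[str] = None) -> int:
        """HTTP status the enforcer answers with: 200, 401 (authenticate) or 403 (denied)."""
        if required_auth(self.policy, resource) is None:
            return 200
        who = self.sessions.get(cookie) if cookie else None
        if who is None:
            return 401
        return 200 if authorize(self.policy, who, resource) is Decision.ALLOW else 403


def build_demo() -> Enforcer:
    """Constructed data mirroring the post: folder 'http', NTLM on it, Domain Users allowed."""
    policy = Policy(
        auth_service={"http": "NTLM"},
        matrix={
            ("Domain Users", "http"): Decision.ALLOW,                        # Step 9 matrix
            ("Domain Users", "http/intranet/admin"): Decision.DENY,         # constructed exception
            ("laptopnet.local\\administrator", "http/intranet/admin"): Decision.ALLOW,
        },
    )
    directory = {
        ("laptopnet.local", "administrator"): {"Domain Users", "Domain Admins"},
        ("laptopnet.local", "jdoe"): {"Domain Users"},                       # constructed user
    }
    credentials = {("laptopnet.local", "administrator"): "constructed-pw-1",
                   ("laptopnet.local", "jdoe"): "constructed-pw-2"}
    return Enforcer(policy, directory, credentials)
```

A request to a resource under "http" without a cookie gets 401, the same request after `login("laptopnet.local\\Administrator", ...)` gets 200, and a UID without the domain part never yields a session, which is the symptom described in Step 10.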