The Ultimate Citrix Install Guide
 

24. How to Secure an Internet Information Services (IIS) Server

Security is always a concern, and with the help of SSL and a few utilities you can get a head start on securing the web servers. All of this is fine and dandy, but if you do not stay current with the latest Microsoft and Citrix hotfixes and security updates, you are still at high risk of attack. With this in mind, I highly recommend using tools like Microsoft Baseline Security Analyzer and hfnetchk.exe to analyze the servers for missing hotfixes and other known vulnerabilities, as discussed in step 39 of the Tweak Windows 2000 / MetaFrame XP section of this document. Many other third-party products also assist with this.

 

The following procedures are defined in this section:

- How to install and configure IIS Lockdown Utility version 2.1
- How to enable SSL on an NFuse IIS Web Server
  - How to create and install a certificate with a public Certificate Authority
  - How to create and install a certificate with Microsoft Certificate Server
  - How to add the Certificates MMC snap-in
  - How to back up your SSL certificate
  - How to restore your SSL certificate
- How to force the use of SSL encryption on the NFuse web site

 

Note: It is far beyond the scope of this document to go into any detail on how to secure a web server, BUT I believe it is very important and it is something that is very much overlooked. I have started to add some content to this section, but it is really up to us all. Please email me suggestions on how to improve this section: dbrown@dabcc.com.

 


24.1 How to Install and Configure the IIS Lockdown Tool (version 2.1)

The Microsoft IIS Lockdown Tool is a wizard-driven utility that works by turning off unnecessary features within IIS. For more information, please visit: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961.

The IIS Lockdown Tool requires Windows NT 4.0 running IIS 4.0 or Windows 2000 running IIS 5.0.

Note: The following procedures do NOT work on a web server running the Citrix Web Console. I have not been able to successfully lock down an IIS server running the CWC with the IIS Lockdown utility and still have it function. If you have any suggestions, please email dbrown@dabcc.com and I will add them to the next release of MIAB.

The following details how to install and configure the IIS Lockdown utility to work with NFuse 1.71.

1.      Download the IIS Lockdown Utility from Microsoft's web site.

2.      Start iislockd.exe and click Next.

3.      Click the I agree radio button and click Next.

4.      Select Dynamic Web Server (ASP enabled), check the View template settings checkbox and click Next.

5.      Click Next.

6.      Click Next.

7.      Uncheck the Scripts checkbox and click Next.


8.      Click Next.

Note: If you will be using URLScan, be aware that the default URLScan configuration blocks any request for .EXE and .DAT files on the IIS Web Server. What does this mean to an NFuse Classic deployment? It means that if you accept the URLScan installation, nobody will be able to download the web client ICA32T.EXE file from the NFuse Classic application portal, and the Java client will be unable to download the ICAPRINTERS.DAT file.

To work around the .DAT problem, comment out the .dat extension in the urlscan.ini file on the server and restart IIS.

As for the ICA32T.EXE file, you either have to rename it (for example to .zip or .ex_) and change the associated file name in the \Nfuse17\Include\Install.vbs file, or change the download link to point to the Citrix web site for the ICA client download; this requires a bit of editing in the same Install.vbs file.

 

9.      Click Next.

10. Click Next.


11. Click Finish

 

The IIS Lockdown wizard creates two new local groups:

- Web Anonymous Users
- Web Applications

The local IUSR_COMPUTERNAME account is now a member of the Web Anonymous Users group. The wizard sets permissions using these two groups.

NFuse requires that the IUSR_COMPUTERNAME account have at least Modify rights to the C:\Inetpub\wwwroot\NFuseIcons folder. If the IUSR_COMPUTERNAME account does not have the right permissions on that folder, users will not see the icons for the published applications on the NFuse page.


24.2 How to Enable SSL on the NFuse IIS Web Server

I would imagine that most small to medium size deployments forget about, or do not see a need for, SSL certificates, but they are wrong. Without SSL, username and password information is sent from the client to the web server in clear text, which gives anyone the ability to compromise user credentials.

Another misconception is that working with SSL certificates is difficult. It is not. All you need to remember is that every web server certificate needs a root certificate (the CA's public certificate) that the client trusts. This is why I highly recommend using a certificate generated by a public CA. Certificates issued by a public CA already have their root certificate installed in most popular browsers, thus requiring zero administration on the workstation. Without this, you would be required to manually install the root certificate on every device that connects to the web server.

The following is a list of just a few public Certificate Authorities:

- http://www.entrust.com
- http://www.geotrust.com
- http://www.instantssl.com/
- http://www.verisign.com/products/site/

With this in mind you need to secure the NFuse web server(s) with an SSL certificate. The following procedures assist with the installation and maintenance of SSL certificates.

 


24.2.1 How to Create and Install an SSL Certificate with a Public Certificate Authority

In order to obtain an SSL certificate from a certificate authority you must first generate a Certificate Signing Request (CSR) file, which the CA uses to generate the web server certificate. When you have completed this process, send the CSR to your CA or follow the CA's instructions for generating a certificate.

The following defines how to generate a CSR file for a Microsoft Internet Information Server (IIS) 5.0 Web site.

1.       Click Start, click Programs, click Administrative Tools, click Internet Information Services.

2.       Select the computer and web site (host) that you wish to secure. Right-click it and select Properties.

 


3.       Select the Directory Security tab and click the Server Certificate button under Secure Communications.

 

4.       Click Next to continue.


5.       Click the Create a new certificate radio button and click Next.

 

6.       Click the Prepare the request now, but send it later radio button. Click Next.


7.       At the Name and Security Settings screen, fill in the [friendly] name field for the new certificate and select the bit length. We recommend using 1024-bit length. Click Next.

8.       Enter an Organization name (the exact legal name of your organization; do not abbreviate it) and Organizational Unit (the section of the organization) and click Next.

Note: The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? &. This includes commas.

9.       Enter the Common Name (the fully qualified domain name of your web server; this must be an exact match).

 

10.   Enter the Country/Region (the two-letter ISO abbreviation for your country), State/province (the state or province where your organization is legally located; cannot be abbreviated) and City/locality (the city where your organization is legally located). Click Next.

 


11.   Enter a path and file name for the CSR.

12.   Verify your request and then click Next.


13.   At the Completing the Web Server screen, click Finish.
Note: DO NOT REMOVE the pending request or the .crt file will not match and your certificate will not install.

 

14.   Submit your CSR to the public CA of choice and wait to receive your SSL certificate.

 

When you receive your SSL certificate from the CA, copy the certificate from the body of the email and paste it into a text editor (such as Notepad) to create a text file.

The following documents how to install your new SSL Web Server Certificate.

1.      Click Start, Programs, Administrative Tools, Internet Services Manager.

2.      Right click on the web site you want to secure and click Properties.




3.      Click the Directory Security tab and click the Server Certificate button.

4.      The Welcome to the Web Server Certificate Wizard window opens. Click OK.

5.      Click the Process the pending request and install the certificate radio button and click Next.

6.      Enter the location of the certificate file you received from the CA and click Next.



7.      Verify the Certificate Summary to make sure all information is accurate. Click Next.

8.      Select Finish.

Test your certificate by connecting to your server. Use the https protocol directive (i.e., https://web_server/) to indicate you wish to use secure HTTP. The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.


24.2.2 How to Create and Install a Certificate with Microsoft Certificate Server

The following details how to create and install an SSL certificate with Microsoft's Certificate Server.

Note: You will need to install Certificate Server in your domain.

 

1.      Click Start, Programs, Administrative Tools, Internet Information Services. Expand the web server, right-click the web site (Default Web Site) you want to SSL enable, select Properties, and click the Server Certificate button on the Directory Security tab.

 

2.      Click Next

3.      Click Create a new certificate Click Next

4.      Click Prepare the request now, but send it later Click Next


5.      Enter the name of the web server (www.dabcc.com) in the Name: text box, select a Bit Length of at least 1024 and click Next.

6.      Select or type your organization's name and your organizational unit and click Next.

7.      Enter the common name for your web site. This is the FQDN, such as www.dabcc.com. Click Next.

8.      Enter your geographical information and click Next.

9.      Enter the file name and path for the certificate request file (c:\certreg.txt) and click Next.

10. The next screen informs you of the settings you have configured and asks for your approval. Verify everything is correct and click Next.

11. Open Internet Explorer and browse to the /certserv virtual directory on the server where you installed Microsoft Certificate Server (http://db2kad2/certserv).

12. Click Request a certificate and click Next.

13. Click the Advanced request radio button and click Next.

14. Click the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file radio button and click Next.

15. Click Start, click Run, type Notepad, click File, Open and open the file you saved in step 9. Select the text between the dashed BEGIN and END lines and click Edit, Copy.

 

16. Paste the selected text into the Base64 Encoded Certificate Request text box, select Web Server from the Certificate Template drop-down box and click Submit.

17. Select the Base 64 encoded radio button and click the Download CA certificate hyperlink.

18. Save the certificate with the name of the web server.

19. Right-click the certificate file you downloaded in step 18 and click Install Certificate.

 

20. Click Next

21. Click Next

22. Click Finish

23. Click OK

24. Return to the Internet Information Services management console and click the Server Certificate button.

25. Click Next.

26. Click the Assign an existing certificate radio button and click Next.

27. Highlight the certificate you installed above and click Next.

 

28. Click Next

29. Click Finish

30. Click OK

You have now successfully set up your web server for https (SSL) communication.

 

 


24.2.3 How to Add the Certificates MMC Snap-in

The Certificates Microsoft Management Console (MMC) snap-in is not preconfigured. You will need to add the snap-in before you can perform any export/import functionality.

The following details how to add the Certificates MMC snap-in.

1.      Click Start, click Run, type mmc and click OK.

2.      Click Console, Add/Remove Snap-in.

3.      Click Add.

4.      Highlight Certificates in the list of available snap-ins and click Add.

5.      Click the Computer account radio button and click Next.

6.      Select the computer you want to manage and click Finish.

7.      Click OK.

You are now ready to use your new SSL certificate, but first you will need to back it up so that it can be restored if you reinstall the server or move it to another server with the same FQDN.

 

24.2.4 How to Back Up Your SSL Certificate

Now that you have installed your certificate it is very important to back it up. A backup is also needed if you want to move the certificate to a new server or if you will be reinstalling the OS the certificate resides on.

Note: Remember that certificates are specific to the device and operating system they were created on. The only way to move or restore one is from a backup!

1.      Open the Microsoft Management Console (MMC) and add the Certificates snap-in as documented above.

2.      Drill down to the Certificates folder (Console Root > Certificates (Local Computer) > Personal > Certificates).

3.      Right-click the certificate and select All Tasks, Export.

4.      The Welcome to the Certificate Export Wizard window opens. Click Next.

 

5.      Click the Yes, export the private key radio button and click Next.




6.      Make sure the Personal Information Exchange - PKCS #12 (.PFX) radio button is selected and check the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) checkbox. Click Next.

Warning: Make sure that Delete the private key if the export is successful is NOT checked.

7.      Type and confirm your export password.

Warning: If you lose the password, you might need to purchase another certificate.

8.      Specify a name and path for the backup SSL certificate and click Next.

9.      Verify you have entered the information correctly and click Finish.

You have now successfully backed up your SSL certificate. I highly recommend making multiple copies and storing them in different locations.

 


24.2.5 How to Restore an SSL Certificate

If you need to rebuild your web server or move the certificate to a new server with the same fully qualified domain name, you will need to back up and restore your SSL certificate.

The following details how to restore a backup copy of an SSL certificate.

1.      Double-click the backup SSL certificate.

2.      The Welcome to the Certificate Import Wizard window opens. Click Next to continue.

 

3.      Enter the location of the certificate you want to import and click Next.


4.      Enter the password that was entered when the certificate was backed up and click Next.

 

5.      Click the Place all certificates in the following store radio button and then click Browse.

 


6.      Click the Personal folder and click OK.

 

7.      Verify the settings are correct and click Finish.

 

8.      Click OK.

9.      Follow the procedures documented in How to Add the Certificates MMC Snap-in, except that in step 5 you click the My user account radio button. Click Finish.

10. Once you have finished adding the snap-in, verify the certificate is located in the proper store. In most cases you will find it in the Current User > Personal > Certificates folder. If this is the case, drag it to the Certificates (Local Computer) > Personal > Certificates folder.

11. Click Start, click Programs, click Administrative Tools, click Internet Services Manager.

12. Right-click the web site you want to add the certificate to and click Properties.

13. Click on the Directory Security tab and click the Server Certificate button.

14. Click Next.

15. Click the Assign an existing certificate radio button and click Next.

 

16. Select the certificate you want to apply and click Next.


17. Verify the certificate is correct and click Next.

 

18. Click Finish.

 

You are now ready to utilize SSL security on your web server.


24.3 How to Force the Use of SSL Encryption on the NFuse Web Site

Now that you have implemented an SSL certificate, you will want to force users to use SSL encryption for the NFuse portal. At the same time, you will be creating a friendlier name for the end-users to browse to, e.g. http://www.mycompany.com/portal.

The following procedures document how to force the use of SSL on the NFuse web site without requiring end-users to type https:// before the web address.

1.      Browse to the root of the default web site and create a folder with the name of the portal. Make the name something that end-users will remember, because it will be used on a daily basis.

2.      Click Start, Run, type notepad and click OK.

3.      Type the following:

 

4.      Save the file as default.asp in the folder you created in step 1, e.g. c:\inetpub\wwwroot\portal.

5.      Click Start, Programs, Administrative Tools, Internet Services Manager. Browse to the original (top level) NFuse web site, right-click it and select Properties.

6.      Click on the Directory Security tab and then click the Edit button.

7.      Check the Require secure channel (SSL) checkbox and then check the Require 128-bit encryption checkbox. Click OK.

You are now ready to instruct your end-users to browse to the folder you created in step 1, and they will automatically be redirected to the NFuse web site using SSL.
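As an added example (not the guide's own listing), the following default.asp performs the redirect that steps 3 and 4 call for. It assumes the certificate's common name is www.mycompany.com, that the NFuse Classic site is published under /Citrix/NFuse17/ on the same server, and that the /portal folder itself is not set to require SSL, so plain-HTTP requests can still reach it.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' default.asp for the /portal folder (added example, not the guide's listing).
' Every visit to http://www.mycompany.com/portal is sent to the SSL-only
' NFuse site, so end-users never have to type https:// themselves.

' Assumptions: SITE_FQDN is the certificate's common name and NFUSE_PATH is
' the NFuse Classic site path on this server (both placeholders to adjust).
Const SITE_FQDN  = "www.mycompany.com"
Const NFUSE_PATH = "/Citrix/NFuse17/"

' The host name is hard-coded on purpose: the client-supplied Host header is
' not trusted, and the name must match the certificate's common name exactly
' or the browser will warn instead of showing the locked padlock.
Dim target
target = "https://" & SITE_FQDN & NFUSE_PATH

' Keep browsers and proxies from caching the reply to the unsecured URL.
Response.Expires = -1
Response.CacheControl = "no-cache"

' Response.Redirect sends a 302 with the Location header and ends the page.
Response.Redirect target
%>
```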

 
