Security

Step 1: The User Logs On

The user is prompted to enter some sort of user-authentication information on a page called Default.asp. The information is collected in an HTML form and posted to the server using an SSL session. Security problems at this stage are unlikely.

Issues to consider (see the figure below):

• With SSL, use the HTTPS protocol rather than HTTP. Failure to do so will yield a 403.4 error (SSL required).
• Make sure that the server certificate is not out of date, or the browser could reject it.
• If the server certificate is from a CA unknown to the browser, the browser might fail to connect to the server.
• If the name in the server certificate is not the same as the name of the server you wish to communicate with, the browser might fail to connect to the server.

  

• Problems can occur if the administrator has set up .asp files so that they won’t process HTTP POST methods. Although this is unlikely, with IIS 5.0 you can restrict HTTP method types if necessary, as shown in the following figure.

  

  Note   This functionality has changed from IIS 4.0, in which you select the HTTP verbs you do not want to allow. In IIS 5.0, you select the HTTP verbs you want to allow.

© 1997-1999 Microsoft Corporation. All rights reserved.