Securing Your IIS Server With Forward Secrecy

Security is a big deal nowadays. Let's be honest, it should have always been a big deal. With the plethora of data breaches in the news, people are starting to take notice and secure things properly.

The first step in making sure your website is secured properly is securing the web server it's hosted on. Here are the steps to do that if you're running your own IIS web server and plan to use an SSL certificate. This should work for IIS 7.5, 8.0 and 8.5.

Testing Your Server

  1. Run your server through the [SSL Server Test](https://www.ssllabs.com/ssltest/) provided by Qualys. You can enter the URL of a site on the server or an IP address. Check the "Do not show the results on the boards" box if you don't want the world to see your results (I recommend this, at least on the first attempt, so you don't advertise that you are vulnerable while you still are).
    [Screenshot: SSL Server Test form]

  2. Review your results.
    [Screenshot: SSL Server Test results]

    The goal is an A or higher. Don't worry if you don't hit that on the first attempt; the report lists exactly what needs to be fixed.

Securing Your Server

If your test results didn't come back as favorable as you'd hoped, here are a few options on how to fix those issues.

Caution: All of these options could potentially cause problems if done incorrectly. Proceed at your own risk!

  1. Google the issues that come up and manually edit the registry (not recommended). That doesn't sound like much fun, so let's look at some other options.
  2. Download and run IIS Crypto. This free tool lets you enable or disable protocols, ciphers, hashes and key exchange settings, and set the cipher suite order, with a few clicks in a GUI.
  3. Use this PowerShell script by Alexander Hass to set the security settings to the current best practices.
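Whichever option you pick, it ends up writing the same SCHANNEL registry values. The script below is an added example (it is not the post's own code, nor IIS Crypto's, nor Alexander Hass's script) that writes those values directly so you can see what "forward secrecy" means on IIS: ECDHE cipher suites ordered first, SSL 2.0/3.0 and RC4 off. The registry paths are the documented SCHANNEL locations; the cipher suite list is an assumption that you must check against what your OS version actually offers (the names on Server 2012 R2 carry the _P256/_P384 suffix shown here; Server 2016 and later drop it). Run it in an elevated PowerShell and reboot afterwards.

```powershell
# Added example, not from the original post. Run elevated; reboot to apply.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $path = "$Schannel\Protocols\$Name\$side"
        New-Item -Path $path -Force | Out-Null
        # Enabled = nonzero and DisabledByDefault = 0 turns a protocol on;
        # Enabled = 0 and DisabledByDefault = 1 turns it off.
        New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Force `
            -Value ([int]$Enabled) | Out-Null
        New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Force `
            -Value ([int](-not $Enabled)) | Out-Null
    }
}

function Disable-SchannelCipher {
    param([string]$Name)
    # Cipher key names such as 'RC4 128/128' contain a slash, which the PowerShell
    # registry provider would treat as a path separator (New-Item creates nested
    # keys), so go through the .NET registry API instead.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
    $key = $ciphers.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $ciphers.Close()
}

# 1. Protocols: SSL 2.0/3.0 off, TLS on (TLS 1.2 is off by default on 2008 R2).
'SSL 2.0', 'SSL 3.0'            | ForEach-Object { Set-SchannelProtocol $_ $false }
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol $_ $true }

# 2. Ciphers: RC4, single DES and NULL are what the SSL test flags as weak.
'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'DES 56/56', 'NULL' |
    ForEach-Object { Disable-SchannelCipher $_ }

# 3. Cipher suite order: ECDHE_* suites first. Their ephemeral Diffie-Hellman key
# exchange is what gives forward secrecy: a server private key leaked later no
# longer decrypts recorded sessions. Plain RSA key exchange suites stay at the
# end only for clients that cannot do better. This list is an assumption; keep
# only names your OS supports. The policy value is one comma-separated REG_SZ
# and older releases cap it at 1023 characters, so keep it short.
$SuiteOrder = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
)
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $Policy -Force | Out-Null
New-ItemProperty -Path $Policy -Name Functions -PropertyType String -Force `
    -Value ($SuiteOrder -join ',') | Out-Null

# 4. Read back what was written so the change can be reviewed before rebooting.
function Get-SchannelSummary {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $path = "$Schannel\Protocols\$p\Server"
        $state = if (Test-Path $path) { (Get-ItemProperty $path).Enabled } else { 'OS default' }
        [pscustomobject]@{ Setting = $p; Value = $state }
    }
    $order = (Get-ItemProperty $Policy).Functions -split ','
    [pscustomobject]@{ Setting = 'Suite order'; Value = "$($order.Count) suites, first: $($order[0])" }
}
Get-SchannelSummary | Format-Table -AutoSize
```

After the reboot, rerun the Qualys test: the "Cipher Suites" section should now list the ECDHE suites first and mark them as forward-secret, and the protocol list should no longer show SSL 2 or SSL 3. Leave TLS 1.0/1.1 enabled only for as long as you still have clients that need them.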

Displaying DNN Username in Skin

I'm using the DNN AD authentication provider on several sites, and we needed to disable the ability for users to log out of the site, as logging out can cause issues with the AD auto-login feature.

First, I removed the login code from the .ascx skin file (usually located at Portals/_default/Skins/SKINNAME/SKINFILE.ascx). Here's the code that needs to be commented out or removed:

    <div id="Login">
        <div class="user_position">
            <dnn:USER ID="dnnUser" runat="server" LegacyMode="false" />
            <dnn:LOGIN ID="dnnLogin" CssClass="LoginLink" runat="server" LegacyMode="false" />
            <dnn:LANGUAGE runat="server" id="dnnLANGUAGE"  showMenu="False" showLinks="True" />
        </div>
    </div>

Now that the login control is gone, there is no logout link in the skin, which is exactly what was needed. Note that this removes the link rather than disabling logout itself, so treat it as a usability fix, not a security control. I still wanted to display the logged-in user's name in the header so they know that they are logged in.

  1. First register the skin Text control by adding the following line to the top of your skin .ascx file, right below the other Register directives:

    <%@ Register TagPrefix="dnn" TagName="TEXT" Src="~/Admin/Skins/Text.ascx" %>

  2. Now add this control wherever you'd like the username to show up:

    <dnn:TEXT runat="server" id="dnnTEXT" CssClass="MyTitleHeaderText" replaceTokens="True" ShowText="[User:Username]" />

Redirecting Your Ghost (Pro) SSL Blog

If you've read this article on how to set up Ghost with free SSL, then there are only a few steps left to make sure your SSL-enabled Ghost blog handles all requests (http and https).

The following steps assume that you've followed all the instructions from the link above, including setting up your custom domain and forcing SSL in your blog settings (found at https://ghost.org/blogs/yourdomain/).

  1. In your Cloudflare account, go to Page Rules
  2. In the URL Pattern box enter https://www.yourdomain.com/*
  3. Now turn on Forwarding and enter https://yourdomain.com/$1
  4. Finally set Forwarding type to Permanent - 301

Now repeat steps 1-4, but with http instead of https in both URLs.

This setup forwards all requests to https://yourdomain with no www. If you prefer the www on your domain, flip the forwarding rules above and set your custom domain to the www version in your Ghost blog settings.

IIS 8 - Redirect HTTP to HTTPS

I came across the need to redirect users who typed in http://site to the secured version https://site. Below are the steps on how to accomplish this.

  1. Make sure you've got the URL Rewrite module installed in IIS. If you aren't sure, you'll find out quickly when you can't find "URL Rewrite" in the steps below. Here are downloads for the 32-bit version or the 64-bit version.
  2. Select your website in IIS and then click on the "URL Rewrite" option in the features pane.
  3. Once the URL Rewrite screen is open, click the "Add Rule(s)..." link in the right-hand pane and enter the details as shown below.

  4. Select Blank rule from the Inbound rules section.
  5. Give it a descriptive name.
  6. Match URL section:
    • Set Requested URL to Matches the Pattern.
    • Set Using to Regular Expressions.
    • Set Pattern to (.*)
  7. Conditions section. Click Add:
    • Set Condition input to {HTTPS}
    • Set Check if input string to Matches the Pattern
    • Set Pattern to ^OFF$
    • Click OK
  8. Action section:
    • Set Action type to Redirect
    • Set Redirect URL to https://{HTTP_HOST}/{R:1} ({R:1} is the path captured by the (.*) pattern above)
    • Set Redirect type to Permanent (301)
    • Click Apply

Now all plain HTTP requests to that site should be 301 redirected to the https version of the site.
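The same rule can be created from PowerShell with the WebAdministration module, which is handy when you have more than one server to configure and want the change reviewable. This is an added example, not code from the original post; it assumes the URL Rewrite module is installed, that the site is called "Default Web Site" (adjust `$site` for yours) and that the server answers on http://localhost for the check at the end.

```powershell
# Added example, not from the original post. Assumes URL Rewrite is installed
# and the site name below is correct. Run in an elevated PowerShell.
Import-Module WebAdministration

$site  = 'IIS:\Sites\Default Web Site'                 # assumption: adjust to your site
$rules = 'system.webServer/rewrite/rules'
$rule  = "$rules/rule[@name='HTTP to HTTPS']"

# Make the script idempotent: drop an existing rule of the same name first.
if (Get-WebConfiguration -PSPath $site -Filter $rule) {
    Clear-WebConfiguration -PSPath $site -Filter $rule
}

# Step 5: the rule itself. stopProcessing keeps later rules from running once
# the redirect has been issued.
Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' `
    -Value @{ name = 'HTTP to HTTPS'; stopProcessing = 'True' }

# Step 6: match every request URL with the regular expression (.*)
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'url' -Value '(.*)'

# Step 7: only when the request did not arrive over TLS ({HTTPS} is "OFF")
Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' `
    -Value @{ input = '{HTTPS}'; pattern = '^OFF$' }

# Step 8: permanent (301) redirect to the same host and path over https
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type'         -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'url'          -Value 'https://{HTTP_HOST}/{R:1}'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'redirectType' -Value 'Permanent'

# Check: ask for a plain-HTTP URL without following redirects and confirm we get
# a 301 whose Location header points at https. Anything other than a 3xx/2xx
# (e.g. connection refused) surfaces as a WebException from GetResponse().
function Test-HttpsRedirect {
    param([string]$Url = 'http://localhost/')
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false        # we want to see the 301, not follow it
    $req.Method = 'HEAD'
    $resp = $req.GetResponse()
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    [pscustomobject]@{
        Url      = $Url
        Status   = $status
        Location = $location
        Ok       = ($status -eq 301 -and $location -like 'https://*')
    }
}

# With the rule above, http://localhost/some/page?x=1 should answer
# 301 Location: https://localhost/some/page?x=1 (query string is preserved).
Test-HttpsRedirect -Url 'http://localhost/some/page?x=1' | Format-List
```

One caveat worth knowing before you rely on this rule: {HTTPS} reflects the IIS binding the request arrived on. If TLS is terminated in front of IIS by a load balancer or reverse proxy, every request reaches IIS over plain HTTP, {HTTPS} is always OFF, and this rule will loop; in that setup the condition has to test whatever header the proxy sets instead.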