Using SSL to Encrypt LDAP and Global Catalog Queries

Secure Sockets Layer (SSL) certificates are mostly installed on IIS machines to
encrypt traffic between a Web server and its clients, but you can also use them
to secure the Lightweight Directory Access Protocol (LDAP). Applications in
Active Directory environments use LDAP to query domain controllers for
information stored in Active Directory. Because those queries return sensitive
directory information such as user names and network service locations, anyone
who can capture the traffic can read it when no protection is in place.

You can install SSL certificates on Active Directory domain controllers so that
SSL encryption can be utilized to encrypt the following:

  • LDAP queries and responses
  • Global catalog traffic

By default, unencrypted LDAP traffic uses TCP port 389. If SSL is enabled for encrypting LDAP queries and responses, then TCP port 636 is utilized. By default, global catalog queries use TCP port 3268. If SSL is enabled for
encrypting global catalog queries, then TCP port 3269 is utilized.

Domain controllers obtain their certificates automatically once a domain controller in the forest has been configured as an Enterprise CA: the remaining domain controllers in the forest then enroll for and install a Domain Controller certificate on their own, and LDAP over SSL (LDAPS) becomes available on them. Keep in mind that an Enterprise Root CA installed on a domain controller ties the trust anchor of the whole forest to that machine; compromise of the DC is then compromise of the PKI, which is why the root key is normally kept on an offline root and an enterprise subordinate CA issues the DC certificates.

For the encryption to work, both the client and the server must trust the certification authority (CA) that issued the certificate. A CA is the entity that issues and manages digital certificates, and a certificate is only as trustworthy as the CA that signed it. Certificates cannot be altered or forged by anyone who does not hold the CA's private key, because the CA signs a hash of the certificate and any change invalidates that signature. In addition to the shared trust in the issuing CA, the certificate must name the domain controller: its fully qualified domain name must appear in the Subject field or in the Subject Alternative Name field, the Enhanced Key Usage must include Server Authentication, and the certificate together with its private key must be present in the domain controller's Local Computer certificate store.

To configure the domain controller as an enterprise CA:

  1. Place the Windows Server 2003 CD-ROM in the CD-ROM drive.
  2. Click Install optional Windows components.
  3. Select Certificate Services in the Wizard Components page.
  4. When a message appears warning that the name of the CA server cannot be modified, click Yes to acknowledge the warning message. Click Next.
  5. In the CA Type page, select Enterprise Root CA. Click Next.
  6. Specify a common name for the CA.
  7. Specify a validity period for which certificates issued by the CA are valid. Click Next.
  8. You can accept the default location settings for the database file and database log. Click Next.
  9. Click Yes if an ASP warning message is displayed, to acknowledge the message.
  10. Click Finish.
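A check a practitioner would run once the certificates have enrolled, added here as an example (it is not part of the original text and not Microsoft's code): it connects to the LDAPS port (636) and the global catalog SSL port (3269) named above, requires the certificate chain to reach the CA whose certificate was exported in Base-64 (.cer) form, and applies the naming rule from the previous section, the DC's FQDN in the Subject CN or the Subject Alternative Name. The host names, the `EXAMPLE_CERT` sample and the `ca.cer` path are assumptions. Modern Python refuses SSL 3.0 and TLS 1.0 by default, so a 2003-era DC that offers nothing newer fails this check, which is itself a finding.

```python
import socket
import ssl

# Ports from the text: 636 for LDAP over SSL, 3269 for global catalog over SSL.
LDAPS_PORT = 636
GC_SSL_PORT = 3269

# Constructed sample in getpeercert() shape; not a real DC certificate.
EXAMPLE_CERT = {
    "subject": ((("commonName", "dc1.example.test"),),),
    "issuer": ((("commonName", "Example Enterprise Root CA"),),),
    "subjectAltName": (("DNS", "dc1.example.test"), ("DNS", "example.test")),
}


def hostname_in_cert(cert, fqdn):
    """The name rule from the text: the DC's FQDN must appear among the
    certificate's DNS Subject Alternative Names or, only when the certificate
    has no DNS SAN entries at all, as the Subject's Common Name.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert().
    """
    wanted = fqdn.lower().rstrip(".")
    dns_sans = [value.lower().rstrip(".")
                for kind, value in cert.get("subjectAltName", ())
                if kind == "DNS"]
    if dns_sans:
        # When DNS SANs are present the CN is ignored (RFC 6125 behaviour).
        return wanted in dns_sans
    common_names = [value.lower().rstrip(".")
                    for rdn in cert.get("subject", ())
                    for key, value in rdn
                    if key == "commonName"]
    return wanted in common_names


def check_ldaps(fqdn, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Open a TLS session to an LDAPS (636) or GC-over-SSL (3269) port.

    Returns (tls_version, peer_cert_dict) when the chain is trusted and the
    name matches. Failure modes worth telling apart:
      ConnectionRefusedError       - nothing listens: no usable DC certificate
      ssl.SSLCertVerificationError - chain does not reach a CA this client
                                     trusts, or the name does not match
    `cafile` is the PEM (Base-64 .cer) export of the CA certificate; None
    uses the client's default trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() requires TLS 1.2 or newer on current Python;
    # a DC limited to SSL 3.0 / TLS 1.0 fails here, which is a finding.
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            # ctx already verified the name; repeating the rule makes the
            # reason for a failure explicit in the report.
            if not hostname_in_cert(cert, fqdn):
                raise ssl.SSLCertVerificationError(
                    f"{fqdn} not in Subject CN or SAN of the DC certificate")
            return tls.version(), cert


def check_dc(fqdn, cafile=None):
    """Check both SSL-protected directory ports on one DC; one line per port."""
    report = {}
    for name, port in (("LDAPS", LDAPS_PORT), ("GC-SSL", GC_SSL_PORT)):
        try:
            version, cert = check_ldaps(fqdn, port, cafile)
            issuer = dict(x[0] for x in cert["issuer"])
            report[name] = f"OK {version} issuer={issuer}"
        except ConnectionRefusedError:
            report[name] = "REFUSED: not listening; no server certificate installed?"
        except ssl.SSLError as exc:
            report[name] = f"TLS FAILED: {exc}"
        except OSError as exc:
            report[name] = f"NETWORK: {exc}"
    return report


if __name__ == "__main__":
    import sys
    # usage: python ldaps_check.py dc1.example.test [ca.cer]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for port_name, status in check_dc(sys.argv[1], ca).items():
        print(f"{port_name:7} {status}")
```

Run it from a domain member and from a non-member: the second run only passes when the CA certificate file is supplied, which confirms that trust, not just the open port, is what makes the channel usable.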

Using SSL on Mail Servers

You can use the Secure Sockets Layer (SSL) protocol and Transport Layer Security (TLS) to encrypt messages between a client and a server, and between the mail servers of an organization. TLS is the Internet standard successor to SSL and is very similar to Secure Sockets Layer version 3 (SSLv3). SSL 2.0 and 3.0 have since been shown to be insecure; where the server and its clients support it, negotiate TLS and disable the SSL versions.

Both the Simple Mail Transfer Protocol (SMTP) service and the Post Office Protocol 3 (POP3) service are included in Windows Server 2003; to use them you only have to install them. Of the two, only the SMTP service can be configured for SSL encryption; the Windows Server 2003 POP3 service has no SSL option, so POP3 passwords and mail cross the network in clear text.

How to install the Simple Mail Transfer Protocol (SMTP) service:

  1. Place the Windows Server 2003 CD-ROM in the CD-ROM drive.
  2. Click Start, Control Panel, and click Add/Remove Programs.
  3. Click Add/Remove Windows Components in the Add Or Remove Programs dialog box.
  4. Click Application Server in the Windows Components dialog box, and then click the Details button. The Application Server dialog box appears.
  5. Click IIS and then select the Details button.
  6. Click the SMTP Service checkbox.
  7. Click OK.
  8. Open IIS Manager.
  9. Verify that the SMTP Virtual Server node appears in the console tree.

How to create an SMTP virtual server:

  1. Open the IIS Manager.
  2. Locate the computer, right-click Default SMTP Server, select New and then Virtual Server from the shortcut menu.
  3. The New SMTP Virtual Server Wizard initiates.
  4. Enter a name for the SMTP site. Click Next.
  5. On the Select IP Address page, enter the IP address settings for the SMTP site. Click Next.
  6. Enter the path to the home directory for the SMTP server. Click Next.
  7. Provide the domain name for the SMTP server. Click Next.
  8. Click Finish.

You configure an SMTP virtual server by opening its Properties window and working through the tabs. The security settings for SMTP reside on the Access tab. For SSL/TLS encryption, use the Secure Communication area of the Access tab: click the Certificate button to start the Web Server Certificate Wizard and obtain and install a server certificate for the SMTP virtual server. Request the certificate for the host name that clients use to reach the server, because clients verify that name against the certificate. After the server certificate is installed, click the Communication button to require secure communications.

How to install an SSL certificate to enable SMTP encryption:

  1. Open the IIS Manager.
  2. In the console tree, right-click the Default SMTP Virtual Server node, and click Properties from the shortcut menu.
  3. Click the Access tab.
  4. In the Secure Communication area of the Access tab, click Certificate.
  5. The Web Server Certificate Wizard starts.
  6. Follow the prompts of the wizard to install the server certificate for the SMTP virtual server.

How to require all clients to use SSL encryption (these steps use Exchange System Manager, where POP3 and IMAP4 virtual servers also exist; for the standalone Windows SMTP service, open the virtual server's Properties in IIS Manager instead and continue from step 4):

  1. Click Start, click All Programs, click Microsoft Exchange, and click System Manager.
  2. In the console tree, expand the Servers node, expand the appropriate Computer node, expand Protocols, and then expand SMTP.
  3. Right-click the SMTP virtual server, or the POP3 or IMAP4 virtual server, and select Properties on the shortcut menu.
  4. When the Properties window for the virtual server which you have selected opens, click the Access tab.
  5. Click the Communication button.
  6. Click the Require Secure Channel checkbox.
  7. If applicable, enable the Require 128-Bit Encryption checkbox as well.
  8. Click OK.
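To confirm that Require Secure Channel is actually enforced, here is an added example (not part of the original text and not Microsoft's code) that walks the SMTP exchange by hand: it reads the banner, issues EHLO, checks that STARTTLS is offered, deliberately sends MAIL FROM before upgrading, then negotiates STARTTLS against the exported CA certificate and repeats the command over TLS. It assumes the SMTP service offers TLS through STARTTLS on port 25 and that a correctly configured server refuses the pre-TLS MAIL FROM with reply code 530 as RFC 3207 specifies; `mail.example.test`, `probe@example.test` and the `SAMPLE_EHLO_REPLY` bytes are constructed values.

```python
import socket
import ssl

# Constructed EHLO reply, not captured from a real server.
SAMPLE_EHLO_REPLY = (b"250-mail.example.test Hello [192.0.2.10]\r\n"
                     b"250-SIZE 2097152\r\n"
                     b"250-STARTTLS\r\n"
                     b"250 OK\r\n")


def reply_complete(buf):
    """True once buf ends with a final reply line: 'NNN<space>text' or a bare 'NNN'.
    Continuation lines of a multi-line reply use 'NNN-text'."""
    if not buf.endswith(b"\r\n"):
        return False
    last = buf[:-2].rsplit(b"\r\n", 1)[-1]
    return (len(last) >= 3 and last[:3].isdigit()
            and (len(last) == 3 or last[3:4] == b" "))


def parse_reply(data):
    """Split a complete SMTP reply into (code, [text of each line])."""
    lines = [ln for ln in data.decode("ascii", "replace").split("\r\n") if ln]
    if not lines or not lines[-1][:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {data!r}")
    return int(lines[-1][:3]), [ln[4:] for ln in lines]


def ehlo_offers(feature_lines, keyword):
    """Does the EHLO reply advertise `keyword` (STARTTLS, AUTH, SIZE ...)?
    The first line is the server greeting and carries no extension."""
    return any(ln.split(None, 1)[0].upper() == keyword.upper()
               for ln in feature_lines[1:] if ln.strip())


def read_reply(sock):
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return parse_reply(buf)


def send_line(sock, text):
    sock.sendall(text.encode("ascii") + b"\r\n")


def check_smtp_starttls(host, port=25, cafile=None, helo="probe.example.test",
                        timeout=10.0):
    """Walk the STARTTLS negotiation and report what the server enforces.

    MAIL FROM is sent before STARTTLS on purpose: with Require Secure Channel
    set the server must refuse it (530, 'Must issue a STARTTLS command first');
    a server that accepts it will take mail in clear text from any client that
    never upgrades.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain must reach the CA
    result = {"starttls_offered": False, "plaintext_mail_refused": None,
              "tls_version": None, "cert_subject": None, "mail_over_tls_ok": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, _ = read_reply(s)                           # 220 banner
        if code != 220:
            raise ConnectionError(f"unexpected banner code {code}")
        send_line(s, f"EHLO {helo}")
        _, features = read_reply(s)
        result["starttls_offered"] = ehlo_offers(features, "STARTTLS")

        send_line(s, "MAIL FROM:<probe@example.test>")    # deliberately pre-TLS
        code, _ = read_reply(s)
        result["plaintext_mail_refused"] = (code == 530)
        send_line(s, "RSET")
        read_reply(s)

        if not result["starttls_offered"]:
            send_line(s, "QUIT")
            return result

        send_line(s, "STARTTLS")
        code, _ = read_reply(s)
        if code != 220:
            raise ConnectionError(f"STARTTLS refused with {code}")
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            result["cert_subject"] = dict(x[0] for x in tls.getpeercert()["subject"])
            send_line(tls, f"EHLO {helo}")                 # session state resets after STARTTLS
            read_reply(tls)
            send_line(tls, "MAIL FROM:<probe@example.test>")
            code, _ = read_reply(tls)
            result["mail_over_tls_ok"] = (code == 250)
            send_line(tls, "RSET")
            read_reply(tls)
            send_line(tls, "QUIT")
    return result


if __name__ == "__main__":
    import sys
    # usage: python smtp_tls_check.py mail.example.test [ca.cer]
    print(check_smtp_starttls(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

A healthy result is `starttls_offered` and `plaintext_mail_refused` both true and `mail_over_tls_ok` true; `plaintext_mail_refused` false means the Require Secure Channel box did not take effect on the virtual server that answers this port.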

How to configure a messaging client to use SSL encryption (this example uses Outlook 2003):

  1. Open Control Panel.
  2. Double-click Mail.
  3. Click E-Mail Accounts.
  4. The E-Mail Accounts Wizard starts.
  5. Click View Or Change Existing E-Mail Accounts. Click Next.
  6. Select the account for which encryption should be enabled, and click Change.
  7. On the Internet E-Mail Settings page, click More Settings.
  8. Switch to the Advanced tab.
  9. Enable the This Server Requires An Encrypted Connection (SSL) checkbox for those protocols that should have encryption enabled. Click OK.
  10. Click Next. Click Finish.

Using SSL on Computers Running SQL Server

You can also use SSL certificates to protect the data that flows between SQL Server and its clients. You can enable SQL Server SSL encryption on:

  • The SQL Server computer: To encrypt all communication with a particular server running SQL Server, enable SSL on the SQL Server computer itself. Clients that do not support SSL encryption are then refused. The server certificate must be issued to the server's fully qualified domain name, carry the Server Authentication purpose, be within its validity period, and be installed in the computer's certificate store. To enable SSL encryption on the SQL Server computer, perform the following tasks:
    1. Install a server certificate.
    2. Configure all clients to trust the root CA of the certificate.
  • SQL Server clients: If some clients must connect to the SQL Server computer without SSL encryption while others must connect only over SSL, enable SSL encryption on the individual clients instead.

How to manually configure clients to trust the root CA. This involves the following steps:

  1. Export the root CA certificate from the SQL Server computer.
  2. Copy the exported file to each client and import it into the client's Trusted Root Certification Authorities store.

To export the SQL Server certificate:

  1. Log on the computer running SQL Server.
  2. Open Internet Explorer, and select Internet Options from the Tools menu to open the Internet Properties dialog box.
  3. Switch to the Content tab.
  4. Click Certificates.
  5. Switch to the Trusted Root Certification Authorities tab.
  6. Select the CA that issued the certificate to the SQL Server computer from the available list, and click Export.
  7. The Certificate Export Wizard launches.
  8. Click Next on the initial screen of the Wizard.
  9. On the Export File Format page, select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option.
  10. Enable the Include All The Certificates In The Certification Path If Possible checkbox. Click Next.
  11. On the File To Export page, enter a name for the file which will contain the certificate you are exporting. Click Next.
  12. Click Finish.

How to import the certificate into each client’s trusted root CAs:

  1. On the client computer, open Internet Explorer.
  2. Select Internet Options from the Tools menu to open the Internet Properties dialog box.
  3. Switch to the Content tab.
  4. Click Certificates.
  5. Switch to the Trusted Root Certification Authorities tab.
  6. Click Import.
  7. The Certificate Import Wizard launches.
  8. Click Next on the initial screen of the Wizard.
  9. On the File To Import page, choose the certificate which was exported from the SQL Server computer. Click Next.
  10. Select Automatically Select The Certificate Store Based On The Type Of Certificate.
  11. Click Next. Click Finish.
  12. The security warning shows the thumbprint of the certificate about to be trusted. Compare it with the thumbprint of the CA certificate on the SQL Server computer, and click Yes to add the certificate to the root store only if they match.
  13. Click OK. Click Close.

How to require SSL encryption on the computer running SQL Server:

  1. Click Start, click All Programs, click Microsoft SQL Server, and click Enterprise Manager.
  2. Find and right-click the computer running SQL Server, and then select Properties from the shortcut menu.
  3. On the General tab, click Network Configuration.
  4. Click the Force Protocol Encryption checkbox.
  5. Click OK.
  6. Click OK to restart the SQL Server service.
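Whether Force Protocol Encryption took effect can be seen from the first packet a client sends, without any SQL Server client library: the TDS PRELOGIN exchange (SQL Server 2000 and later) carries an ENCRYPTION option in which the server answers OFF, ON, NOT_SUP or REQ. The following is an added example (not from the original text and not Microsoft's code) that builds a PRELOGIN packet offering ENCRYPT_OFF, reads the reply and decodes the server's answer; it stops before the TLS handshake that a REQ answer would demand. The packet layout follows the MS-TDS specification; `sql01.example.test`, the client version bytes and `SAMPLE_SERVER_REPLY` are constructed.

```python
import socket
import struct

# TDS packet types and PRELOGIN option tokens (MS-TDS, PRELOGIN message)
TDS_PRELOGIN = 0x12          # client -> server
TDS_TABULAR_RESULT = 0x04    # server -> client; the PRELOGIN reply uses this type
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_TERMINATOR = 0x00, 0x01, 0x02, 0x03, 0xFF

# ENCRYPTION option values
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
ENCRYPT_NAMES = {
    ENCRYPT_OFF: "OFF: only the login packet is encrypted; query data flows in clear text",
    ENCRYPT_ON: "ON: encryption available, a client may ask for it",
    ENCRYPT_NOT_SUP: "NOT_SUP: server has no usable certificate",
    ENCRYPT_REQ: "REQ: Force Protocol Encryption is on; plain-text clients are refused",
}


def build_prelogin_payload(encryption, version=b"\x08\x00\x01\x55\x00\x00"):
    """Serialize PRELOGIN options: a table of (type, offset, length) tokens,
    a 0xFF terminator, then the option data. Offsets count from the start
    of the payload, not from the TDS header."""
    options = [
        (OPT_VERSION, version),                 # constructed client version; any value works
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, b"\x00"),                 # empty instance name
        (OPT_THREADID, struct.pack(">I", 0)),
    ]
    offset = 5 * len(options) + 1               # token table plus terminator
    table, data = b"", b""
    for opt, value in options:
        table += struct.pack(">BHH", opt, offset, len(value))
        data += value
        offset += len(value)
    return table + bytes([OPT_TERMINATOR]) + data


def tds_packet(ptype, payload):
    """Prepend the 8-byte TDS header: type, status 0x01 (end of message),
    big-endian total length, SPID, packet id, window."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


def prelogin_encryption(packet):
    """Return the ENCRYPTION value from a complete PRELOGIN packet (header included).
    Options may arrive in any order, so the token table is walked."""
    if len(packet) < 8:
        raise ValueError("truncated TDS header")
    length = struct.unpack(">H", packet[2:4])[0]
    payload = packet[8:length]
    pos = 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated PRELOGIN option table")
        opt, off, ln = struct.unpack(">BHH", payload[pos:pos + 5])
        if opt == OPT_ENCRYPTION:
            if ln != 1 or off >= len(payload):
                raise ValueError("malformed ENCRYPTION option")
            return payload[off]
        pos += 5
    raise ValueError("PRELOGIN reply carries no ENCRYPTION option")


# Constructed reply, shaped as a server with Force Protocol Encryption answers.
SAMPLE_SERVER_REPLY = tds_packet(TDS_TABULAR_RESULT, build_prelogin_payload(ENCRYPT_REQ))


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def probe_sql_encryption(host, port=1433, timeout=5.0):
    """Offer ENCRYPT_OFF and return the server's answer (see ENCRYPT_NAMES).
    ENCRYPT_REQ confirms Force Protocol Encryption is in effect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(tds_packet(TDS_PRELOGIN, build_prelogin_payload(ENCRYPT_OFF)))
        header = recv_exact(s, 8)
        total = struct.unpack(">H", header[2:4])[0]
        body = recv_exact(s, total - 8)
    return prelogin_encryption(header + body)


if __name__ == "__main__":
    import sys
    # usage: python tds_encryption_probe.py sql01.example.test
    answer = probe_sql_encryption(sys.argv[1])
    print(f"server ENCRYPTION={answer:#04x} -> {ENCRYPT_NAMES.get(answer, 'unknown')}")
```

Run the probe before and after ticking Force Protocol Encryption: the answer should move from OFF (or NOT_SUP, if no valid certificate is installed) to REQ. A NOT_SUP answer after the restart points at the certificate rather than the setting: wrong subject name, missing Server Authentication purpose, or the certificate not being in the computer store.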