Home > Articles > Microsoft > MCSA

This chapter is from the book

This chapter is from the book

MCSA Training Guide (70-218): Managing a Windows 2000 Network EnvironmentMCSA Training Guide (70-218): Managing a Windows 2000 Network Environment

Learn More Buy

This chapter is from the book

This chapter is from the book

MCSA Training Guide (70-218): Managing a Windows 2000 Network EnvironmentMCSA Training Guide (70-218): Managing a Windows 2000 Network Environment

Learn More Buy

Web Site Security

Web sites are made available through the Web service component of Internet Information Services. Because these Web sites contain data, they need to be secured at one level or another (even if that security is to leave everything unsecured).

The following list outlines ways in which you can control access to your Web sites:

  • Changing the TCP port

  • Changing access permissions

  • Changing execute permissions for scripts and programs

  • Changing authentication methods (including enabling and disabling anonymous access)

  • Adding IP address and domain name restrictions

  • Adding server certificates for Secure Socket Layer (SSL) transmissions

  • Authenticating users with client certificates

These topics are discussed in the following sections.

Controlling Web Site Access Through the TCP Port Number

Most common TCP/IP protocols have specific TCP ports associated with them, and the software that enables you to use these expects the ports to conform to the standard defaults. However, similar to a TV channel, these ports can be changed. If a certain set of data is being broadcast on a certain port, and that port is not the default port for that utility (such as port 80 for HTTP traffic), the port must be determined to access the data. This might sound trivial, but because more than 65,000 TCP ports are available to choose from, you can hide your site from most casual users by choosing any TCP port other than 80.

Of course, this is not very robust security because if someone knows which port you are running on, that person will be able to return to your site. In addition, if you have a port sniffer or security scanner, you could easily determine the port that a particular Web server is running on. However, it is a good way to hide information from people who do not know what they are looking for.

If you change the TCP port for your Web site (to 8080, for example), any browser client who wants to access your site will have to manually type in the TCP port number along with the address of your site. For example, if your site was http://www.mydata.com and you were using TCP port 8080, a browser client would access your site with the following URL:

http://www.mydata.com:8080

Step By Step 3.5 showed you how to determine and change a Web site's TCP port.

Controlling Web Site Access Through Access Permissions

One of the most common ways to secure a Web site is to change the global settings for what all users can do. By making a Web site read-only, for example, you ensure that no one will be able to accidentally or purposefully make changes to the content of your site.

As you can see in Figure 3.10, four access rights can be controlled for the entire site: Script Source Access, Read, Write, and Directory Browsing.

Figure 3.10Figure 3.10 Web access rights can be used to restrict the file-level permissions of the files on a site.


Enabling script source access allows users to see the source code behind the Active Server Page they are currently viewing. This would enable users to access JavaScript and VBScript source code. That source code might contain sensitive information, such as the location of the database server or passwords that would be inappropriate for anyone other than the development team to have.

Read access allows users to look at the content of the Web page and download files. If read access is not enabled, no users will be able to access the content on the site.

Write access enables users to upload content to the site. This includes being able to modify the HTML or script content as well as placing new files into the site folder on your server.

Don't Let Others Supply the Code You Run

It's a bad idea to allow both execute access and write access to a directory. This enables a person to upload and execute potentially destructive programs.

Directory browsing allows users to see a file listing in your Web site's main folder. This would allow a user to know what the names of your files are and to navigate through your file path to subfolders in your Web site. If this is not enabled, users must connect through the HTML pages you have set up on your Web site. If no default HTML page has been configured, browser clients will not be able to navigate your Web site at all.

You will need to make choices about which of these rights you want to enable for your user community. Remember that these rights are global across all users of your Web site; they will not discriminate. If you want to allow some users to upload files and not others, you must give Web site rights to write and then control access using NTFS permissions on the local files or folders themselves.

You will notice in Figure 3.10 that a logging setting is also available. This setting, which is usually enabled, allows you to log all user interaction with this site. This log enables you to monitor who is connecting to your site and what she is doing. The logging options (including the location of the log file) can be configured on the Web Site tab of the Web site's Properties dialog box.

Step By Step 3.10 shows you how to adjust the site access permissions.

STEP BY STEP 3.10: Changing Site Access Permissions

  1. From the Start menu, select Settings, Control Panel, Administrative Tools, Internet Services Manager.

  2. In the IIS Console window, you can locate your Web site by expanding Console Root, Internet Information Services, and Your Server. When you see your Web site in the tree under the name of your server, right-click it and select Properties from the menu that appears.

  3. In the Web Site Properties window, click the Home Directory tab. There you see check boxes under the Local Path field that you can use to set site access permissions. Select or deselect the appropriate rights.

  4. Click OK to update the Web site's properties.

Controlling Web Site Access Through Execute Permissions

Another way to control site access is through execute permissions. Execute permissions (shown at the bottom of Figure 3.10) define what type of scripts or executables a browser client can invoke on your site. The execute permissions include None, Scripts Only, and Scripts and Executables.

If you select None, no scripts will run on this Web site. This is obviously problematic because it means that Active Server Page scripts will not run.

If you select Scripts Only, Active Server Page scripts will run on this Web site. However, executables—including ASAPI DLLs and CGIBIN applications—can't be invoked.

If you select Scripts and Executables, a user will be able to invoke any script or executable she can get at. Although this provides a lot of functionality to the user, it is the most dangerous option in terms of security.

Step By Step 3.11 demonstrates how to change a site's execute permissions.

STEP BY STEP 3.11: Changing Site Execute Permissions

  1. From the Start menu, select Settings, Control Panel, Administrative Tools, Internet Services Manager.

  2. In the IIS Console window, you can locate your Web site by expanding Console Root, Internet Information Services, and Your Server. When you see your Web site in the tree under the name of your server, right-click it and select Properties from the menu that appears.

  3. In the Web Site Properties window, click the Home Directory tab. Click the Execute Permissions drop-down arrow to see the list of permissions (see Figure 3.11). Select the level of script execute privileges you want to give out for your site.

    Figure 3.11Figure 3.11 Execute permissions control the execution of programs and scripts on your Web server.


  4. Click OK to update the Web site's properties.

Controlling Web Site Access Through Authentication Methods

One of the strengths of using IIS as a Web server on a Windows 2000 Server is the capability to integrate Windows 2000 computer or domain security into Web access. Essentially, you have the ability to force users to provide names and passwords from the local machine accounts or from Active Directory to access Web sites. This eliminates the need to create your own security model.

Web authentication occurs at two levels: anonymous and authenticated. Anonymous access is the first method attempted when a user tries to connect to any Web site. If anonymous access is disabled, or if a Web user tries to access a function that can't be performed by an anonymous user, authenticated access is attempted. Anonymous access does not require a password. However, authenticated access always requires confirmation of identity, which can be in the form of a password challenge. But security information can be passed transparently (such as integrated Windows access or with client certificates, both of which are covered later).

Under IIS, anonymous access is mapped to a user account. Therefore, any attempt to access a Web site anonymously treats the user as though he were logged in as the anonymous IIS account. By default, the name of this account is IUSR_servername. That means that if your server were called Green, the anonymous user account would be called IUSR_Green unless you changed it to something else.

One way of securing your Web site is to disable anonymous access to the whole site. Then, for any attempted access, the browser client is prompted for a name and password to access the site. Another way to secure your site is to put NTFS security locally on some or all of your Web site. If you do this, for any attempted access of files or folders that do not allow anonymous access, a name and password is required (whether the user is prompted for it depends on the type of authentication you require and his other authentication information to the Web server).

If you do require that a user log on to your site (or some portion thereof), you can set the type of authenticated access you want to require. Three levels exist: basic authentication, digest authentication for Windows domain servers, and integrated Windows authentication.

Basic authentication is the least secure but most accessible across a variety of browsers. This type of authentication sends all login information in clear text. Unfortunately, if someone is watching your logon using a packet sniffer or other network analysis tool (Windows 2000 or NT Network Monitor, for example), she might be able to capture your username and password as you log on. Basic authentication is supported by all Web browsers, including non-Microsoft browsers. Although sending passwords in clear text is a security risk, this can be overcome by using server certificates and SSL (covered later).

When a user logs in using basic authentication, the user's combined name and password are checked against the directory IIS has been told to use (either local or an Active Directory for the domain). If the name and password pass authentication, local security is checked on the files the user is trying to access, and if the username has appropriate access in the ACL, access continues. If the name and password do not pass authentication, however, the user is prompted repeatedly until he cancels the login operation. If the username is not authorized to access the resource it is trying to access, it will pass authentication but be given an Access denied message.

Make the Message Meaningful

The exact message that is returned to the client can be controlled by setting custom errors for the Web site.

A second—and more secure—type of authentication is digest authentication. It is similar to basic authentication; however, it uses a hashing algorithm to encrypt data sent between the browser and server. This hashing algorithm is classed as one-way in that it can be used to encrypt but not decrypt the data. This type of authentication works only on browsers that support the HTTP 1.1 standard and can respond to the requests the IIS server is making. At this point, only IE4.x and greater support this authentication method. Although this method has some advantages over basic authentication, it has a major security flaw in that the password must be stored in clear text on the domain controller for the reverse encryption to be processed and compared. As a result, it is rarely used.

Configuration for Digest Authentication

Two things are required for this type of authentication to work. First, the IIS server must be a member of a domain. Second, each user who needs to authenticate through a browser must have her account to store the password using reversible encryption. To do this, that setting must be enabled in the properties for the user (Account tab), and then the password for the user must be reset.

If digest authentication is configured and either the user's browser is not capable of using this type of authentication or the user's account has not been configured properly (as described in the Note titled "Configuration for Digest Authentication"), the authentication will fail.

The final authentication method is integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication). This method uses special encryption protocols to secure the authentication process. Unlike the other two authentication methods, IWA does not necessarily prompt for a username and password. Instead, it checks the Windows logon currently in force on the client's machine. If this can be determined and authenticated, the user might never know that any restrictions are in place on the site. If the user does not authenticate or a Windows logon name can't be determined, the browser displays a logon dialog box.

The benefit of this authentication method is its security. The disadvantages are that it works only on Internet Explorer 2.x or later (no Netscape support exists). This type of authentication is best used in an intranet environment where the browser type can be controlled.

Step By Step 3.12 demonstrates changing the type of user authentication required by your Web server.

STEP BY STEP 3.12: Changing Site Authentication Methods

  1. From the Start menu, select Settings, Control Panel, Administrative Tools, Internet Services Manager.

  2. In the IIS Console window, you can locate your Web site by expanding Console Root, Internet Information Services, and Your Server. When you see your Web site in the tree under the name of your server, right-click it and select Properties from the menu that appears.

  3. In the Web Site Properties window, on the Directory Security tab, click the Edit button in the section labeled Anonymous Access and Authentication Control (see Figure 3.12).

    Figure 3.12Figure 3.12 You can configure access authentication from the Directory Security tab of the Properties dialog box.


  4. From the Authentication Methods dialog box, select whether you want anonymous access to be configured (see Figure 3.13). If you do, you can choose to modify the account used for anonymous access or its password. To do that, click the Edit button and type in a new account name and password.

    Figure 3.13Figure 3.13 You can configure anonymous access and any of three authentication methods.


  5. If you want to enable basic authentication, select the appropriate check box. When the Internet Service Manager warning comes up about the nature of basic authentication, click Yes to continue. Click Edit to define the location of the accounts used to authenticate Web users. If you leave it at the default, the local accounts for the server will be used. However, you can also enter a domain name to access Active Directory to use for authentication; both can't be used.

  6. If you want to enable digest authentication or integrated Windows authentication, select the appropriate check box.

  7. Click OK to update the Web site's properties.

    Multiple Authentication Methods

    If you select more than one authentication method, after attempting anonymous access, IIS attempts to authenticate using the most secure method (integrated Windows) first. Then, it tries less secure methods until all avenues of authentication have been exhausted.

Controlling Web Site Access Through IP Address and Domain Name Restrictions

You can control the access people have to your Web site to include only people with certain IP addresses (from within your company, for example) or to exclude people with certain addresses. By using IP address and domain name restrictions, you can ensure that even if someone obtains a username and password that is valid, that person can still be prevented from accessing data. This could enable company employees to access the intranet when they are at their desks (with known TCP/IP addresses) but prevent them from accessing the intranet from home (where they have unknown or unauthorized TCP/IP addresses).

When you restrict based on IP addresses or domain names, you can configure single IP addresses, multiple addresses based on a network ID and subnet mask, or addresses falling into a certain domain. If you choose to restrict based on domain (for example, to exclude all users whose IP addresses are registered to BADGUYS.com), your IIS server must do a reverse lookup on each IP address that traffic comes from. This is always very time and resource intensive and might not yield accurate results. Caution should be exercised when choosing this method.

In case you missed it, just because you can restrict access based on the client's domain affiliation doesn't mean that you should. The additional overhead of performing a reverse name lookup on an IP address is generally not justifiable.

Disallowing accesses using this method has precedence over all other access a user might have been given to the Web site.

This method for changing site address and name restrictions is covered in Step By Step 3.13.

STEP BY STEP 3.13: Changing Site IP Address and Domain Name Restrictions

  1. From the Start menu, select Settings, Control Panel, Administrative Tools, Internet Services Manager.

  2. In the IIS Console window, you can locate your Web site by expanding Console Root, Internet Information Services, and Your Server. When you see your Web site in the tree under the name of your server, right-click it and select Properties from the menu that appears.

  3. In the Web Site Properties window, on the Directory Security tab, click the Edit button in the section labeled IP Address and Domain Name Restrictions (see Figure 3.14).

    Figure 3.14Figure 3.14 You can configure IP address and domain name restrictions from the Directory Services tab of the Web site's Properties dialog box page.


  4. In the IP Address and Domain Name Restrictions dialog box, select whether you want to implicitly grant access except to listed addresses or to implicitly deny access except to listed addresses (see Figure 3.15). Then click the Add button.

    Figure 3.15Figure 3.15 You can explicitly grant or explicitly deny access by IP address or domain name.


  5. From the Deny Access On or Allow Access On dialog box, as shown in Figure 3.16, select Single Computer and enter the IP address, select Group of Computers and enter the network address and subnet mask, or select Domain Name and enter the domain name. Then click OK to exit.

    Figure 3.16Figure 3.16 You can deny access by a specific IP address.


  6. Click OK until you exit back to the IIS Console.

Securing Web Access Using Certificates

Certificates are a final way of securing Web access and authenticating users. In Windows 2000, the use of certificates is pervasive, as much of the security uses certificates in one way or another. As a result, the discussion of certificates here will be restricted to their use in Web transactions.

The idea of the certificate as it applies to Web transactions is that an entity (server or client) proves its identity to another using a piece of identification—the certificate. The passport provides an excellent example of how certificates work. As an American citizen, I have been issued an United States passport that verifies that I am a certain person and that I am a citizen of the United States. When I cross the border into Canada, I can show my passport to the Customs official as proof of my identification and citizenship. This passport is deemed to be valid only if two conditions are met: The passport must be authenticated by the United States government (which is done through special security coding on the passport documents), and the Customs official must recognize the United States government as being trusted to make assertions about me. If the passport is deemed to lack authenticity or if the Customs official does not recognize the United States government as a trusted authority in passport issues, my passport is not acceptable for the purposes of identification.

Computer certificates work in much the same way a passport does. A server certificate issued to a user, computer, or Web server identifies that server as being a particular entity. This certificate must be authenticated by a third party (not me and not the server itself). This authenticating party is referred to as the Certificate Authority (CA). An example of a CA that is commonly used is VeriSign.

The authentication is only half of the requirement to create a trusted environment; my Web browser must trust VeriSign to make assertions about servers. Fortunately, all current browsers are configured to trust certain so-called root CAs, of which VeriSign is one. After my browser and the Web server have verified that the server is who it says it is, a security negotiation can take place, thus enabling encrypted transmissions to occur.

Client certificates, on the other hand, are used to verify the identity of a person using a Web browser. Just as a server (computer) certificate allows a server to be identified, a client certificate allows a browser client to be identified. As with a server certificate, a client certificate must be authenticated by a third party, and that third party must be trusted by the server. If that is the case, the identity of a browser client can be established without sending a password over the Internet; all that is sent is the certificate information that identifies the particular user. This identification is made possible by incorporating the client certificate into the Web browser and then exporting the certificate to the IIS server. The certificate is then mapped to an account recognized by the IIS server and, when the certificate is seen in the future, it is recognized as being verification of a specific user. From that point, all permissions that apply to the user are applied to the holder of the certificate. Either certificates can be mapped on a one-to-one basis with each being mapped to a unique user account, or a group of certificates can be mapped to a single account that has access to a Web site or set of data.

The use of server certificates enables encryption of Web transmissions by way of Secure Sockets Layer (SSL). The use of client certificates enables password-free authentication of browser clients. These two certificate uses can be independently utilized, or they can be utilized together.

Certificates can be purchased from a third party or created by the Windows 2000 Certificate Services (a product that is a part of Windows 2000). For Internet applications, third-party certificates are most often used because all browsers trust a default set of third-party certificate vendors and, therefore, no browser configuration is required to trust the certificates. For intranet applications, you can use the Windows 2000 CA, but all your browsers must be configured to trust your root certifier.

Requesting an SSL Certificate

The most difficult process of getting an SSL certificate installed on your Web server is getting the certificate in the first place. There are several reasons for this difficulty:

  • Establishing identity—In most cases you must have an outside party actually provide the SSL certificate so browsers will trust it. This means establishing your identity in a "positive" way to the certification authority.

  • Delay—Because a third party is involved there is a delay. Most professionals are used to being able to complete activities without the involvement of third parties, and the delay they cause can be frustrating.

  • Multiple standards—A few standards are used to make certificate requests. Each certificate authority might require different request formats.

Despite these challenges, requesting and receiving a certificate is not particularly difficult. Step By Step 3.14 shows you how to generate the request.

STEP BY STEP 3.14: Generating a Certificate Request

  1. From the Start menu, select Settings, Control Panel, Administrative Tools, Internet Services Manager.

  2. Click the plus sign to the left of the computer name.

  3. Right-click one of the Web sites. (It doesn't matter which one.)

  4. Click the Directory Security tab.

  5. Click the Server Certificate button.

  6. Click the Next button in the IIS Certificate Wizard to bypass the Welcome screen.

  7. Click the Next button again to accept the default and create a new certificate.

  8. Select the option to Prepare the Request Now, but Send It Later. You can select Send the Request Immediately to an Online Certification Authority if you're willing to send your request to one of the Microsoft-selected certification authorities.

  9. Click the Next button to move to the next step, as shown in Figure 3.17.

    Figure 3.17Figure 3.17 The longer the key, the harder it is to break.


  10. Enter the name for the certificate. The default will be the name of the Web site. You should make this an externally meaningful name. It will appear in the certificate.

  11. Set the bit length of the key. The more sensitive the information that will be transmitted, the longer the key length should be.

  12. Click the Next button to move on to the next step.

  13. Enter the organization and organizational unit information. This information will be encoded in the certificate and available to any user who wants to review the certificate. Be sure this information is externally meaningful. For instance, XYZ Group probably won't be helpful to a consumer reading the certificate.

  14. Click the Next button.

  15. Enter the site's DNS name, called a common name in the wizard. Note that any difference between what you enter here and how the browser refers to the site will be flagged to the user. Therefore, if you enter http://www.thorprojects.com and the user enters thorprojects.com in her browser, she will receive a warning message.

  16. Click the Next button.

  17. Enter the country, state, and city. This information is also visible to the browser. You might want to use the location information of the nearest large city rather than the name of the suburb that you are actually in.

  18. Click the Next button.

  19. Enter the name of the certificate request. You can specify any name you want—as long as you remember what it is.

  20. Click the Next button twice to generate the file.

  21. Click the Finish button to complete the wizard.

  22. Click the OK button to close the site properties.

  23. Close the Internet Information Services window.

Now that you have the request file, it's time to send it off to a certification authority. In the next section you'll learn how to issue your own certificate if you have certificate services loaded. This will enable you to learn how to issue certificates. Normally, you'll want to send your request off to one of the public root certificate authorities.

Issuing Your Own SSL Certificate

If you install certificate services on a server within your enterprise, you will be able to issue your own certificate. Although your certificate won't be trusted by Web browsers, by default you can use it to test SSL in your own environment.

The process for submitting a certificate request is shown in Step By Step 3.15. If you have the appropriate administrative authority and the certificate authority your referring to is a part of Active Directory, you'll be assigned the certificate immediately.

STEP BY STEP 3.15: Submitting a Certificate Request to a Windows 2000 Certificate Authority

  1. Log on with an administrative account.

  2. Open Internet Explorer.

  3. Enter http://servername/certsrv in the address bar.

  4. Confirm that the Request a Certificate option is selected, and then click the Next button.

  5. Select Advanced Request.

  6. Click the Next button.

  7. Select Submit a Certificate Request Using a Base64 Encoded PKCS#10 File or a Renewal Request Using a Base64 Encoded PKCS#7 File. This is the file you created in the previous section.

  8. Click the Next button.

  9. Open the certificate request file in Notepad.

  10. Select all of the text and copy it to the Clipboard.

  11. Close Notepad.

  12. Paste the contents of the request file into the Saved Request box.

  13. Change the Certificate Template to Web Server.

  14. Click the Submit button.

  15. If you have administrative privileges, you'll be issued a certificate immediately. Click Download CA Certificate, and save the resulting file. If the certificate isn't automatically authorized, you must refer to the Microsoft documentation on how to approve pending certificate requests.

Now you have a file that contains the certificate. The next step is installing it on your Web server.

Implementing an SSL Certificate

The process of implementing the SSL certificate is comparatively much more straightforward than requesting the certificate in the first place. Step By Step 3.16 shows you how to implement the certificate you requested.

STEP BY STEP 3.16: Installing a Certificate

  1. From the Start Menu, select Settings, Control Panel, Administrative Tools, Internet Services Manager.

  2. Click the plus sign to the left of the computer name to expand the list of Web and FTP sites.

  3. Right-click the Web site you want to install the certificate to, and select Properties from the context menu.

  4. Click the Directory Security tab.

  5. Click the Server Certificate button.

  6. Click the Next button to move past the welcome step.

  7. Click the Next button to confirm that you want to process the pending request and install the certificate.

  8. Enter the name of the file in the Path and Filename box. You can browse to the certificate file if you don't remember the name of the file.

  9. Click the Next button to continue to the confirmation step.

  10. Click the Next button to confirm that the certificate is correct.

  11. Click the Finish button to complete the wizard and install the certificate.

  12. Click the OK button to close the Web site properties.

  13. Close the Internet Information Services window.

The process of installing the server certificate might involve more than a few clicks, but most of those are just confirming that the certificate is correct. When you installed the certificate, Windows 2000 automatically enabled SSL for the Web site and set the SSL port to the default SSL port of 443.

Enabling Client Authentication Using Client Certificates

Client certificates are an alternative form of authentication to the ones described in the previous sections. What sets this form of authentication apart from the others is that no passwords are required by the client when a browser connects to a site requiring authenticated access. Instead, the browser sends certificate information the Web server has mapped to a certain user account. Using this method, any browser can be used to connect to a site requiring authentication, without having to allow clear-text passwords and without requiring the user to actually log on using a username and password.

The steps for configuring authentication using client certificates are straightforward. First, the server must have a certificate installed issued by the same CA that the clients' certificates are coming from. This enables you to set the configuration to allow for client certificates for authentication.

Next, your clients must have certificates installed on their browsers. Similar to server certificates, these certificates need to be authenticated by a trusted source. If the browsers are connecting to an intranet, you could use the certificate services to generate a root certifier and client certificates. If the connection is to an Internet site, the clients will most likely use a third-party certificate vendor, such as VeriSign.

Finally, after the clients have certificates installed, these must be exported to the Web server and mapped to user accounts. After the mapping has occurred, the server can authenticate the client as being a particular user simply by being shown the client certificate. When the user is authenticated, access to resources is the same as that of any other authenticated user.

Step By Step 3.17 shows how to enable client certificates for authentication.

STEP BY STEP 3.17: Configuring a Web Server to Accept Client Certificates for Authentication

  1. Install a server certificate on your Web server (see Step By Step 3.16).

  2. From the properties of the Web site for which you want to enable client certificate authentication, click the Directory Security tab.

  3. On the Directory Security tab, click Edit in the Secure Communications section.

  4. In the Secure Communications dialog box, you can select Accept Client Certificates or (if SSL has been enabled) Require Client Certificates. Accept Client Certificates allows but does not require a browser to attempt to authenticate with this Web server using a client certificate. Require Client Certificates forces a browser to attempt to authenticate with this Web server using a client certificate; failure or lack of a certificate causes authentication to fail.

  5. In the Secure Communications dialog box, select the check box labeled Enable Client Certificate Mapping, and then click the Edit button next to it. You can then add mappings between exported client certificates (provided by the clients) and user accounts (one-to-one mapping), or you can add a mapping between a root certifier and a user account (many-to-one mapping). A mapping between a root certifier and a user account ensures that anyone authenticating with a certificate from a specific root certifier will be given the same access on the Web site.

  6. In the Secure Communications dialog box, you can also enable a Certificate Trust List (CTL). A CTL is a list of certifiers you trust. If a client tries to authenticate with a certifier not in the CTL, that certificate is rejected.

  7. When configuration is complete, click OK to exit.

Troubleshooting Web Site Access

Web site access is about two things: access to a running server and security.

Lack of access because of security issues revolves around all the topics that have been covered in this section. Look for TCP port incompatibilities and fix them if they are discovered.

If a user is getting Access denied messages, check for authentication methods and underlying NTFS permissions. In addition, check for client certificates and see whether they are required. IP address restrictions also can cause these types of messages, so check for these, too.

If a user can get to your site but can't do what is desired (such as upload files or execute scripts), check for those permissions and adjust them if necessary.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020