Google Postini Directory Sync Configuration Guide User Manual, page 34: Adjust server settings, Disable token caching to prevent attacks
Enable SSL
Now that you have configured basic authentication, you can enable SSL for
connections to the machine hosting your DSML Server.
1. In the Default Web Sites Properties dialog box, go to the Directory Security
tab.
2. In the Secure communications box, click Edit.
3. Check the Require secure channel (SSL) box.
4. Check the Require 128-bit encryption box.
5. Click OK to close Secure communications.
6. Click OK again to close Default Web Sites Properties.
7. Restart IIS by right-clicking the root node and selecting All tasks -> Restart
IIS.
Once you’ve enabled SSL, your directory server can accept connections from
Directory Sync.
Adjust Server Settings
You’ll need to take a few extra configuration steps to ensure that your installation
is smooth and problem-free.
Disable token caching to prevent attacks
WARNING: Enabling Basic Authentication creates a security flaw. It is important
to disable token caching to avoid a serious vulnerability on your system.
Windows stores user tokens in a token cache. If you log on using Basic
Authentication with an account that has a high level of user logon rights, a
successful attacker could use the account to gain access to the resources on your
computer. The following procedure will configure the token cache to flush all
tokens. This procedure involves modifying the Windows Registry using
Regedit.exe. Before you edit the registry, make sure you understand how to
restore it if a problem occurs:
1. From the Start menu, click Run.
2. In the Open box, type regedit.exe.
3. Find and double-click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters
4. From the Edit menu, click Add and choose DWORD Value to add a new
registry entry.
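
The procedure above asks you to know how to restore the registry before editing it. As an added example (not part of the original guide), this PowerShell script, run from an elevated prompt, exports the key named in step 3 to a timestamped .reg file and lists the key's current values for later comparison; the backup folder `C:\RegBackup` is an assumption.

```powershell
# Added example: back up the key from step 3 before changing anything under it.
$regKey    = 'HKLM\System\CurrentControlSet\Services\InetInfo\Parameters'
$psKey     = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters"
$backupDir = 'C:\RegBackup'   # assumed location; use a folder only administrators can write to

# Stop early if the key is missing (for example, IIS is not installed on this host).
if (-not (Test-Path $psKey)) {
    throw "Registry key not found: $regKey"
}

# Create the backup folder if needed and build a timestamped file name,
# so that an earlier backup is never overwritten.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $backupDir "InetInfo-Parameters-$stamp.reg"

# Export the key and everything below it.
& reg.exe export $regKey $backup
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "reg.exe export failed with exit code $LASTEXITCODE"
}
Write-Output "Backup written to $backup"

# List the values currently set on the key so the change can be reviewed afterwards.
Get-ItemProperty -Path $psKey |
    Select-Object * -ExcludeProperty PSPath, PSParentPath, PSChildName, PSDrive, PSProvider |
    Format-List

# To restore the saved state later:
#   reg.exe import "<path to the .reg file written above>"
# then restart IIS so the service re-reads its parameters.
```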