IIS and Secret Server
Secret Server uses Internet Information Services (IIS) to run its web application, providing a secure and scalable platform for managing privileged credentials. Here are some key ways in which Secret Server uses IIS:
- Web Hosting: Secret Server is hosted on IIS, which serves as the web server to deliver the application to users. IIS handles HTTP/HTTPS requests, ensuring that the web application is accessible over the network.
- Authentication: Secret Server uses IIS to manage various authentication methods, including Integrated Windows Authentication (IWA). This allows users to authenticate using their Active Directory credentials without needing to re-enter them, enhancing security and user convenience.
- SSL/TLS Encryption: IIS is configured to use SSL/TLS to encrypt data transmitted between the client and the server. This ensures that sensitive information, such as passwords and secrets, is protected from eavesdropping and man-in-the-middle attacks.
- Application Pool Management: Secret Server runs in its own application pool within IIS. This isolates the application, ensuring that it has dedicated resources and can be managed independently of other applications on the server. The application pool can be configured to always run, preventing it from stopping due to inactivity.
- Logging and Monitoring: IIS provides logging capabilities that Secret Server utilizes to track access and activity. This includes logging user actions, system events, and errors, which are crucial for auditing and troubleshooting.
- Security Hardening: Secret Server employs various IIS security features to harden the application against attacks. This includes disabling unnecessary HTTP headers, configuring secure cipher suites, and ensuring that the application pool runs with the least privilege necessary.
- Session Management: IIS manages user sessions, ensuring that authenticated sessions are maintained securely. This includes handling session timeouts and ensuring that sessions are properly terminated when users log out.
- Load Balancing and Clustering: For high availability and scalability, Secret Server can be deployed in a clustered environment using IIS. This allows multiple instances of Secret Server to run simultaneously, distributing the load and providing redundancy in case of server failure.
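
The application pool and hardening items above correspond to settings that can be read from IIS configuration. The PowerShell below is an added example, not code from this page or from Secret Server: the pool name `SecretServerPool`, the sample XML and both function names are assumptions constructed for illustration.

```powershell
# Constructed sample in applicationHost.config layout; pool name and values are made up.
$sample = [xml]@'
<configuration>
  <system.applicationHost><applicationPools>
    <add name="SecretServerPool" startMode="OnDemand">
      <processModel identityType="LocalSystem" />
    </add>
    <applicationPoolDefaults><processModel idleTimeout="00:20:00" /></applicationPoolDefaults>
  </applicationPools></system.applicationHost>
  <system.webServer><httpProtocol><customHeaders>
    <add name="X-Powered-By" value="ASP.NET" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>
'@

# Value set on the pool, else on applicationPoolDefaults, else the IIS schema default.
function Get-EffectiveAttribute($Node, $DefaultsNode, [string]$Name, [string]$SchemaDefault) {
    foreach ($n in $Node, $DefaultsNode) {
        if ($null -ne $n -and $n.GetAttribute($Name)) { return $n.GetAttribute($Name) }
    }
    return $SchemaDefault
}

# Emits one finding string per setting that contradicts the list above (hypothetical helper).
function Test-IisPoolHardening([xml]$Config, [string]$PoolName) {
    $pool = $Config.SelectSingleNode("//applicationPools/add[@name='$PoolName']")
    if ($null -eq $pool) { return "Pool '$PoolName' not found" }
    $def   = $Config.SelectSingleNode('//applicationPools/applicationPoolDefaults')
    $pm    = $pool.SelectSingleNode('processModel')
    $defPm = if ($null -ne $def) { $def.SelectSingleNode('processModel') }

    $startMode = Get-EffectiveAttribute $pool $def 'startMode' 'OnDemand'
    $idle      = Get-EffectiveAttribute $pm $defPm 'idleTimeout' '00:20:00'
    $identity  = Get-EffectiveAttribute $pm $defPm 'identityType' 'ApplicationPoolIdentity'

    if ($startMode -ne 'AlwaysRunning') { "startMode is $startMode, pool starts only on first request" }
    if ([timespan]::Parse($idle) -ne [timespan]::Zero) { "idleTimeout is $idle, worker stops when idle" }
    if ($identity -eq 'LocalSystem') { "identityType is LocalSystem, which is not least privilege" }
    foreach ($h in $Config.SelectNodes('//httpProtocol/customHeaders/add')) {
        if ($h.GetAttribute('name') -eq 'X-Powered-By') { "X-Powered-By response header is still sent" }
    }
}

Test-IisPoolHardening -Config $sample -PoolName 'SecretServerPool'
```

To audit a real server, load `%windir%\System32\inetsrv\config\applicationHost.config` with `[xml](Get-Content ...)` and pass the actual pool name; headers set in a site's own `web.config` are not covered by this check.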