Q: Our company has implemented a secure, Web-based extranet to share information with remote employees, contractors, and clients. However, we want to control which PCs are used to access the site. For example, we don’t want the site to be accessible from public PCs such as Internet cafe PCs. We’d like to avoid making significant modifications to the extranet application but are willing to purchase tokens.

A: Tokens might not be the best solution for your company because they’re portable by design and usually intended to be used on multiple PCs. Instead, I suggest using client certificates. You can configure Microsoft IIS to require a client certificate from users in addition to their username and password—without modifying your IIS-based application. You can also restrict users from exporting the certificate’s private key to other computers.

To issue client certificates to users, you must install Certificate Services as an Enterprise Certificate Authority (CA) on Windows Server 2003 Enterprise Edition. You have to use Windows 2003 Enterprise Edition because you must create a custom certificate template and only Enterprise Edition and Windows 2003 Data Center Edition let you issue certificates based on custom templates. Windows 2003 will have to be accessible from the Internet to issue certificates to external users.

After you’ve installed Certificate Services, open the Microsoft Management Console (MMC) Certificate Templates snap-in, duplicate the Users certificate template, and clear the Allow private key to be exported check box on the Request Handling tab of the new template’s properties dialog box. On the Security tab, grant the Request permission to the group that represents the users who will be accessing your extranet. In the MMC Certification Authority snap-in, add the new template to the Certificate Templates folder so that your CA can issue certificates based on the template. Then, remove the old Users certificate template from the Certificate Templates folder to prevent users from requesting certificates that will let their private key be exported. Certificates issued from the new Users template will let users access your extranet but won’t let them move the certificate and private key to other computers.