Microsoft® Windows Server™ 2003 PKI and Certificate Security

Book Description

Learn how to design and implement certificate-based security solutions for wireless networking, smart card authentication, VPNs, e-mail, Web SSL, EFS, and code-signing applications—straight from PKI expert Brian Komar and the Microsoft PKI team.

Table of Contents

  1. Microsoft® Windows Server™ 2003 PKI and Certificate Security
  2. Dedication
  3. A Note Regarding Supplemental Files
  4. Acknowledgments
  5. Introduction
    1. About This Book
    2. Microsoft Windows Server 2003 PKI and Certificate Security Companion CD
    3. Resource Kit Support Policy
  6. I. Foundations of PKI
    1. 1. Basics of Cryptography
      1. Encryption Types
      2. Algorithms and Keys
      3. Data Encryption
        1. Symmetric Encryption
          1. Symmetric Algorithms
        2. Asymmetric Encryption
          1. Asymmetric Signing Process
          2. Asymmetric Algorithms
        3. Combining Symmetric and Asymmetric Encryption
      4. Digital Signing of Data
        1. The Hash Process
        2. Hash Algorithms
        3. Combining Asymmetric Signing and Hash Algorithms
      5. Case Study: Microsoft Applications and Their Encryption Algorithms
        1. Opening the EFS White Paper
        2. Case Study Questions
      6. Additional Information
    2. 2. Primer to PKI
      1. Certificates
        1. X.509 Version 1
        2. X.509 Version 2
        3. X.509 Version 3
      2. Certification Authorities
        1. Root CA
        2. Intermediate CA
        3. Policy CA
        4. Issuing CA
      3. Certificate Revocation Lists
        1. Types of CRLs
        2. Revocation Reasons
      4. Case Study: Inspecting an X.509 Certificate
        1. Opening the Certificate File
        2. Case Study Questions
      5. Additional Information
    3. 3. Policies and PKI
      1. Security Policy
        1. Defining Effective Security Policies
        2. Resources for Developing Security Policies
        3. Defining PKI-Related Security Policies
      2. Certificate Policy
        1. Contents of a Certificate Policy
        2. Certificate Policy Example
      3. Certificate Practice Statement (CPS)
        1. CPS: Introduction
        2. CPS: General Provisions
        3. CPS: Identification and Authentication
        4. CPS: Operational Requirements
        5. CPS: Physical, Procedural, and Personnel Security Controls
        6. CPS: Technical Security Controls
        7. CPS: Certificate and Certificate Revocation List (CRL) Profiles
        8. CPS: Specification Administration
      4. Case Study: Planning Policy Documents
        1. Design Requirements
        2. Case Study Questions
      5. Additional Information
  7. II. Establishing a PKI
    1. 4. Preparing an Active Directory Environment
      1. Preparing a Windows 2000 Active Directory Environment
        1. Microsoft Exchange Modifications
          1. Incorrect Modification of the LDAP Display Names Does Not Occur When…
          2. Incorrect Modification of the LDAP Display Names Occurs When…
          3. Preventing Incorrect Modification of the LDAP Display Names
          4. Fixing Incorrect Modification of the LDAP Display Names
        2. Extending the Schema
        3. Modifying Membership in Cert Publishers
      2. Preparing a Windows Server 2003 Active Directory Environment
      3. Preparing Non-Active Directory Environments
      4. Case Study: Preparing Active Directory
        1. Network Details
        2. Case Study Questions
      5. Additional Information
    2. 5. Designing a Certification Authority Hierarchy
      1. Determining the Number of Tiers in a CA Hierarchy
        1. A Single-Tier CA Hierarchy
        2. A Two-Tier CA Hierarchy
        3. A Three-Tier CA Hierarchy
        4. A Four-Tier CA Hierarchy
      2. Organizing Issuing CAs
      3. Choosing an Architecture
      4. Gathering Required Information
        1. Identifying PKI-Enabled Applications
          1. PKI-Enabled Applications
          2. Identifying Certificate Recipients
        2. Determining Security Requirements
        3. Determining Technical Requirements
          1. Defining PKI Management Staff
          2. Minimizing Risk of CA Failure
          3. Determining Certificate Validity Periods
          4. Determining Publication Points
        4. Determining Business Requirements
        5. Determining External Requirements
      5. Case Study: Identifying Requirements
        1. Case Study Questions
      6. Additional Information
    3. 6. Implementing a CA Hierarchy
      1. Preparing Configuration Scripts for Installation
        1. CAPolicy.inf File
          1. Creating the CAPolicy.inf File
          2. Sample CAPolicy.inf Contents
          3. CAPolicy.inf File Sections
            1. [Version]
            2. [PolicyStatementExtension]
            3. [AuthorityInformationAccess] and [CRLDistributionPoint]
            4. [EnhancedKeyUsageExtension]
            5. [BasicConstraintsExtension]
            6. [certsrv_server]
        2. Pre-Installation Scripts
          1. Publishing Certificates and CRLs to the Local Computer Store
          2. Publishing Certificates and CRLs to Active Directory
        3. Post-Installation Scripts
          1. Declaring the Configuration Naming Context
          2. Defining CRL Publication Intervals
          3. Defining Publication Points
            1. Defining CRL Distribution Points
            2. Defining CA Certificate Distribution Points
          4. Defining Validity Periods for Issued Certificates
          5. Enabling Auditing at the CA
            1. PKI Auditing Categories
            2. PKI Auditing Details
          6. Publishing an Updated CRL
      2. Implementing an Enterprise Root CA
        1. Creating a CAPolicy.inf File
        2. Installing Internet Information Services
        3. Installing Certificate Services
        4. Post-Installation Configuration
        5. Enabling Auditing
      3. Implementing a Standalone Root CA
        1. Creating a CAPolicy.inf File
        2. Installing Certificate Services
        3. Post-Installation Configuration
        4. Object Access Auditing
      4. Implementing an Offline Policy CA
        1. Pre-Installation Configuration
        2. Creating a CAPolicy.inf File
        3. Installing Certificate Services
        4. Post-Installation Configuration
        5. Object Access Auditing
      5. Implementing an Online Issuing CA
        1. Pre-Installation Configuration
          1. Publishing Certificates at the Issuing CA
          2. Publishing Certificates into Active Directory
          3. Publishing Certificates to HTTP Locations
        2. Creating a CAPolicy.inf File
        3. Installing IIS
        4. Installing Certificate Services
        5. Post-Installation Configuration
        6. Object Access Auditing
      6. Verifying Installation
      7. Case Study: Deploying a PKI
        1. Case Study Questions
          1. Fabrikam Corporate Root CA
          2. Fabrikam Corporate Policy CA
          3. Fabrikam Corporate Issuing CA
      8. Additional Information
    4. 7. Securing a CA Hierarchy
      1. Designing CA Configuration Security Measures
      2. Designing Physical Security Measures
      3. Securing the CA's Private Key
        1. Private Key Stored in the Local Machine Store
        2. Private Keys Stored on Smart Cards
        3. Private Keys Stored on Hardware Security Modules
      4. Hardware Security Modules
        1. Categories of HSMs
          1. Dedicated HSMs
          2. Network-attached HSMs
        2. HSM Vendors
          1. nCipher
          2. Rainbow Chrysalis-ITS
        3. HSM Deployment Methods
          1. Dedicated HSMs on Each CA
          2. Network-Attached HSMs on Each CA
          3. Dedicated HSMs on Offline CAs and Network-Attached on Online CAs
      5. Case Study: Planning HSM Deployment
        1. Scenario
        2. Case Study Questions
      6. Additional Information
    5. 8. Designing Certificate Templates
      1. Certificate Template Versions
        1. Version 1 Certificate Templates
        2. Version 2 Certificate Templates
        3. Enrolling Certificates Based on Certificate Templates
      2. Modifying Certificate Templates
        1. Modifying Version 1 Certificate Template Permissions
        2. Modifying Version 2 Certificate Templates
          1. The Security Tab
          2. The General Tab
          3. The Request Handling Tab
          4. The Subject Name Tab
          5. The Issuance Requirement Tab
          6. The Superseded Templates Tab
          7. The Extensions Tab
        3. Best Practices for Certificate Template Design
      3. Case Study: Certificate Template Design
        1. Requirements
        2. Case Study Questions
      4. Additional Information
    6. 9. Certificate Validation
      1. Certificate Validation Process
      2. Certificate Validity Checks
      3. Certificate Revocation
        1. Types of CRLs
        2. CRL Retrieval Process
        3. Revocation Reasons
        4. Revoking a Certificate
      4. Building Certificate Chains
        1. Exact Match
        2. Key Match
        3. Name Match
      5. Designing PKI Object Publication
        1. Choosing Publication Protocols
        2. Choosing Publication Points
        3. Choosing Publication Intervals
      6. Troubleshooting Publication Points
        1. Certutil
        2. PKI Health Tool
      7. Case Study: Choosing Publication Points
        1. Design Requirements
        2. Case Study Questions
      8. Additional Information
    7. 10. Role Separation
      1. Common Criteria Roles
        1. Common Criteria Levels
          1. Security Level 1
          2. Security Level 2
          3. Security Level 3
          4. Security Level 4
        2. The Windows Server 2003 Implementation of Common Criteria
          1. CA Administrator
          2. Certificate Manager
          3. Auditor
          4. Backup Operator
        3. Assigning Common Criteria Roles
          1. CA Administrator
          2. Certificate Manager
          3. Auditor
          4. Backup Operator
        4. Implementing Certificate Manager Restrictions
        5. Enforcing Common Criteria Role Separation
      2. Other PKI Management Roles
        1. Local Administrator
          1. Local Administrator Tasks
          2. Assigning the Local Administrator Role
        2. Enterprise Admins
          1. Enterprise Admins Tasks
          2. Assigning the Enterprise Admins Role
        3. Certificate Template Manager
          1. Certificate Template Manager Tasks
          2. Assigning the Certificate Template Manager Role
            1. Delegate Permissions for Creation of New Templates
            2. Delegate Permissions for Creation of New OIDs
            3. Delegate Permissions to Every Existing Certificate Template in the Certificate
        4. Enrollment Agent
          1. Enrollment Agent Tasks
          2. Assigning the Enrollment Agent Role
        5. Key Recovery Agent
          1. Key Recovery Agent Tasks
          2. Assigning the Key Recovery Agent Role
      3. Case Study: Planning PKI Management Roles
        1. Scenario
        2. Case Study Questions
      4. Additional Information
    8. 11. Planning and Implementing Disaster Recovery
      1. Developing Required Documentation
      2. Choosing a Backup Method
        1. System State Backups
        2. Manual Backups
      3. Performing System State Backups
      4. Performing Manual Backups
        1. Using the Certification Authority Console
        2. Using Certutil
        3. Other Backup Methods
          1. Binary Backups
          2. HSM Backups
      5. Restoration Procedures
        1. Reinstalling Certificate Services
        2. Restoring System State Backups
        3. Restoring Manual Backups
      6. Evaluating Backup Methods
        1. Hardware Failure
        2. Certificate Services Failure
        3. Server Replacement
      7. Case Study: Replacing Server Hardware
        1. Scenario
        2. Case Study Questions
      8. Additional Information
    9. 12. Deploying Certificates
      1. Certificate Enrollment Methods
      2. Choosing an Enrollment Method
        1. Choosing Among Manual Enrollment Methods
        2. Choosing Among Automatic Enrollment Methods
      3. Publishing Certificate Templates for Enrollment
      4. Performing Manual Enrollment
        1. Requesting a Certificate
          1. Requesting a Certificate
          2. Retrieving a Pending Certificate Request
          3. Submitting a Certificate Request from Network Devices
        2. Using the Certificate Request Wizard
          1. Loading the Certificates MMC Console
          2. Requesting a Certificate
      5. Performing Automatic Enrollment
        1. Automatic Certificate Request Settings
        2. Autoenrollment Settings
          1. Configuring Certificate Templates
          2. Configuring Group Policy
      6. Performing Scripted Enrollment
        1. Certreq.exe
        2. Custom Scripting
      7. Case Study: Selecting a Deployment Method
        1. Scenario
        2. Case Study Questions
      8. Additional Information
    10. 13. Creating Trust Between Organizations
      1. Methods of Creating Trust
        1. Certificate Trust Lists
        2. Common Root CAs
          1. Commercial CAs
          2. Umbrella Groups
        3. Cross-Certification
        4. Bridge CAs
      2. Qualified Subordination Conditions
        1. Name Constraints
          1. Processing Name Constraints
          2. Name Formats
          3. Defining Name Constraints
        2. Basic Constraints
        3. Application Policies
          1. Determining Application Policy OIDs
          2. Defining Application Policies
        4. Certificate Policies
          1. Default Certificate Policies
          2. Custom Certificate Policies
          3. Implementing Certificate Policies
        5. Guidelines for Qualified Subordination Conditions
      3. Implementing Qualified Subordination
        1. Creating the Qualified Subordination Signing Certificate Template
          1. Creating the Qualified Subordination Signing Certificate Template
          2. Publishing the Qualified Subordination Signing Certificate Template
        2. Implementing the Policy.inf File
        3. Acquiring a Partner's CA Certificate
        4. Generating the Cross Certification Authority Certificate
          1. Creating the Cross Certification Authority Request File
          2. Submitting the Cross Certification Authority Request
        5. Publishing to Active Directory
      4. Verifying Qualified Subordination
      5. Case Study: Trusting Certificates from Another Forest
        1. Case Study Questions
      6. Additional Information
  8. III. Deploying Application-Specific Solutions
    1. 14. Archiving Encryption Keys
      1. Roles in Key Archival
      2. The Key Archival Process
      3. The Key Recovery Process
      4. Requirements for Key Archival
        1. Defining Key Recovery Agents
          1. Requesting the Key Recovery Agent Certificate
          2. Issuing the Key Recovery Agent Certificate
          3. Installing and Exporting the Key Recovery Agent Certificates
          4. Exporting the Certificate and Private Key
        2. Enabling a CA for Key Archival
        3. Enabling Key Archival in a Certificate Template
      5. Performing Key Recovery
        1. Certutil
        2. Key Recovery Tool
        3. Importing the Recovered Private Key
      6. Best Practices
      7. Case Study: Lucerne Publishing
        1. Scenario
        2. Case Study Questions
      8. Additional Information
    2. 15. Smart Card Deployment
      1. Using Smart Cards in an Active Directory Environment
        1. Smart Cards and Kerberos
        2. Requirements for Smart Card Certificates
      2. Planning Smart Card Deployment
        1. Increasing the Assurance of Smart Card Certificates
        2. Identifying the Required Certificate Templates
          1. Enrollment Agent Certificate
          2. Smart Card Certificate
        3. Determining Certificate Distribution Methods
          1. Enrollment Agent
          2. Initial Smart Card
          3. Renewing the Smart Card
        4. Designing Certificate Templates for Smart Cards
          1. Enrollment Agent
          2. Initial Smart Card
          3. Renewing a Smart Card
        5. Deploying a Smart Card Management System
      3. Procedures
        1. Enabling ActiveX Controls
        2. Requesting Smart Card Certificates on Behalf of Other Users
        3. Enabling Autoenrollment
      4. Implementing Additional Security for Smart Cards
        1. Requiring Smart Cards for Interactive Logon
        2. Requiring Smart Cards for Remote Access
        3. Defining Smart Card Removal Behavior
        4. Using Smart Cards for Administrative Tasks
      5. Best Practices
      6. Case Study: City Power and Light
        1. Case Study Questions
      7. Additional Information
    3. 16. Encrypting File System
      1. EFS Processes
        1. How Windows Chooses an EFS Encryption Certificate
        2. Local EFS Encryption
        3. Remote EFS Encryption Using SMB
        4. Remote EFS Encryption Using WebDAV
        5. EFS Decryption
        6. EFS Data Recovery
      2. One Application, Two Recovery Methods
        1. Data Recovery
          1. Defining EFS Recovery Agents
            1. Obtain an EFS Recovery Agent Certificate
            2. Designate the EFS Recovery Agent
          2. Securing the Private Keys
        2. Key Recovery
      3. Deploying EFS
        1. Enabling and Disabling EFS
          1. Enabling EFS
          2. Disabling EFS
        2. Certificate Templates for EFS Encryption
          1. EFS Recovery Agent Certificate Template
          2. Key Recovery Agent Certificate Template
          3. EFS User Certificate Template
        3. Certificate Enrollment
          1. EFS Recovery Agent and Key Recovery Agent Certificates
          2. EFS User Certificates
      4. Best Practices
      5. Case Study: Lucerne Publishing
        1. Scenario
        2. Design Requirements
        3. Proposed Solution
        4. Case Study Questions
      6. Additional Information
    4. 17. Implementing SSL Encryption for Web Servers
      1. How SSL Works
      2. Certificate Requirements for SSL
      3. Choosing a Web Server Certificate Provider
      4. Placement of Web Server Certificates
        1. Single Web Server
        2. Clustered Web Servers
        3. Web Server Protected by ISA with Server Publishing
        4. Web Server Protected by ISA with Web Publishing
          1. Implementing End-to-End SSL
          2. Implementing SSL Between the Web Client and the ISA Server
      5. Choosing a Certificate Template
      6. Issuing Web Server Certificates
        1. Issuing Web Server Certificates to Forest Members
          1. Requesting and Installing the Web Server Certificate
          2. Enabling SSL at the IIS Web Server
        2. Issuing Web Server Certificates to Non-Forest Members
          1. Generating the Web Server Certificate Request
          2. Submitting the Request File at the Windows Server 2003 CA
          3. Installing the Web Server Certificate at the Web Server
        3. Issuing Web Server Certificates to Third-Party Web Servers and Web Acceleration Devices
      7. Certificate-Based Authentication
        1. Defining Certificate Mappings
          1. One-to-One Mappings
          2. Many-to-One Mappings
          3. Combining One-to-One and Many-to-One Mappings
        2. Choosing Where to Perform Certificate Mappings
      8. Performing Certificate-Based Authentication
        1. Configure IIS to Use Active Directory Mappings
          1. Creating a Certificate Template
          2. Defining the Mapping in Active Directory
            1. Enabling Implicit Certificate Mappings
            2. Enabling Explicit Mappings
          3. Enabling IIS to Use Certificate Mappings
          4. Enabling the Directory Service Mapper
        2. Configure IIS to Use IIS Certificate Mappings
          1. Creating a Certificate Template for User Authentication
          2. Enabling IIS to Use Certificate Based Authentication
          3. Defining the Mappings in IIS
      9. Best Practices
      10. Case Study: The Phone Company
        1. Scenario
          1. The Customer Billing System
          2. The Benefits Web Application
        2. Case Study Questions
      11. Additional Information
    5. 18. Secure E-Mail
      1. Securing E-Mail
        1. Secure/Multipurpose Internet Mail Extensions (S/MIME)
          1. E-Mail Digital Signing Process
          2. E-Mail Encryption Process
        2. SSL for Internet Protocols
          1. Installing the Web Server Certificate
          2. Enabling SSL for an RFC-Based Protocol
          3. Enabling SSL in the E-mail Applications
      2. Choosing Certification Authorities
        1. Choosing Commercial CAs
        2. Choosing Private CAs
      3. Choosing Certificate Templates
        1. A Combined Signing and Encryption Template
        2. Dual Certificates for E-Mail
          1. E-Mail Signing Certificate Template
            1. General Tab
            2. Request Handling Tab
          2. E-Mail Encryption Certificate Template
      4. Choosing Deployment Methods
      5. Enabling Secure E-Mail
        1. Enabling Outlook
        2. Enabling OWA
        3. Enabling Outlook Express
        4. Sending Secure E-Mail
      6. Migrating from Previous Exchange Server Versions
        1. Upgrade to Exchange 2000
        2. Enable Key Archival at the Windows Server 2003 Enterprise CA
        3. Install an Encryption Certificate at the Enterprise CA
        4. Enable Foreign Certificate Import at the Enterprise CA
        5. Export the Exchange KMS Database
        6. Import the Exchange KMS Database into Enterprise CA Database
      7. Best Practices
      8. Case Study: Adventure Works
        1. Scenario
        2. Case Study Questions
      9. Additional Information
    6. 19. Virtual Private Networking
      1. Certificate Deployment for VPN
        1. Point-to-Point Tunneling Protocol (PPTP)
        2. Layer Two Tunneling Protocol (L2TP) with IP Security
      2. Certificate Template Design
        1. User Authentication
        2. Server Authentication
        3. IPSec Endpoint Authentication
      3. Deploying a VPN Solution
        1. IAS Server Configuration
          1. Install Internet Authentication Service (IAS)
          2. Define RADIUS clients
          3. Define the VPN Access Policy
          4. Enable Logging at the IAS Server
        2. VPN Server Configuration
        3. Create a VPN Connection Object
          1. Creating a Connection Object in Windows 2000
          2. Creating a Connection Object in Windows XP
          3. Connecting to the VPN
      4. Best Practices
      5. Case Study: Lucerne Publishing
        1. Scenario
      6. Additional Information
    7. 20. Wireless Networking
      1. Threats Introduced by Wireless Networking
      2. Protecting for Wireless Communications
        1. MAC Filtering
        2. Wired Equivalent Privacy
        3. Wi-Fi Protected Access
      3. 802.1x Authentication Types
        1. EAP/TLS Authentication
        2. PEAP Authentication
        3. How 802.1x Authentication Works
      4. Planning Certificates for 802.1x Authentication
        1. Computer Certificates for RADIUS Servers
        2. User Certificates for Clients
        3. Computer Certificates for Clients
      5. Deploying Certificates to Users and Computers
        1. RADIUS Server
        2. Client Computers
        3. Users
      6. Implementing 802.1x Authentication
        1. Configuring the RADIUS Server
          1. Install IAS
          2. Add the IAS Server to the RAS and IAS Servers Group
          3. Define RADIUS Clients
          4. Define a Wireless Computer Remote Access Policy
          5. Define the Wireless User Remote Access Policy
        2. Configuring the Wireless Access Point
        3. Connecting to the Wireless Network
      7. Best Practices
      8. Case Study: Margie's Travel
        1. Scenario
        2. Case Study Questions
      9. Additional Information
    8. 21. Code Signing
      1. How Code Signing Works
      2. Certification of Code Signing Certificates
        1. Commercial Certification
        2. Corporate Certification
      3. Planning Deployment of Code Signing Certificates
        1. Certificate Template Design
        2. Planning Enrollment Methods
      4. Performing Code Signing
        1. Gathering the Required Tools
        2. Using Signcode.exe
        3. Visual Basic for Applications Projects
      5. Verifying the Signature
        1. Internet Explorer
        2. The Check Trust Program (Chktrust.exe)
      6. Best Practices
      7. Case Study: Lucerne Publishing
        1. Scenario
        2. Case Study Questions
      8. Additional Information
    9. A. Case Study Answers
      1. Chapter 1: Basics of Cryptography
      2. Chapter 2: Primer to PKI
      3. Chapter 3: Policies and PKI
      4. Chapter 4: Preparing an Active Directory Environment
      5. Chapter 5: Designing a Certification Authority Hierarchy
      6. Chapter 6: Implementing a CA Hierarchy
        1. Fabrikam Corporate Root CA
        2. Fabrikam Corporate Policy CA
        3. Fabrikam Corporate Issuing CA
      7. Chapter 7: Securing a CA Hierarchy
      8. Chapter 8: Designing Certificate Templates
      9. Chapter 9: Certificate Validation
      10. Chapter 10: Role Separation
      11. Chapter 11: Planning and Implementing Disaster Recovery
      12. Chapter 12: Deploying Certificates
      13. Chapter 13: Creating Trust Between Organizations
      14. Chapter 14: Archiving Encryption Keys
      15. Chapter 15: Smart Card Deployment
      16. Chapter 16: Encrypting File System
      17. Chapter 17: Implementing SSL Encryption for Web Servers
      18. Chapter 18: Secure E-Mail
      19. Chapter 19: Virtual Private Networking
      20. Chapter 20: Wireless Networking
      21. Chapter 21: Code Signing
  9. Index
  10. About the Authors
  11. Copyright