Windows Server® 2008 PKI and Certificate Security

Book description

Get in-depth guidance for designing and implementing certificate-based security solutions—straight from PKI expert Brian Komar. No need to buy or outsource costly PKI services when you can use the robust PKI and certificate-based security services already built into Windows Server 2008! This in-depth reference teaches you how to design and implement even the most demanding certificate-based security solutions for wireless networking, smart card authentication, VPNs, secure email, Web SSL, EFS, and code-signing applications using Windows Server PKI and certificate services. A principal PKI consultant to Microsoft, Brian shows you how to incorporate best practices, avoid common design and implementation mistakes, help minimize risk, and optimize security administration.

Table of contents

  1. Windows Server® 2008 PKI and Certificate Security
  2. Acknowledgments
  3. Foreword
  4. Introduction
    1. About This Book
    2. Windows Server 2008 PKI and Certificate Security Companion CD
    3. System Requirements
  5. I. Foundations of PKI
    1. 1. Cryptography Basics
      1. Encryption Types
      2. Algorithms and Keys
      3. Data Encryption
        1. Symmetric Encryption
          1. Symmetric Algorithms
        2. Asymmetric Encryption
        3. Asymmetric Signing Process
          1. Asymmetric Algorithms
        4. Combining Symmetric and Asymmetric Encryption
      4. Digital Signing of Data
        1. The Hash Process
        2. Hash Algorithms
        3. Combining Asymmetric Signing and Hash Algorithms
      5. Cryptography Next Generation (CNG)
        1. Features of CNG
        2. Algorithms Supported
        3. Supported Clients and Applications
      6. Case Study: Microsoft Applications and Their Encryption Algorithms
        1. Opening the EFS White Paper
        2. Case Study Questions
      7. Additional Information
    2. 2. Primer to PKI
      1. Certificates
        1. X.509 Version 1
        2. X.509 Version 2
        3. X.509 Version 3
      2. Certification Authorities
        1. Root CA
        2. Intermediate CA
        3. Policy CA
        4. Issuing CA
      3. Certificate Revocation Lists
        1. Types of CRLs
        2. Revocation Reasons
        3. Online Certificate Status Protocol (OCSP)
        4. OCSP Client
        5. Online Responder Service
      4. Case Study: Inspecting an X.509 Certificate
        1. Opening the Certificate File
        2. Case Study Questions
      5. Additional Information
    3. 3. Policies and PKI
      1. Security Policy
        1. Defining Effective Security Policies
        2. Resources for Developing Security Policies
        3. Effects of External Policies on Your PKI
        4. Defining PKI-Related Security Policies
      2. Certificate Policy
        1. Contents of a Certificate Policy
        2. Certificate Policy Example
      3. Certification Practice Statement (CPS)
        1. CPS Section: Introduction
        2. CPS Section: Publication and Repository Responsibilities
        3. CPS Section: Identification and Authentication
        4. CPS Section: Certificate Life-Cycle Operational Requirements
        5. CPS Section: Facility, Management, and Operational Controls
        6. CPS Section: Technical Security Controls
        7. CPS Section: Certificate, CRL, and OCSP Profiles
        8. CPS Section: Compliance Audit and Other Assessment
        9. CPS Section: Other Business and Legal Matters
      4. Case Study: Planning Policy Documents
        1. Design Requirements
        2. Case Study Questions
      5. Additional Information
  6. II. Establishing a PKI
    1. 4. Preparing an Active Directory Environment
      1. Analyzing the Active Directory Environment
      2. Upgrading the Schema
        1. Identifying the Schema Operations Master
        2. Performing the Schema Update
        3. Modifying the Scope of the Cert Publishers Groups
          1. Cert Publishers Population When the Group Is a Domain Local Group
          2. Cert Publishers Strategies If the Group Is a Global Group
            1. Modifying Permissions in Active Directory
            2. Changing the Scope of the Cert Publishers group
      3. Deploying Windows Server 2008 Enterprise CAs in Non–AD DS Environments
      4. Case Study: Preparing Active Directory Domain Services
        1. Network Details
        2. Case Study Questions
      5. Additional Information
    2. 5. Designing a Certification Authority Hierarchy
      1. Determining the Number of Tiers in a CA Hierarchy
        1. Single-Tier CA Hierarchy
        2. Two-Tier CA Hierarchy
        3. Three-Tier CA Hierarchy
        4. Four-Tier CA Hierarchy
      2. Organizing Issuing CAs
      3. Choosing an Architecture
      4. Gathering Required Information
        1. Identifying PKI-Enabled Applications
          1. PKI-Enabled Applications
          2. Identifying Certificate Recipients
        2. Determining Security Requirements
        3. Determining Technical Requirements
          1. Specifying PKI Management Roles
          2. Minimizing Risk of CA Failure
          3. Determining Certificate Validity Periods
          4. Choosing Key Length
          5. Determining Publication Points
        4. Determining Business Requirements
        5. Determining External Requirements
      5. Collecting AD DS Requirements
        1. Naming Conventions
        2. Choosing Domains for CA Computer Accounts
        3. Choosing an Organizational Unit Structure
      6. Case Study: Identifying Requirements
        1. Case Study Questions
      7. Additional Information
    3. 6. Implementing a CA Hierarchy
      1. CA Configuration Files
        1. CAPolicy.inf File
          1. Creating the CAPolicy.inf File
          2. Sample CAPolicy.inf Contents
          3. CAPolicy.inf File Sections
            1. [Version]
            2. [PolicyStatementExtension]
            3. [AuthorityInformationAccess] and [CRLDistributionPoint]
            4. [EnhancedKeyUsageExtension]
            5. [BasicConstraintsExtension]
            6. [certsrv_server]
        2. Pre-Installation Scripts
          1. Publishing Certificates and CRLs to the Local Computer Store
          2. Publishing Certificates and CRLs to AD DS
        3. Post-Installation Scripts
          1. Declaring the Configuration Naming Context
          2. Defining CRL Publication Intervals
          3. Defining Publication Points
            1. Defining CRL Distribution Points
            2. Defining CA Certificate Distribution Points
          4. Defining Validity Periods for Issued Certificates
          5. Enabling Auditing at the CA
            1. PKI Auditing Categories
            2. PKI Auditing Details
            3. CNG Auditing
          6. Publishing an Updated CRL
      2. Implementing a Three-Tier CA Hierarchy
        1. Implementing an Offline Root CA
          1. Creating a CAPolicy.inf File
          2. Installing Certificate Services
          3. Post-Installation Configuration
        2. Implementing an Offline Policy CA
          1. Pre-Installation Configuration
          2. Creating a CAPolicy.inf File
          3. Installing Certificate Services
          4. Post-Installation Configuration
        3. Implementing an Online Issuing CA
          1. Pre-Installation Configuration
            1. Installing Certificates Locally at the Issuing CA
            2. Publishing Certificates and CRLs into AD DS
            3. Copying Certificates and CRLs to HTTP Publication Points
          2. Creating a CAPolicy.inf File
          3. Installing Certificate Services
          4. Post-Installation Configuration
      3. Implementing an Enterprise Root CA
        1. Creating a CAPolicy.inf File
        2. Installing Active Directory Certificate Services
        3. Post-Installation Configuration
      4. Enabling Auditing
      5. Verifying Installation
      6. Case Study: Deploying a PKI
        1. Case Study Questions
          1. Fabrikam Corporate Root CA
          2. Fabrikam Corporate Policy CA
          3. Fabrikam Corporate Issuing CA
      7. Additional Information
    4. 7. Upgrading Your Existing Microsoft PKI
      1. Supported Scenarios
        1. What Versions Can You Upgrade to Windows Server 2008?
        2. 32-Bit to 64-Bit Considerations
          1. Deploying New CAs to Replace the Existing CAs
          2. Upgrading and Then Migrating
          3. Migrating and Then Upgrading
      2. Performing the Upgrade
        1. Upgrading the Schema
        2. Upgrading Certificate Templates
        3. Performing the Upgrade
        4. Post-Upgrade Operations
          1. Changing the Hash Algorithm for a CryptoAPI Version 1 CSP
          2. Changing the Hash Algorithm for a CNG CSP
          3. Implement Discrete Signatures
      3. Case Study: Upgrading an Existing PKI
        1. Case Study Questions
          1. Humongous Insurance Internal Root CA
          2. Humongous Insurance Internal Policy CA
          3. Humongous Insurance Internal Issuing CAs
      4. Additional Information
    5. 8. Verifying and Monitoring Your Microsoft PKI
      1. Verifying the Installation
        1. PKI Health Tool
          1. Installing the PKI Health Tool
          2. Setting Global Options
          3. Determining CA Certificate and CRL Access
          4. Examining Active Directory Certificate Stores
        2. Certutil
          1. Checking the Validity of a Specific Certificate
            1. Certutil Success Examples
            2. Certutil Failure Examples
          2. Viewing a Certificate Store
      2. Ongoing Monitoring
        1. CAMonitor.vbs Script
          1. CA Monitoring Options
          2. CA Monitor Notification Options
          3. CA Monitoring Events to Include in an Event Monitoring Package
          4. Implementing the CA Monitoring Script
        2. Microsoft Operations Manager Certificate Services Management Pack
          1. What’s Included in the Certificate Services Management Pack
          2. Operations Manager 2007 Computer Groups
          3. Certificate Services Management Pack Rule Groups and Rules
          4. Using Views in Systems Center Operations Manager 2007
          5. Deploying the Management Pack
            1. Configuring Firewall Rules
            2. Installing the Operations Manager Agent
            3. Importing the Management Pack
            4. Verifying Communications
          6. Operations
          7. Other Events to Monitor
      3. Case Study: Verifying a PKI Deployment
        1. CA Hierarchy Details
        2. CA Hierarchy Verification Questions
        3. Monitoring Requirements
        4. Monitoring Questions
      4. Additional Information
    6. 9. Securing a CA Hierarchy
      1. CA Configuration Measures
      2. Designing Physical Security Measures
      3. Securing the CA’s Private Key
        1. Private Key Stored in the Local Machine Store
        2. Private Keys Stored on Smart Cards
        3. Private Keys Stored on Hardware Security Modules
      4. Hardware Security Modules
        1. Categories of HSMs
          1. Dedicated HSMs
          2. Network-Attached HSMs
        2. HSM Deployment Methods
          1. Dedicated HSMs on Each CA
          2. Network-Attached HSMs Shared by All CAs
          3. Dedicated HSMs on Offline CAs, Network-Attached HSMs on Online CAs
          4. Preventing the HSM from Being a Single Point of Failure
      5. Case Study: Planning HSM Deployment
        1. Scenario
        2. Case Study Questions
      6. Additional Information
    7. 10. Certificate Revocation
      1. When Do You Revoke Certificates?
        1. Revocation Reasons
        2. Revocation Policy
        3. Performing Revocation
      2. Methods of Identifying Revoked Certificates
      3. Problems with CRLs
        1. Latency
        2. Caching of CRLs
        3. Support for Delta CRLs
      4. Online Certificate Status Protocol (OCSP)
        1. Microsoft’s Implementation of OCSP
          1. OCSP Components
          2. The OCSP Process
        2. Implementing the Microsoft Online Responder
          1. Installing the Online Responder Service
          2. Configuring the CAs
          3. Configuring the OCSP Response Signing Certificate Template
            1. Designing the Template
            2. Enrollment
            3. Renewal
          4. Configuring the Online Responder
            1. Web Proxy Settings
            2. Audit Settings
            3. Security Settings
          5. Managing Revocation Configurations
            1. Creating a Revocation Configuration
            2. Modifying a Revocation Configuration
            3. Deleting A Revocation Configuration
        3. Providing High Availability for the Online Responder
          1. Adding Members
          2. Designating an Array Controller
          3. Backup and Restoration
      5. Case Study: Planning Revocation
        1. Design Requirements
        2. Case Study Questions
      6. Additional Information
    8. 11. Certificate Validation
      1. Certificate Validation Process
        1. Certificate Validity Checks
        2. Revocation Checking Methods
        3. Changing the Default Validation Behavior
          1. Changing Revocation Checking Behavior
          2. Changing CRL Caching Behavior
      2. Building Certificate Chains
        1. Exact Match
        2. Key Match
        3. Name Match
      3. Designing PKI Object Publication
        1. Choosing Publication Protocols
        2. Choosing Publication Points
          1. CDP URL Ordering Issues
        3. Choosing Publication Intervals
      4. Troubleshooting Certificate Validation
        1. CAPI Diagnostics
          1. Enabling CAPI2 Diagnostics
          2. CAPI Monitoring Overview
            1. CAPI2 Events
            2. CAPI2 Event Correlation
          3. Common Errors
            1. Path Validation Errors
            2. Network Retrieval Errors
            3. Revocation Check Failures
            4. Certificate Path Discovery Errors
            5. Chain Policy Errors
      5. Case Study: Choosing Publication Points
        1. Design Requirements
        2. Case Study Questions
        3. Troubleshooting Exercise
      6. Additional Information
    9. 12. Designing Certificate Templates
      1. Certificate Template Versions
        1. Version 1 Certificate Templates
        2. Version 2 Certificate Templates
        3. Version 3 Certificate Templates
        4. Enrolling Certificates Based on Certificate Templates
      2. Default Certificate Templates
      3. Modifying Certificate Templates
        1. Modifying Version 1 Certificate Template Permissions
        2. Modifying Version 2 and Version 3 Certificate Templates
          1. Security Tab
          2. General Tab
          3. Request Handling Tab
            1. Version 2 Certificate Templates
            2. Version 3 Certificate Templates
          4. Cryptography Tab
          5. Subject Name Tab
          6. Issuance Requirements Tab
          7. Superseded Templates Tab
          8. Extensions Tab
      4. Case Study: Certificate Template Design
        1. Requirements
        2. Case Study Questions
        3. Best Practices for Certificate Template Design
      5. Additional Information
    10. 13. Role Separation
      1. Common Criteria Roles
        1. Common Criteria Levels
          1. Security Level 1
          2. Security Level 2
          3. Security Level 3
          4. Security Level 4
        2. Windows Implementation of Common Criteria
          1. CA Administrator
          2. Certificate Manager
          3. Auditor
          4. Backup Operator
        3. Assigning Common Criteria Roles
          1. CA Manager
          2. Certificate Manager
          3. Auditor
          4. Backup Operator
        4. Implementing Certificate Manager Restrictions
        5. Enforcing Common Criteria Role Separation
      2. Other PKI Management Roles
        1. Local Administrator
        2. Enterprise Admins
          1. Enterprise Admins Tasks
        3. Certificate Template Manager
          1. Certificate Template Manager Tasks
          2. Assigning the Certificate Template Manager Role
            1. Delegate Permissions for Creation of New Templates
            2. Delegate Permissions for Creation of New OIDs
            3. Delegate Permissions to Every Existing Certificate Template in the Certificate
          3. Editing Existing Certificate Templates
        4. Enrollment Agent
          1. Enrollment Agent Tasks
          2. Assigning the Enrollment Agent Role
        5. Key Recovery Agent
          1. Key Recovery Agent Tasks
          2. Assigning the Key Recovery Agent Role
      3. Case Study: Planning PKI Management Roles
        1. Scenario
        2. Case Study Questions
      4. Additional Information
    11. 14. Planning and Implementing Disaster Recovery
      1. Developing Required Documentation
      2. Choosing a Backup Method
        1. Who Can Perform Backups of Certificate Services
        2. System State Backups
        3. Windows Server Backups
        4. Manual Backups
      3. Performing a System State Backup
        1. Installing Windows Server Backup
        2. Performing a System State Backup
      4. Performing Windows Server Backups
        1. Creating a Scheduled Windows Server Backup
        2. Performing a One-Time-Only Windows Server Backup
      5. Performing Manual Backups
        1. Using the Certification Authority Console
        2. Certutil Commands
      6. Restoration Procedures
        1. Determining Backup Versions
        2. Restoring a System State Backup
        3. Restoring a Windows Server Backup
          1. Creating a Windows Recovery Disc
          2. Restoring the Entire Server
        4. Restoring a Manual Backup
          1. Reinstalling Certificate Services
          2. Restoring Manual Backups
      7. Evaluating Backup Methods
        1. Hardware Failure
        2. Certificate Services Failure
        3. Server Replacement
      8. Availability Options
        1. CRL Re-Signing
        2. HSM Fail Over
        3. Clustering Certificate Services
          1. CA Clustering Guidelines
          2. Preparing the CA Cluster Environment
          3. Installing the First Node of the CA Cluster
            1. Ensure that Prerequisites Are Met
            2. Installing Certificate Services
            3. Making the CA’s Certificate and Private Key Available to the Second Node
            4. Preparing for the Installation of the Second Node
          4. Installing the Second Node of the CA Cluster
            1. Ensure Availability of the Shared Components
            2. Providing Access to the CA Certificate and Private Key
            3. Installing Certificate Services on the Second Node
          5. Configuring the CA Cluster
            1. Installing Failover Clustering
            2. Validating a Failover Cluster Configuration
            3. Creating a Failover Cluster
            4. Configuring the Failover Cluster
            5. Modifying the CRL Distribution Point for the Cluster
            6. Creating CRL Objects for the Cluster
            7. Modifying the CA Configuration in Active Directory (AD DS)
            8. Modifying the DNS Name for the Cluster in Active Directory Domain Services (AD DS)
          6. Testing CA Cluster Failover
      9. Case Study: Replacing Server Hardware
        1. Scenario
        2. Case Study Questions
      10. Additional Information
    12. 15. Issuing Certificates
      1. Certificate Enrollment Methods
      2. Choosing an Enrollment Method
        1. Choosing Among Manual Enrollment Methods
        2. Choosing Among Automatic Enrollment Methods
      3. Publishing Certificate Templates for Enrollment
      4. Performing Manual Enrollment
        1. Requesting Certificates by Running the Certificate Enrollment Wizard
          1. Preparing the Certificates Console
          2. Requesting a Certificate by Using the Certificates Console
        2. Using Web Enrollment to Request a Certificate
        3. Completing a Pending Certificate Request
        4. Submitting a Certificate Request from Network Devices and Other Platforms
      5. Performing Automatic Enrollment
        1. Automatic Certificate Request Settings
        2. Autoenrollment Settings
          1. Configuring Certificate Templates
          2. Configuring Group Policy
        3. Performing Scripted Enrollment
          1. Certreq.exe
          2. Custom Scripting
          3. Sample Scripts
      6. Credential Roaming
        1. What Is Included in the Roaming
        2. How Does CRS Use Active Directory Domain Services?
        3. Requirements
        4. Group Policy Settings
      7. Case Study: Selecting a Deployment Method
        1. Scenario
        2. Case Study Questions
      8. Additional Information
    13. 16. Creating Trust Between Organizations
      1. Methods of Creating Trust
        1. Certificate Trust Lists
        2. Common Root CAs
          1. Commercial CAs
          2. Umbrella Groups
        3. Cross Certification
        4. Bridge CAs
        5. Name Constraints
          1. Processing Name Constraints
          2. Name Formats
          3. Defining Name Constraints
        6. Basic Constraints
        7. Application Policies
          1. Determining Application Policy OIDs
          2. Defining Application Policies
        8. Certificate Policies
          1. Default Certificate Policies
          2. Custom Certificate Policies
          3. Implementing Certificate Policies
        9. Best Practices
      2. Implementing Cross Certification with Constraints
        1. Creating the Cross Certification Signing Certificate Template
        2. Publishing the Cross Certification Signing Certificate Template
        3. Implementing the Policy.inf File
        4. Acquiring a Partner’s CA Certificate
        5. Generating the Cross Certification Authority Certificate
          1. Creating the Cross Certification Authority Request File
          2. Submitting the Cross Certification Authority Request
        6. Publishing to Active Directory Domain Services
      3. Verifying Cross Certification Constraints
      4. Case Study: Trusting Certificates from Another Forest
        1. Case Study Questions
      5. Additional Information
  7. III. Deploying Application-Specific Solutions
    1. 17. Identity Lifecycle Manager 2007 Certificate Management
      1. Key Concepts
        1. Profile Templates
        2. CLM Roles
        3. Permissions
        4. Permission Assignment Locations
        5. CLM Components
      2. Planning an ILM 2007 Certificate Management Deployment
        1. Management Policies
        2. Registration Models
          1. Self-Service Registration Model
          2. Permission Requirements for the Self-Service Registration Model
          3. Manager-Initiated Registration Model
          4. Permission Requirements for the Manager-Initiated Registration Model
          5. Centralized Registration Model
          6. Permission Requirements for the Centralized Registration Model
      3. Deploying ILM 2007 Certificate Management
        1. Installation of Server
          1. Installation Requirements
            1. Hardware Requirements
            2. Software Requirements
            3. Infrastructure Requirements
          2. Preparing the Schema
          3. Performing the Installation
        2. Configuration of Server
          1. Agent Accounts
          2. Agent Certificates
          3. SQL Server Authentication
          4. SMTP Server
          5. Running the CLM Configuration Wizard
            1. Verifying the SMTP Service
            2. Enabling Kerberos Delegation of the clmWebPool Account
            3. Verifying the clmWebPool Service Principal Names
          6. Enabling the Certificate Lifecycle Manager Service
            1. Certificate Lifecycle Manager Service Functionality
            2. Certificate Lifecycle Manager Service Configuration
        3. CA Component Installation
          1. Creating a SQL Login for the CA Computer Account
          2. Verifying the SQL Service SPN
          3. Defining a Connection String at the CA
      4. Deploying a Code Signing Certificate
        1. Defining Certificate Template Permissions
        2. Creating a Profile Template
          1. Defining Profile Template Details
          2. Enrollment
            1. Assigning Permissions
            2. Defining the Management Policy
          3. Revoke Policy
            1. Assigning Permissions
            2. Defining the Management Policy
        3. Executing the Management Policies
          1. Performing an Enrollment
          2. Performing a Revocation
      5. Case Study: Contoso, Ltd.
        1. Proposed Solution
        2. Case Study Questions
      6. Best Practices
      7. Additional Information
    2. 18. Archiving Encryption Keys
      1. Roles in Key Archival
      2. The Key Archival Process
      3. The Key Recovery Process
      4. Requirements for Key Archival
        1. Defining Key Recovery Agents
          1. Deploying a Software-Based Key Recovery Agent Certificate
            1. Requesting the Key Recovery Agent Certificate
            2. Issuing the Pending Certificate
            3. Installing and Exporting the Key Recovery Agent Certificates
            4. Exporting the Certificate and Private Key
          2. Deploying a Smart Card–Based Key Recovery Agent Certificate
            1. Creating a Combined Login and Recovery Certificate Template
            2. Requesting a Custom Key Recovery Agent Certificate
            3. Installating the Key Recovery Agent Certificate
        2. Enabling a CA for Key Archival
        3. Enabling Key Archival in a Certificate Template
      5. Performing Key Recovery
        1. Using Certutil to Perform Key Recovery
        2. Performing Key Recovery with ILM 2007 Certificate Management
      6. Case Study: Lucerne Publishing
        1. Scenario
        2. Case Study Questions
      7. Best Practices
      8. Additional Information
    3. 19. Implementing SSL Encryption for Web Servers
      1. How SSL Works
      2. Certificate Requirements for SSL
      3. Choosing a Web Server Certificate Provider
      4. Placement of Web Server Certificates
        1. Single Web Server
        2. Clustered Web Servers
        3. Web Server Protected by ISA Server with Server Publishing
        4. Web Server Protected by ISA Server with Web Publishing
          1. Implementing End-to-End SSL
          2. Implementing SSL Between the Web Client and Computer Running ISA Server
      5. Choosing a Certificate Template
      6. Issuing Web Server Certificates
        1. Issuing Web Server Certificates to Domain Members
          1. Performing the Request for Windows 2000 Server and Windows Server 2003
            1. Requesting and Installing the Web Server Certificate
            2. Enabling SSL at the IIS Web Server
          2. Performing the Request for Windows Server 2008
            1. Requesting and Installing the Web Server Certificate
            2. Binding the Web Server Certificate to the Web Site
            3. Enabling SSL
        2. Issuing Web Server Certificates to Non-Forest Members
          1. Generating the Web Server Certificate Request
            1. Generating a Request for Windows 2000 and Windows Server 2003
            2. Generating a Request for Windows Server 2008
          2. Submitting the Request File
          3. Installing the Web Server Certificate at the Web Server
            1. Installing a Web Server Certificate on Windows 2000 or Windows Server 2003
            2. Installing a Web Server Certificate on Windows Server 2008
        3. Issuing Web Server Certificates to Third-Party Web Servers and Web Acceleration Devices
      7. Certificate-Based Authentication
        1. Defining Certificate Mapping
          1. One-to-One Mappings
          2. Many-to-One Mappings
          3. Combining One-to-One and Many-to-One Mappings
      8. Performing Certificate-Based Authentication
        1. Creating a Certificate Template
        2. Defining the Mapping in Active Directory Domain Services
          1. Enabling Implicit Certificate Mappings
          2. Enabling Explicit Mappings
        3. Enabling Windows Server 2003 to Use Certificate Mapping
        4. Enabling Windows Server 2008 to Use Certificate Mapping
        5. Connecting to the Web Site
      9. Case Study: The Phone Company
        1. Scenario
          1. The Customer Billing System
          2. The Benefits Web Application
        2. Case Study Questions
      10. Best Practices
      11. Additional Information
    4. 20. Encrypting File System
      1. EFS Processes
        1. How Windows Chooses an EFS Encryption Certificate
        2. Local EFS Encryption
        3. Remote Encryption
          1. Remote EFS Encryption for Windows 2000 and Windows XP Clients
          2. Remote Encryption Changes for Windows Vista
        4. EFS Decryption
        5. EFS Data Recovery
      2. One Application, Two Recovery Methods
        1. Data Recovery
          1. Defining EFS Recovery Agents
            1. Obtain an EFS Recovery Agent Certificate
            2. Designate the EFS Recovery Agent
          2. Securing the Private Keys
        2. Key Recovery
      3. Implementing EFS
        1. Enabling and Disabling EFS
          1. Enabling EFS
          2. Disabling EFS
        2. Certificate Templates for EFS Encryption
          1. EFS Recovery Agent Certificate Template
          2. Key Recovery Agent Certificate Template
          3. EFS User Certificate Template
        3. Certificate Enrollment
          1. EFS Recovery Agent and Key Recovery Agent Certificates
          2. EFS User Certificates
      4. What’s New in Windows Vista for EFS Management
      5. Case Study: Lucerne Publishing
        1. Scenario
        2. Design Requirements
        3. Proposed Solution
        4. Case Study Questions
      6. Best Practices
      7. Additional Information
    5. 21. Deploying Smart Cards
      1. Using Smart Cards in an Active Directory Environment
        1. Smart Cards and Kerberos
        2. Requirements for Smart Card Certificates
          1. Requirements Prior to Windows Vista
          2. Requirements for Windows Vista
          3. Changes in Smart Card Logon Behavior
      2. Planning Smart Card Deployment
        1. Deploying Smart Cards with Windows Vista
          1. Enrollment Agent Certificate Requirements
          2. Smart Card Certificate Template Requirements
          3. Restricting Enrollment Agents
          4. Restricting Certificate Managers
          5. Deployment Procedures
            1. Deploying the Enrollment Agent Certificate
            2. Deploying a Smart Card User Certificate
          6. Issues with the Default Deployment Model
        2. Deploying Smart Cards by Using ILM 2007 Certificate Management
          1. Additional Installation Requirements
            1. Supported Cards and Middleware
            2. Certificate Lifecycle Manager Client
            3. Smart Card Printing Station
          2. Creating a Profile Template
            1. Configuring Profile Template Details
            2. Configuring Smart Card Details
            3. Smart Card Enrollment Definition
              1. Assigning Permissions
              2. Defining the Management Policy
            4. Processing the Smart Card Enrollment
          3. Other Smart Card Lifecycle Management Options
            1. Unblocking PINs
              1. Online Unblock
              2. Offline Unblock
      3. Managing Issued Smart Cards
        1. Requiring Smart Cards for Interactive Logon
        2. Requiring Smart Cards at Specific Computers
        3. Requiring Smart Cards for Remote Access
        4. Configuring Smart Card Removal Behavior
        5. Configuring Smart Card Settings
      4. Case Study: City Power and Light
        1. Case Study Questions
      5. Best Practices
      6. Additional Information
    6. 22. Secure E-Mail
      1. Securing E-Mail
        1. Secure/Multipurpose Internet Mail Extensions (S/MIME)
          1. E-Mail Digital Signing Process
          2. E-Mail Encryption Process
        2. SSL for Internet Protocols
          1. Installing the Web Server Certificate
          2. Enabling SSL for an RFC-Based Protocol
          3. Enabling SSL in the E-Mail Applications
      2. Choosing Certification Authorities
        1. Choosing Commercial CAs
        2. Choosing Private CAs
      3. Choosing Certificate Templates
        1. A Combined Signing and Encryption Template
        2. Dual Certificates for E-Mail
          1. E-Mail Signing Certificate Template
            1. General Tab
            2. Request Handling Tab
          2. E-Mail Encryption Certificate Template
      4. Choosing Deployment Methods
        1. Software-Based Certificate Deployment
        2. Smart Card–Based Certificate Deployment
      5. Enabling Secure E-Mail
        1. Enabling Outlook
          1. Outlook 2003
          2. Outlook 2007
        2. Enabling S/MIME in OWA
        3. Sending Secure E-Mail
      6. Case Study: Adventure Works
        1. Scenario
        2. Case Study Questions
      7. Best Practices
      8. Additional Information
    7. 23. Virtual Private Networking
      1. Certificate Deployment for VPN
        1. Point-to-Point Tunneling Protocol (PPTP)
        2. Layer Two Tunneling Protocol (L2TP) with Internet Protocol Security
        3. Secure Sockets Tunneling Protocol (SSTP)
      2. Certificate Template Design
        1. User Authentication
        2. Server Authentication
        3. IPsec Endpoint Authentication
        4. SSTP Endpoint Authentication
      3. Deploying a VPN Solution
        1. Network Policy Server Configuration
          1. Install the RADIUS Server
          2. Add the RADIUS Server to Each Domain’s RAS and IAS Servers Group
          3. Define RADIUS clients
          4. Define the VPN Access Policy
          5. Enable Logging at the RADIUS Server
        2. VPN Server Configuration
        3. Create a VPN Client Connection
          1. Creating a Client Connection in Windows XP
          2. Creating a Client Connection in Windows Vista
          3. Connecting to the VPN
      4. Case Study: Lucerne Publishing
        1. Scenario
        2. Case Study Questions
      5. Best Practices
      6. Additional Information
    8. 24. Wireless Networking
      1. Threats Introduced by Wireless Networking
      2. Protecting Wireless Communications
        1. MAC Filtering
        2. Wired Equivalent Privacy
        3. Wi-Fi Protected Access (WPA) and WPA2
      3. 802.1x Authentication Types
        1. EAP-TLS Authentication
        2. PEAP Authentication
        3. How 802.1x Authentication Works
      4. Planning Certificate for 802.1x Authentication
        1. Computer Certificates for RADIUS Servers
        2. User Certificates for Clients
        3. Computer Certificates for Clients
      5. Deploying Certificates to Users and Computers
        1. RADIUS Server
        2. Client Computers
        3. Users
      6. Implementing 802.1x Authentication
        1. Configuring the RADIUS Server
          1. Install the RADIUS Server
          2. Add the RADIUS Server to Each Domain’s RAS and IAS Servers Group
          3. Define RADIUS Clients
          4. Define a Network Access Policy for Wireless Computers
          5. Define the Wireless User Remote Access Policy
        2. Configuring the Wireless Access Point
        3. Connecting to the Wireless Network
          1. Windows XP Wireless Connections
          2. Windows Vista Wireless Connections
        4. Using Group Policy to Enforce Correct Wireless Client Configuration
      7. Case Study: Margie’s Travel
        1. Scenario
        2. Case Study Questions
      8. Best Practices
      9. Additional Information
    9. 25. Document and Code Signing
      1. How Code Signing Works
      2. How Document Signing Works
      3. Certification of Signing Certificates
        1. Commercial Certification of Code Signing Certificates
        2. Corporate Certification of Code Signing and Document Signing Certificates
      4. Planning Deployment of Signing Certificates
        1. Certificate Template Design
          1. Code Signing
          2. Document Signing
        2. Planning Enrollment Methods
        3. Time Stamping Considerations
      5. Performing Code Signing
        1. Gathering the Required Tools
        2. Using SignTool.exe
        3. Visual Basic for Applications Projects
      6. Performing Document Signing
        1. Microsoft Office 2007 Documents
        2. Adobe PDF Documents
      7. Verifying the Signature
        1. Internet Explorer
        2. Validating Signed Code
        3. Microsoft Office Documents
        4. PDF Documents
      8. Case Study: Lucerne Publishing
        1. Scenario
        2. Case Study Questions
      9. Best Practices
      10. Additional Information
    10. 26. Deploying Certificates to Domain Controllers
      1. Changes in Domain Controller Certificates
        1. History of Domain Controller Certificates
        2. Enforcing Strong KDC Validation
        3. Windows Server 2008 Domain Controller Certificate Selection
      2. Deploying Domain Controller Certificates
        1. Automatic Certificate Request Settings
        2. Autoenrollment
      3. Third-Party CAs or CAs in Other Forests
        1. Add the Internal Root CA as a Trusted Root CA
        2. Add the Subordinate CA Certificates
        3. Define NTAuth Certificates
        4. Enable the SAN Extension for Certificate Requests
        5. Creating the Certificate Requests
      4. Managing Domain Controller Certificates
        1. Verifying Existing Certificates
        2. Replacing Existing Certificates
        3. Removing All Existing Certificates
      5. Case Study: Consolidated Messenger
        1. Deployment Progress
        2. Case Study Questions
      6. Best Practices
      7. Additional Information
    11. 27. Network Device Enrollment Service
      1. History of NDES and Microsoft PKI
      2. Simple Certificate Enrollment Protocol Enroll Process
      3. Implementing an NDES Server
        1. Permission Requirements
        2. CA Requirements
        3. Create the Service Account
        4. Installing the NDES Server
      4. Configuring NDES
        1. Modifying the Registry
        2. Enabling Logging
        3. Backup and Restoration
      5. Case Study: Lucerne Publishing
        1. Requirements
        2. Case Study Questions
      6. Best Practices
      7. Additional Information
    12. A. Case Study Questions and Answers
      1. Chapter 1: Cryptography Basics
      2. Chapter 2: Primer to PKI
      3. Chapter 3: Policies and PKI
      4. Chapter 4: Preparing an Active Directory Environment
      5. Chapter 5: Designing a Certification Authority Hierarchy
      6. Chapter 6: Implementing a CA Hierarchy
        1. Fabrikam Corporate Root CA
        2. Fabrikam Corporate Policy CA
        3. Fabrikam Corporate Issuing CA
      7. Chapter 7: Upgrading Your Existing Microsoft PKI
        1. Humongous Insurance Internal Root CA
        2. Humongous Insurance Internal Policy CA
        3. Humongous Insurance Internal Issuing CAs
      8. Chapter 8: Verifying and Monitoring Your Microsoft PKI
      9. CA Hierarchy Verification Questions
      10. Monitoring Questions
      11. Chapter 9: Securing a CA Hierarchy
      12. Chapter 10: Certificate Revocation
      13. Chapter 11: Certificate Validation
      14. Troubleshooting Exercise
      15. Chapter 12: Designing Certificate Templates
      16. Chapter 13: Role Separation
      17. Chapter 14: Planning and Implementing Disaster Recovery
      18. Chapter 15: Issuing Certificates
      19. Chapter 16: Creating Trust Between Organizations
      20. Chapter 17: Identity Lifecycle Manager 2007 Certificate Management
      21. Chapter 18: Archiving Encryption Keys
      22. Chapter 19: Implementing SSL Encryption for Web Servers
      23. Chapter 20: Encrypting File System
      24. Chapter 21: Deploying Smart Cards
      25. Chapter 22: Secure E-Mail
      26. Chapter 23: Virtual Private Networking
      27. Chapter 24: Wireless Networking
      28. Chapter 25: Document and Code Signing
      29. Chapter 26: Deploying Certificates to Domain Controllers
      30. Chapter 27: Network Device Enrollment Service
  8. B. About the Author
  9. Index
  10. About the Author
  11. Copyright

Product information

  • Title: Windows Server® 2008 PKI and Certificate Security
  • Author(s): Brian Komar
  • Release date: April 2008
  • Publisher(s): Microsoft Press
  • ISBN: 9780735625167