
Chapter 10: Maintaining Network Health

PKI: Public Key Infrastructure.

PKI consists of a number of elements that allow 2 parties to communicate securely without any previous
communication, through the use of a mathematical technique called public key cryptography.

Public key cryptography, as the name implies, stores a piece of information called a public key for each
user, computer, etc. that participates in a PKI.

Each user, computer, etc. also possesses a private key, a piece of information that is known only to that
individual user or computer.

Shared secret key – a cryptography method in which the same secret key is known by both parties.

Certificate Authority (CA) (Root Certificate) – an entity, such as a Windows Server 2008 server running the
AD CS server role, that issues and manages digital certificates for use in a PKI.

Intermediate CAs

CRL (Certificate Revocation List) – identifies certificates that have been revoked or terminated, and the
corresponding user, computer, or service. Services that utilize PKI should reference the CRL to confirm that a
particular certificate has not been revoked prior to its expiration date.

Certutil.exe (Certutil): command-line tool used to manage AD CS.

NAP (Network Access Protection)

NAP includes a number of built-in enforcement methods, which define the mechanisms that NAP can
use:

DHCP enforcement (DHCP is the only NAP method that can be deployed in a non-AD environment; it is
also the least secure enforcement method, as a user can configure their computer with a static IP
configuration to bypass any DHCP enforcement that is in place).

IPSec (Internet Protocol Security) enforcement

VPN (Virtual Private Network) enforcement.

802.1x enforcement

Terminal Services Gateway (TS Gateway) enforcement.
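Because DHCP enforcement can be bypassed with a static IP configuration, administrators usually pair it with a check that reconciles the DHCP lease table against what is actually seen on the wire. The script below is an added example, not part of the original notes; it uses a constructed lease export and a constructed ARP/neighbor table, and the scope and reserved addresses are hypothetical.

```python
"""Flag hosts that appear on the network without a matching DHCP lease.

Constructed sample data (not from the original notes): a DHCP lease export
and an ARP/neighbor table as an administrator might export them. A host seen
on the wire whose IP has no lease, or whose MAC differs from the lease holder,
is a candidate static-IP bypass of DHCP-based NAP enforcement.
"""
from ipaddress import ip_address, ip_network

# Constructed DHCP lease export: "ip mac hostname" per line.
DHCP_LEASES = """\
192.168.10.20 00:11:22:33:44:aa WS-ALICE
192.168.10.21 00:11:22:33:44:bb WS-BOB
192.168.10.22 00:11:22:33:44:cc WS-CAROL
"""

# Constructed neighbor/ARP table: "ip mac" per line.
ARP_TABLE = """\
192.168.10.20 00:11:22:33:44:aa
192.168.10.21 00:11:22:33:44:bb
192.168.10.22 00:11:22:33:44:ff
192.168.10.200 00:11:22:33:44:dd
192.168.10.1 00:00:5e:00:01:01
"""

SCOPE = ip_network("192.168.10.0/24")          # hypothetical DHCP scope
RESERVED = {ip_address("192.168.10.1")}       # hypothetical gateway, never leased


def parse_leases(text):
    """Return {ip: mac} from the lease export (MACs normalised to lower case)."""
    leases = {}
    for line in text.splitlines():
        ip, mac, _host = line.split()
        leases[ip_address(ip)] = mac.lower()
    return leases


def find_unleased_hosts(leases_text, arp_text):
    """Return a sorted list of (ip, mac, reason) for hosts that bypass DHCP."""
    leases = parse_leases(leases_text)
    findings = []
    for line in arp_text.splitlines():
        ip_s, mac = line.split()
        ip, mac = ip_address(ip_s), mac.lower()
        if ip not in SCOPE or ip in RESERVED:   # outside scope or reserved: skip
            continue
        if ip not in leases:
            findings.append((str(ip), mac, "no DHCP lease for this address"))
        elif leases[ip] != mac:
            findings.append((str(ip), mac, "MAC differs from lease holder"))
    return sorted(findings)
```

Run against a real export, each finding is a host to check for a static IP configuration before trusting DHCP enforcement alone.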
