CHAPTER 17

Planning and Maintaining a Security Infrastructure
In this chapter, you will learn how to
• Understand public key infrastructure terms and concepts
• Publish Active Directory and certificates
• Design a public key infrastructure
• Enroll and distribute certificates
• Authenticate smart cards
• Monitor security
• Update a security infrastructure

In the days of old, user logon security was provided using a combination of user names and passwords. Each time a user logged on, the user’s credentials had to be compared against a server’s database for authentication. The problem with this arrangement is that while the user name and password identified the user, there was no way to validate the server. This opens up the potential for man-in-the-middle attacks, where an attacker impersonates the validating server and the user unknowingly passes data to the wrong location. What was needed was a way to validate both the user and the server and ensure that the information is going to the right place. Windows Server 2003 provides the tools to do just that. In this chapter, we look at the mechanisms designed to secure communication between server and client systems, namely, designing a public key infrastructure (PKI).

MCSE Windows Server 2003 All-in-One Exam Guide

Planning a Public Key Infrastructure Using Certificate Services
A public key infrastructure is a collection of software, standards, and policies that are combined to control certificates and public and private keys. A PKI is comprised of several services and components working together to form the PKI. Some of the key components of a PKI include the following:
• Certificates A form of electronic credentials that validates users, computers, or devices on the network. A certificate is a digitally signed statement that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key.
• Certificate authorities (CAs) Entities that validate the identity of a network device or user requesting data. CAs issue and manage certificates. CAs can be either independent third parties, known as public CAs, or organizations running their own certificate-issuing server software, known as private CAs.
• Certificate templates Templates used to customize certificates issued by Windows Server 2003 Certificate Services. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.
• Certificate Revocation List (CRL) A list of certificates that have been revoked before they have reached their expiration date. Certificates are often revoked due to security concerns such as a compromised certificate.

NOTE Each of the PKI elements mentioned here is discussed in more detail throughout this chapter.

Before we get into actually planning and designing a PKI, we thought it best to first review some of the terms and concepts that you will encounter when working with a PKI.

PKI in Action
The following sections discuss areas in which a PKI is normally used. Knowing what a PKI is used for gives you a better idea of whether it is needed in a particular network.

Web Security
In many environments, the Internet has obviously become critical to the daily operation of organizations of all sizes. Despite its benefit to business and the opportunity to expand business, the Internet also brings with it a vast array of security concerns. To increase security and confidence in using the Web as a business tool, PKI offers the following benefits:
• Server authentication With PKI, client systems have a way of validating that the server they are communicating with is indeed the intended server. Without this information, it is possible for people to place themselves between the client and the server and intercept client data by pretending to be the server.
• Client authentication On the other side of the equation, server systems need a method of verifying a client’s identity. PKI provides the mechanisms necessary to validate the client’s identity.
• Confidentiality PKI provides secure data transmissions using encryption strategies between the client and the server.

In application, PKI works with the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol to provide secure HTTP transfers, referred to as HyperText Transfer Protocol Secure (HTTPS). To take advantage of the SSL and TLS protocols, both the client system and the server require certificates issued by a mutually trusted certificate authority (CA). If the server and client have validated each other’s certificates, they can authenticate each other. Then secure communication can occur between the two parties over the Internet.

Digital Signatures
Digital signatures are the electronic equivalent of a sealed envelope and are intended to ensure that a file has not been altered in transit. A digital signature on a file is used to verify not only the publisher of the content or file, but also the integrity of the content at the time of download. On the network, PKI allows you to issue certificates to internal developers/contractors and allows any employee to verify the origin and integrity of downloaded applications.


Secure E-Mail
Today’s organizations rely heavily on e-mail to provide external and internal communications. Some of the information sent via e-mail is not sensitive and does not need security, but for those communications that contain sensitive data, a method is needed to secure e-mail content. PKI is a widely deployed method for securing e-mail transactions. In application, a private key is used to digitally sign outgoing e-mails and the sender’s certificate is sent with the e-mail so the recipient of the e-mail can verify the sender’s signature. In addition to message verification, PKI can encrypt e-mail messages using a public key to encrypt the message and a private key to decrypt it.

Encrypted File System
The Encrypted File System (EFS) is a file encryption technology used to store encrypted files on an NTFS volume. Data encryption is certainly not a new concept, and it plays an integral role in a system’s overall security strategy. EFS encryption, however, works only on the NTFS 5 file system used with Windows 2000/XP and Server 2003. The function of EFS is to scramble, or encrypt, the data on the hard disk, preventing unauthorized users from viewing the protected files. If an unauthorized user attempts to open or copy an encrypted file, he or she will receive an Access Denied error. To authorized users, however, working with encrypted files is no different than working with any other file. For instance, it is not necessary to “decrypt” a file before using it. By default on a Windows Server 2003 system, only the creator of the file and the system’s designated recovery agent can access the encrypted files. In addition to encrypting files, in Windows Server 2003, it is also possible to mark folders for encryption. This means that files created in or copied to an encrypted folder will automatically become encrypted. The folder itself, however, is not actually encrypted: anyone who has the file access permissions to the folder can open it and look at the names of the files within it. They cannot, however, open and access the files within it.

EFS uses PKI technology to provide the mechanisms needed to encrypt files and for EFS file recovery. For each file that is to be encrypted using EFS, a random secret key is generated and used to encrypt the file. A copy of that secret key, encrypted with the user’s public key, is stored with the file. When retrieving the file, EFS transparently unwraps this copy of the secret key using the user’s private key. The secret key is then used to decrypt the file in real time during file read and write operations. Similarly, a recovery agent may decrypt the file by using the recovery agent’s private key to access the secret key.

Public and Private Keys
Discussions of PKI will certainly include mention of public and private keys. In fact, it is hard to get started without a good understanding of these and how they are associated with PKI. The term key is used for very good reason: public and private keys are used to lock (encrypt) and unlock (decrypt) data. These keys are actually long numbers, making it next to impossible for someone to guess a particular key. When keys are used to secure data transmissions, the computer generates two different types of keys, a public key and a private key. The distinction between the two is as follows:
• Public key A nonsecret key that forms half of a cryptographic key pair that is used with a public key algorithm. The public key is freely given out to all potential receivers.
• Private key The secret half of a cryptographic key pair that is used with a public key algorithm. The private part of the public key cryptography system is never transmitted over a network.

Keys can be used in two different ways to secure data communications: public key encryption and symmetric key encryption.
• Public (asymmetric) key encryption uses both a private and a public key to encrypt and decrypt messages. The public key is used to encrypt a message or verify a signature, and the private key is used to decrypt the message or to sign a document. Figure 17-1 provides a simplified look at the process of public key encryption.
• Private (symmetric) key encryption uses a single key for both encryption and decryption. If a person possesses the key, he or she can both encrypt and decrypt messages. Unlike public keys, this single secret key cannot be shared with anyone except people who should be permitted to decrypt as well as encrypt messages. Figure 17-2 shows an example of the private key encryption method.

As you might have guessed, public key encryption has a major advantage over symmetric key encryption. Because symmetric key encryption uses only a single key, it should not be used for communications over an insecure channel unless a secure channel also exists for the key to be distributed to the valid users. It only makes sense that if a secure channel exists, there is no need to encrypt communications and send them via an insecure channel. Public-key technology makes it possible, through the use of multiple keys, to securely transmit sensitive data via an insecure channel.

Figure 17-1 Public key encryption, using both a public and private key

EXAM TIP Public key encryption allows two parties to exchange secure communications over an insecure communications network.
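To make the roles of the two key types concrete, here is an added example (not from the book) that implements the pattern the EFS section describes: a random per-file secret key encrypts the data, and that key is wrapped with the user’s public key and, to model the recovery path, separately with the recovery agent’s public key, so either private key unwraps it and any other key is refused. Textbook unpadded RSA over fixed Mersenne primes and an HMAC-SHA256 keystream stand in for real algorithms; the key values, field names and sample file contents are constructed for illustration only.

```python
import hashlib
import hmac
import os

E = 65537  # public exponent for every toy key pair

# Constructed key material: pairs of known Mersenne primes, so the toy RSA
# arithmetic works without a prime generator. Never use fixed primes for real.
USER_P, USER_Q = 2**127 - 1, 2**89 - 1
AGENT_P, AGENT_Q = 2**107 - 1, 2**61 - 1
FEK_LEN = 16  # bytes in the random per-file key


def make_key(p, q):
    """Return (n, d): a textbook RSA modulus and private exponent for E."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(E, -1, phi)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR data with HMAC-SHA256(key, block counter).
    The same call encrypts and decrypts, which is the symmetric-key property."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_key(fek: bytes, public_n: int) -> int:
    """Encrypt the file key with a public key (unpadded RSA: toy only)."""
    k = int.from_bytes(fek, "big")
    assert k < public_n, "key must be smaller than the modulus"
    return pow(k, E, public_n)


def unwrap_key(wrapped: int, n: int, d: int):
    """Recover the file key with the matching private key, or None when the
    result cannot be a key (what happens with an unrelated key pair)."""
    k = pow(wrapped, d, n)
    return k.to_bytes(FEK_LEN, "big") if k < 1 << (8 * FEK_LEN) else None


def encrypt_file(plaintext: bytes, user_n: int, agent_n: int) -> dict:
    """EFS-style: a fresh random key per file, wrapped once for the owner and
    once for the recovery agent. A MAC under the file key lets a reader detect
    that it unwrapped the wrong key instead of returning garbage."""
    fek = os.urandom(FEK_LEN)
    ciphertext = keystream_xor(fek, plaintext)
    return {
        "ciphertext": ciphertext,
        "tag": hmac.new(fek, ciphertext, hashlib.sha256).digest(),
        "wrapped_for_user": wrap_key(fek, user_n),
        "wrapped_for_agent": wrap_key(fek, agent_n),
    }


def decrypt_file(blob: dict, field: str, n: int, d: int):
    """Unwrap the file key from the named field and decrypt; None means the
    supplied private key matches neither wrapped copy (the Access Denied case)."""
    fek = unwrap_key(blob[field], n, d)
    if fek is None or not hmac.compare_digest(
            hmac.new(fek, blob["ciphertext"], hashlib.sha256).digest(), blob["tag"]):
        return None
    return keystream_xor(fek, blob["ciphertext"])


if __name__ == "__main__":
    user_n, user_d = make_key(USER_P, USER_Q)
    agent_n, agent_d = make_key(AGENT_P, AGENT_Q)
    blob = encrypt_file(b"constructed sample: Q3 payroll figures", user_n, agent_n)
    print(decrypt_file(blob, "wrapped_for_user", user_n, user_d))
    print(decrypt_file(blob, "wrapped_for_agent", agent_n, agent_d))
```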

Certificates
Certificates are the cornerstones of the PKI. A certificate is essentially a form of electronic credentials that validates users, computers, or devices on the network. A certificate is a digitally signed statement that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key. Certificates can provide a number of security services, including authentication, encryption, and digital signatures.
• Authentication An important part of a security strategy. For authentication to happen, users are required to prove their identity to the network device or server with which they are trying to communicate. Certificates provide the means to ensure that this communication is secure and that the parties involved in the communication are who they say they are.
• Encryption The process of converting something that is in plaintext form into an unreadable form. This prevents unwanted eyes from viewing potentially sensitive data. Decryption is the process of taking the unreadable data and converting it back into something that can be read. This can be thought of as locking something valuable in a strongbox with a key. Using certificates, we have the ability to protect e-mail messages, files on a disk, and files being transmitted across the network.
• Digital signature A way to ensure the integrity and origin of data. Integrity involves ensuring that the data being received has not been altered since it was signed. Digital signatures also provide a method of verifying the identity of the person or entity who signed the data. This enables the important security features of integrity and nonrepudiation, which are essential for secure electronic commerce transactions.

Certificates are issued for a variety of roles, including securing e-mail (S/MIME), ensuring web user and web server authentication, Internet Protocol Security (IPSec), and Transport Layer Security (TLS). To do this, each certificate must include specific information, such as the following:
• The subject’s public key value
• Specific requester information, such as an e-mail address
• A specified validity period that determines the expiration date of the certificate
• Certificate issuer information and the digital signature of the issuer

Figure 17-2 Private key encryption, using a single key for both encryption and decryption

Certificate Stores
Certificate stores are essentially containers for certificates and their associated properties. The PKI uses five different types of certificate stores:
• Personal Stores a user’s or computer’s certificates for which the related private key is available.
• CA Stores the issuing and intermediate certificate authority certificates used in the CA hierarchy.
• Enterprise Trust Contains Certificate Trust Lists. These are an alternate mechanism that allows an administrator to specify a collection of trusted CAs that must verify to a self-signed CA certificate in the trusted root store.
• Trusted Root Contains only self-signed CA certificates that are trust points in the PKI.
• UserDS Stores a logical view of the certificate container that is located in Active Directory and is used to simplify access to certificate stores.

Trusts
The issue of trust is an important consideration when looking at the PKI. For instance, in a private key encryption method, the two parties exchanging data trust their shared private key. It is assumed that the private key is stored securely, and therefore, there is message integrity between the sender and receiver. The trust is built on the security of the private key. A trust built in a public key encryption method is another story altogether. Both parties each secure their own private key, while at the same time, they have to share each other’s public key. This means that when we receive a digitally signed message, we need to be able to trust that the digital signature is from whoever claimed to make it. Trusting this public key is a critical consideration for the public key infrastructure to work. The problem is, how can a public key be implicitly trusted? There are two steps in forming this trust. The first is confirming the validity of the signature using the known public key. Using this key, it is possible to determine the integrity of the signature and ensure that the signature is mathematically valid. The problem is, even if you know the signature is mathematically valid, how do you know you used the right public key? That is, is it the public key of the party at the other end of the communication that made the signature in the first place? It may not be. To complete the trust in public key encryption, it is necessary to locate a certificate for the public key that verifies the key belongs to the right entity. To do this, the certificate must be issued by a certificate authority (CA) that is implicitly trusted by the receiver. If the receiver trusts a particular CA, then all certificates issued by that CA are, in turn, trusted. Once the public key has been verified by a certificate from a trusted CA, the signature is trusted.


Certificate Authorities
Certificate authorities (CAs) are entities that validate user identities and that issue and manage certificates. As outlined previously, the CA provides security certificates that ensure that people are who they say they are. CAs can be either independent third parties, known as a public CA, or they can be organizations running their own certificate-issuing server software, known as private CAs.

Public CAs
Public CAs are organizations such as Verisign or Entrust, which issue publicly accessible certificates. On the Internet, many e-commerce sites use these types of third-party CAs for their secured web sites. Such a strategy is designed to increase consumer confidence by ensuring that the communication is secure. Public CAs are often used in the following circumstances:
• If you are buying or selling products over the Internet, you can use third-party certificates to verify the transaction.
• If the resources or trained personnel are not available to deploy a PKI strategy into an internal network, a public CA can be used.
• If certificate use is limited, public CAs have the infrastructure in place to accommodate limited use.
• Third-party CAs can be used for interorganization communication, as the certificates are acquired from a common third-party root authority.

Private CAs
Public CAs have found considerable success when conducting transactions over the Internet; however, some organizations choose to create and manage an internal CA. While it may take more effort to create an internal CA, it also provides an organization with control over all client-issued certificates and, as a side benefit, decreases the cost of obtaining certificates from third-party CAs. Private CAs are often deployed under the following conditions:
• An organization requires increased control over client-issued certificates.
• Current infrastructure and expertise are in place to support the PKI.
• An organization wishes to reduce the costs associated with obtaining third-party certificates.

Certificate Hierarchies
Windows Server 2003 uses a hierarchical CA model. This approach gives the PKI a scalable and manageable architecture. In some network environments, a single CA server may be used, but often, multiple CAs are used with established parent/child relationships. This model is sometimes referred to as a rooted hierarchy because the initial server is known as the root CA. The root CA is designed to be the most trusted CA in the network’s PKI. Because of the role root CAs play on the network, they are typically protected more than their subordinate counterparts. If the root CA on a network is somehow compromised, the certificate security of the whole network is vulnerable. Directly below the root CA are any number of subordinate, or intermediate, CAs, which in turn can issue certificates. There is no requirement that all CAs share the same root CA parent. Figure 17-3 shows the rooted CA hierarchy.

NOTE In CA lingo, a subject refers to the entity that requests a certificate or holds a certificate.

Figure 17-3 A rooted CA hierarchy, most often implemented in a Windows 2003 environment

As shown in Figure 17-3, there may be other CAs below the subordinate CA, known as issuing CAs. Having multiple levels of CAs allows increased security for the root CA, as the root can be isolated from the network while the subordinate CAs issue specific certificates to clients.

EXAM TIP A rooted CA hierarchy allows the root CA server to be removed from the network and secured. If the root CA is compromised, all certificates issued will need to be revoked.

Many networks use a single server to act as the CA and issue certificates. However, it may be smart to use a hierarchical CA structure for many reasons, such as fault tolerance, load balancing, security, and organizational reasons.
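The chain-of-trust reasoning from the Trusts section and the rooted hierarchy of Figure 17-3 can be exercised in code. The following is an added example, not from the book: a constructed four-level hierarchy (root, subordinate, issuing CA, user) in which each certificate is checked against its issuer’s public key, its validity period and the CRL, and the root must appear in the trusted root store, so revoking a subordinate CA invalidates everything beneath it. Signatures use textbook unpadded RSA over fixed Mersenne primes purely for illustration; all names, serial numbers and dates are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

E = 65537  # public exponent shared by every toy key pair

# Constructed key material: products of known Mersenne primes, so the toy RSA
# arithmetic works without a prime generator. Illustration only.
ROOT_P, ROOT_Q = 2**521 - 1, 2**127 - 1
SUB_P, SUB_Q = 2**607 - 1, 2**107 - 1
ISS_P, ISS_Q = 2**1279 - 1, 2**89 - 1
USER_N = (2**61 - 1) * (2**31 - 1)  # the end entity only needs a public key here


def make_key(p, q):
    """Return (n, d): textbook RSA modulus and private exponent for exponent E."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(E, -1, phi)


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass
class Cert:
    subject: str
    issuer: str
    public_n: int
    serial: int
    not_before: date
    not_after: date
    signature: int = 0

    def tbs(self) -> bytes:
        """The 'to be signed' fields; the issuer signs a hash of exactly these."""
        fields = (self.subject, self.issuer, self.public_n,
                  self.serial, self.not_before, self.not_after)
        return "|".join(map(str, fields)).encode()


def sign(cert: Cert, issuer_n: int, issuer_d: int) -> Cert:
    """The issuer signs the certificate with its private key (toy unpadded RSA)."""
    cert.signature = pow(digest_int(cert.tbs()) % issuer_n, issuer_d, issuer_n)
    return cert


def signature_ok(cert: Cert, issuer_n: int) -> bool:
    """Anyone holding the issuer's public key can check the signature."""
    return pow(cert.signature, E, issuer_n) == digest_int(cert.tbs()) % issuer_n


def verify_chain(chain, trusted_roots, crl, today):
    """chain is ordered leaf first and root last; trusted_roots maps a root's
    subject name to its public modulus; crl is a set of (issuer, serial) pairs.
    Returns (ok, reason). A failure anywhere in the chain, including a revoked
    subordinate CA, fails every certificate beneath it."""
    root = chain[-1]
    if trusted_roots.get(root.subject) != root.public_n:
        return False, f"{root.subject}: not in the trusted root store"
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # root self-signs
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name mismatch"
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if (cert.issuer, cert.serial) in crl:
            return False, f"{cert.subject}: revoked by {cert.issuer}"
        if not signature_ok(cert, issuer.public_n):
            return False, f"{cert.subject}: signature does not verify"
    return True, "chain verifies to a trusted root"


def build_demo_chain():
    """Constructed hierarchy: root -> subordinate -> issuing CA -> user."""
    root_n, root_d = make_key(ROOT_P, ROOT_Q)
    sub_n, sub_d = make_key(SUB_P, SUB_Q)
    iss_n, iss_d = make_key(ISS_P, ISS_Q)
    root = sign(Cert("Root CA", "Root CA", root_n, 1,
                     date(2004, 1, 1), date(2024, 1, 1)), root_n, root_d)
    sub = sign(Cert("Sub CA", "Root CA", sub_n, 2,
                    date(2004, 1, 1), date(2014, 1, 1)), root_n, root_d)
    iss = sign(Cert("Issuing CA", "Sub CA", iss_n, 3,
                    date(2004, 1, 1), date(2009, 1, 1)), sub_n, sub_d)
    user = sign(Cert("alice@example.test", "Issuing CA", USER_N, 4,
                     date(2005, 1, 1), date(2006, 1, 1)), iss_n, iss_d)
    return [user, iss, sub, root], {"Root CA": root_n}


if __name__ == "__main__":
    chain, roots = build_demo_chain()
    print(verify_chain(chain, roots, set(), date(2005, 6, 1)))
    # Revoking the subordinate CA's certificate invalidates the whole branch.
    print(verify_chain(chain, roots, {("Root CA", 2)}, date(2005, 6, 1)))
```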

Planning the Hierarchy and Certificate Distribution
Deciding to implement the CA hierarchy is the first step; the next is to identify the type of organization to use for the hierarchy. As with any other network design, there are a few options, as described in the following sections.

Certificate Authority Hierarchy by Location
When designing the organization of the CA hierarchy, a common design is to use geographical location. Many networks span many locations, and a location-based hierarchy is well suited for such environments. Consider Figure 17-4, which has a head office in San Diego connected to networks in Vancouver and New York. Figure 17-4 shows a single subordinate CA in Vancouver and one in New York, but in application, it may be necessary to have additional CAs at both locations.

Figure 17-4 Hierarchical distribution of CAs

Certificate Authority Hierarchy by Network Organization
Many of the networks you work with will have some form of administrative structure. For example, network segments may be broken up according to function, such as accounting, customers, staff, marketing, and so on. In such a case, you can design your CA hierarchy according to the overall network administrative layout. Figure 17-5 provides an example of such a strategy. As seen in Figure 17-5, the third layer of CAs allows a dedicated CA for junior accountants and senior accountants and, similarly, for full- and part-time staff. This strategy is beneficial in creating different templates for the different users. For example, the different CAs allow an administrator to easily set up different validity dates for certificates for full- and part-time staff.

Certificate Authority Hierarchy by Usage
Certificates can be issued for a number of reasons, including securing e-mail, deploying IPSec, performing smart card logon, and securing web transfers. This provides a structure by which you can design the CA hierarchy. In such a configuration, CAs are assigned to each of these different areas. Figure 17-6 shows an example of the CA hierarchy by usage. As shown in Figure 17-6, the Server1 subordinate CA issues certificates only for e-mail and SSL requests; Server2 issues certificates for IPSec and smart card requests. Such a strategy adds an extra level of control over the issuance of certificates.

Figure 17-5 CA hierarchical administrative layout

Figure 17-6 CA hierarchy divided by usage

NOTE The configuration for the offline root CA is contained in a text file known as capolicy.inf. The capolicy.inf file must be in the system root folder before Certificate Services is installed; the settings in the file are read during the installation of Certificate Services.

Offline CAs
One of the strategies to ensure the security of the root CA is to remove it from the network, or take it offline. Doing this will ensure that the root CA cannot be compromised, because if it is, all certificates issued underneath it will be compromised as well. In fact, in some organizations, the root and second-level subordinate CAs are taken offline. When the decision is made to take the root, and possibly several subordinate CAs, offline, keep in mind a few important considerations. One such consideration is the physical storage of the offline CAs. The best scenario here is to lock them away where only administrators have access. Another consideration is the expiration of the root certificate. Like any other certificate, it has a validity date, and this date should be later than the expiration date of any other certificate issued on the network. Finally, even when the root CA is offline, any issued certificates must still be verified against the revoked certificate entries listed in the CRL. If the root CA is offline, the CRL has to be published to an accessible location on the network.
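An example capolicy.inf for an offline root CA, added here and not taken from the book. The values (a 20-year renewal validity, a 4096-bit key, a six-month CRL with no delta CRLs, and no CDP or AIA URLs in the root’s own certificate) are assumptions chosen to match the offline-root considerations above; a real deployment sets them according to its own policy.

```ini
[Version]
Signature="$Windows NT$"

[certsrv_server]
; The root's own certificate must outlive everything issued beneath it,
; so it gets the longest validity period in the hierarchy (assumed 20 years).
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; An offline root signs its CRL only rarely; a long CRL period (assumed six
; months) means it is brought online only a few times a year to republish it.
CRLPeriod=Months
CRLPeriodUnits=6
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; A self-signed root certificate carries no CRL distribution point or
; authority information access URLs; clients trust it from the root store.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
```

This file shapes only the root CA’s own certificate; the CRL location that certificates issued by the root will point to is configured on the CA after installation, which is where the network-accessible CRL location mentioned above is set.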

CA Types
Before you can deploy CAs in a Windows Server 2003 environment, you need to know which types of CAs there are and what each is designed to do. When installing Certificate Services, there are four CA options from which to choose: enterprise root CA, enterprise subordinate CA, standalone root CA, and standalone subordinate CA.

Enterprise Root CAs
The enterprise root forms the foundation of the CA hierarchy. An enterprise root CA requires the use of Active Directory and assigns itself a CA certificate. Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME, authentication to a secure web server using SSL or TLS, and logging onto a Windows Server 2003 domain using a smart card. When installing Certificate Services, you will be required to choose between the enterprise CAs and the standalone CAs. To help make an informed decision, here are a few points to remember about enterprise root CAs:
• To install an enterprise CA, Active Directory must be used.
• You must be a domain administrator or an administrator with Write access to Active Directory to install an enterprise root CA.
• The enterprise CA publishes user certificates and the Certificate Revocation List (CRL) to Active Directory. To publish certificates to Active Directory, the server on which the CA is installed must be a member of the Certificate Publishers group.
• Enterprise CAs use certificate templates, and each of these templates has security permissions set in Active Directory. These permissions verify whether the certificate requester is authorized to obtain the certificate type he or she has requested.

NOTE Like an enterprise root CA, the enterprise subordinate CA requires Active Directory. You use enterprise subordinate CAs when you want to take advantage of Active Directory, certificate templates, and smart card logon.

Standalone Root CAs
One of the fundamental differences between enterprise root CAs and standalone CAs is that a standalone root CA may or may not be a member of a domain. This means it is not necessary to use Active Directory when using a standalone root CA. If Active Directory is used, the standalone CA will use it to publish certificates and the CRL. Standalone CAs issue certificates for purposes such as digital signatures, secure e-mail using S/MIME, and authentication to a secure web server using SSL or TLS.

EXAM TIP When not connected to a domain, standalone CAs are easily taken offline and securely stored.

Consider the following before installing a standalone CA:
• Standalone CAs do not require the use of Active Directory.
• Certificate templates are not used. This means the certificate requester must provide identifying information in the certificate request. This information would normally be supplied by the certificate template.
• No certificates can be issued for logging on to a Windows Server 2003 domain using smart cards.

NOTE The standalone subordinate CA is similar to the standalone root; however, the subordinate must receive its certificate from another CA. Standalone subordinates may or may not be members of a domain and, therefore, do not require Active Directory.

EXAM TIP Standalone CAs do not support smart card logon.


Deploying Server 2003 Certificate Services
Deploying Certificate Services in a Windows Server 2003 environment is a straightforward process. First, you need to install Certificate Services:
1. Select Start, Control Panel, and choose Add/Remove Programs. The Add Or Remove Programs dialog box opens.
2. From the Add Or Remove Programs dialog box, select the Add/Remove Windows Components option. The Windows Components Wizard opens.
3. From the Windows Components Wizard, select the box to install Certificate Services, as shown in Figure 17-7.
4. The CA Type screen opens, as shown in Figure 17-8. Select the desired type of CA and click Next. To complete this exercise, we will use the Enterprise Root CA option.
5. In the CA Identifying Information screen, you identify the name of the CA and enter the validity period: the period of time during which the certificate can be accepted as an authoritative credential. Click Next to open the Certificate Database Settings dialog box.
6. The Certificate Database Settings screen is used to identify the location of the certificate database and the associated log files. The default location is systemroot\system32\CertLog. Select a location, click Next, and the configuration of the CA will begin. At this point, you may be prompted to supply the Windows Server 2003 CD for installation files.
7. After several minutes, Certificate Services will be installed on the local computer system.

Figure 17-7 Certificate Services, installed from the Windows Components Wizard

Figure 17-8 The CA Type screen, used to determine the type of CA to install
Managing Certificate Authority
Once Certificate Services has been installed on the computer, you can manage certificates from the MMC console. To do this, the CA must be added to the MMC console. Figure 17-9 shows the MMC console with the Certification Authority snap-in. As shown in Figure 17-9, there are five areas to administer under the CA server tree: revoked certificates, issued certificates, pending requests, failed requests, and certificate templates.

Revoked Certificates
When a certificate is revoked, it is invalidated by the system before its natural expiration date and stored in the Revoked Certificates folder. To revoke a certificate, open the Issued Certificates folder, right-click the certificate you wish to revoke, and choose Revoke from the menu. You will be prompted to provide a reason why the issued certificate is being revoked. Figure 17-10 shows the Certificate Revocation dialog box. A certificate may need to be revoked for a number of reasons; most often, it is related to a security concern. Some of the reasons for revoking a certificate include these:
• A subject’s private key has been compromised.
• A CA’s private key has been compromised.
• A certificate should not have been issued.
• A change has occurred in the status of the subject holding the certificate.

Figure 17-9 Management of certificate distribution using the MMC console

Figure 17-10 Supplying a reason to revoke a certificate

EXAM TIP If you suspect that a certificate has been compromised, you can revoke it using the MMC console and the CA snap-in.

Issued Certificates
The Issued Certificates folder lists just that: the certificates that have been issued. When you double-click any of the issued certificates, an information dialog box opens, providing details on the issued certificate. The information dialog box contains three tabs that display information. The General tab provides a quick reference on the intended purpose of the certificate, to whom the certificate is issued, who issued the certificate, when the certificate was issued, and when it expires. The Details tab, shown in Figure 17-11, shows all the details of the issued certificate, including security information, signature algorithm, serial number, and public key information. The final tab is Certification Path, which simply identifies the path to the CA.

Pending Requests
When the CA receives a request for a certificate, that certificate can either be issued immediately, or it can be held as a pending request. Requests are sometimes held as pending to give the administrator a chance to review the certificate request before issuing it. This is particularly important if the issuing CA has been configured as a standalone CA. Standalone CAs do not verify the certificate requester using Active Directory; as such, there is no way to confirm the identity of the certificate requester.

Failed Certificates
The Failed Requests folder maintains a list of the certificate requests that were unsuccessful. This is often a result of an administrator rejecting a certificate request from the requester.


Figure 17-11 The Details tab, used to highlight specific information of an issued certificate

Certificate Templates
Certificate templates are an important part of an enterprise CA. They are used to customize certificates issued by Certificate Services. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests. The templates are stored in Active Directory for use by every CA in the forest. Figure 17-12 shows the current certificate templates and those installed by default when the system is set up.

EXAM TIP Certificate templates can be issued by an enterprise CA running only on Windows Server 2003, Enterprise Edition, or Server 2003, Datacenter Edition.

When you double-click any of the templates, the Properties dialog box for that template opens, summarizing the details of that certificate template.

Figure 17-12 Installed templates, stored in the Certificate Templates folder in the MMC

Managing Certificate Templates
The Certificate Templates folder provides the means to view the current templates, but it may be necessary to add or modify templates. To add a certificate template to be issued, right-click the Certificate Templates folder, select New, and select the Certificate Template To Issue option. The Enable Certificate Templates dialog box opens, as shown in Figure 17-13.

Certificate Enrollment and Issuance
The process of certificate enrollment involves the entire procedure of requesting, receiving, and installing a certificate. A key part of this process, as you might imagine, is certificate issuance. Certificates can be issued in two ways: manually or automatically. The method you use depends on many factors, including the type of CA installed. In any case, when designing a certificate strategy, you need to configure the default action to take when the CA receives a certificate request. To establish these default settings, follow these steps:
1. Open the MMC console by typing mmc in the Run text box.
2. With the MMC open, add the Certificate Authority snap-in to the console.
3. In the console tree, click the name of the CA.
4. From the Action menu, select the Properties option to open the Properties dialog box for that CA. Choose the Policy Module tab, as shown in Figure 17-14.
5. On the Policy Module tab, click the Properties button to open the dialog box used to configure how certificate requests will be handled by default. Figure 17-15 shows this dialog box.

Figure 17-13 The Enable Certificate Templates dialog box, used to add a template to the CA

Figure 17-14 The Policy Module tab, providing access to configuring certificate issuance

Figure 17-15 Configuring the default parameters for certificate requests

As shown in Figure 17-15, two configurable options exist for the default certificate response. The first is Set The Certificate Request Status To Pending. With this option, the administrator must explicitly issue every certificate. This setting is high on overhead because the administrator would have to review every certificate request before it is issued. The second option is Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate. In this configuration, the certificate template is read first to see whether it specifies how the request should be handled. If the certificate template has no instructions for issuance, the certificate will be issued automatically, and the administrator need not review each certificate request.

Automatic Issuance Using the Group Policy Object Editor
It is also possible to set how certificate requests will be handled using Group Policy. The configuration for this and the options available are straightforward:
1. Open the MMC and add the Group Policy Object Editor snap-in to the console.
2. Expand the tree as follows: Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Public Key Policies. Click the Public Key Policies folder.
3. An icon entitled Autoenrollment Settings displays in the right pane. Double-click it to open the Autoenrollment Settings Properties dialog box, as shown in Figure 17-16.

There are a few options when configuring the autoenrollment behavior. The ability to autoenroll at all can be blocked by selecting the option Do Not Enroll Certificates Automatically. You also have the choice Enroll Certificates Automatically. In addition, you can configure more actions such as automatically renewing expired certificates, removing revoked certificates, and updating certificates that use templates.

Configuring Certificate Renewal
Certificates are issued with a defined lifetime in which they remain active. As such, a strategy must be in place to renew certificates as they near their expiration. User and computer certificates can be manually renewed from the MMC console. To do this, you must add yet another snap-in to the console, Certificates, as shown in Figure 17-17. When the certificate is renewed, you have a few choices about how that renewal will affect the currently issued public and private keys. In the renewal process, you can either reuse the same public and private key, or generate a new set of keys. When renewing the certificate, best practice is to obtain a new public and private key for security reasons. Reusing the same keys over and over increases the likelihood of a compromised key. Figure 17-18 shows the renewal options for users and computers.

NOTE When renewing keys for a CA, it is sometimes best to keep the same keys because issuing new ones would mean all issued certificates under that CA would be invalid.

Figure 17-16 The Autoenrollment Settings Properties dialog box is used to configure certificate enrollment.


Figure 17-17 The Certificate snap-in

Figure 17-18 Renewing the certificate, generating a new public and private key


Figure 17-19 Renewing a certificate for a CA using the Certification Authority snap-in

The process for renewing the certificates on a CA is slightly different. To renew the certificate, use the Certification Authority snap-in. Right-click the CA server, select All Tasks, and select the Renew CA Certificate option, as shown in Figure 17-19.
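A renewal strategy needs a way to spot certificates that are approaching expiration and to confirm that a renewal actually produced a new key pair rather than reusing the old one. The following is an added example, not code from the book; it assumes it runs as a local administrator and that, where a key was reused, both the old and the renewed certificate are still present in the local machine store, which is how the reuse is detected.

```powershell
# Added example, not from the book. Reports certificates in the local machine
# store that are near expiry and flags renewals that kept the old key pair.
# Assumes: run as a local administrator; the old and the renewed certificate
# are both still present in the store, which is how a reused key is detected.

function Get-CertificateRenewalReport {
    param(
        [int]$DaysBeforeExpiry = 30,                      # renewal window
        [string]$StorePath    = 'Cert:\LocalMachine\My'   # computer certificates
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($DaysBeforeExpiry)
    $certs  = @(Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey })

    foreach ($cert in $certs) {
        $status = 'OK'
        if     ($cert.NotAfter -lt $now)    { $status = 'EXPIRED' }
        elseif ($cert.NotAfter -lt $cutoff) { $status = 'RENEW SOON' }

        # Another certificate for the same subject carrying the same public key means
        # the key pair was reused at renewal, which the chapter advises against.
        $sameKey = @($certs | Where-Object {
            $_.Thumbprint -ne $cert.Thumbprint -and
            $_.Subject    -eq $cert.Subject -and
            $_.GetPublicKeyString() -eq $cert.GetPublicKeyString()
        })

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Status     = $status
            KeyReused  = ($sameKey.Count -gt 0)
        }
    }
}

Get-CertificateRenewalReport |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Status, KeyReused -AutoSize
```

Run it with -StorePath 'Cert:\CurrentUser\My' to review user certificates instead of computer certificates.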

Smart Card Authentication
There is no doubt that certificates are a versatile tool—but they can’t be used to log on to a system. After all, they can be thousands of bytes long. Instead, most of us still use the traditional logon procedure using a user name and password. This has long been a security concern for administrators. Perhaps we can’t log on to the system using a certificate, but smart cards provide us with a workaround solution. A smart card is a credit card–size device that can store a certificate. The smart card can be used for storing sign-in passwords, public and private keys, and other personal information. Smart cards provide tamper-resistant and portable security solutions for tasks such as securing e-mail and logging on to a domain. To use a smart card, you will need a special smart card reader and you will need a certificate.

Smart Card
To issue smart cards from a central location, a smart card enrollment station is used. The smart card enrollment station is part of the enterprise CA service and uses certificate templates to determine which information to include in a certificate. Relative to smart cards, there are two user certificate templates of interest:
• Smart Card Logon This template gives the smart card user the ability to authenticate to the network but cannot be used for other purposes such as securing e-mail. Smart card logon is installed by default when the CA is added to the MMC console.
• Smart Card User This template provides the user with network authentication and other services such as encrypting e-mail.

To issue either one of these smart card certificates, a smart card enrollment station has to be located somewhere within the organization. In addition, to operate the enrollment station, someone in the organization must be designated as the enrollment agent. Individuals can be designated enrollment agents by issuing them the Enrollment Agent certificate, which allows them to enroll on behalf of others. You should carefully consider who is designated as enrollment agents because this certificate gives them the ability to enroll for smart card certificates for any domain user, including Administrator. By default, the access permissions for the Enrollment Agent certificate are set to Domain Administrators.

EXAM TIP Only the enterprise CAs can issue templates; therefore, they are the only CAs that can issue smart cards for logon. Standalone CAs cannot be used for smart card logon.
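Because an Enrollment Agent certificate lets its holder enroll smart cards for any domain user, knowing exactly who holds one is a periodic check worth automating. The following is an added example, not code from the book; it assumes it runs on the enterprise CA as a CA administrator, that the Enrollment Agent template is recorded in the CA database under the name EnrollmentAgent, and that the approved account names are constructed samples.

```powershell
# Added example, not from the book. Audits who holds an Enrollment Agent
# certificate issued by this CA and flags holders not on an approved list.
# Assumes: run on the enterprise CA as a CA administrator; the approved
# list below is a constructed sample.

$ApprovedEnrollmentAgents = @('CORP\pki.agent1', 'CORP\pki.agent2')   # constructed sample

function Get-EnrollmentAgentHolders {
    # Issued (Disposition=20) certificates built from the Enrollment Agent template.
    # 'csv' makes certutil emit a header line followed by one quoted row per certificate.
    $lines = & certutil -view -restrict 'CertificateTemplate=EnrollmentAgent,Disposition=20' `
                 -out 'RequesterName,NotAfter,SerialNumber' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed (exit code $LASTEXITCODE)" }

    # Skip the header (it carries display names) and keep only quoted data rows.
    $rows = @($lines | Select-Object -Skip 1 | Where-Object { $_ -like '"*' } |
              ConvertFrom-Csv -Header RequesterName, NotAfter, SerialNumber)

    foreach ($row in $rows) {
        $expired = $false
        try { $expired = ([datetime]::Parse($row.NotAfter) -lt (Get-Date)) } catch { }
        New-Object PSObject -Property @{
            RequesterName = $row.RequesterName
            NotAfter      = $row.NotAfter
            SerialNumber  = $row.SerialNumber
            Expired       = $expired
            Approved      = ($ApprovedEnrollmentAgents -contains $row.RequesterName)
        }
    }
}

function Find-UnexpectedEnrollmentAgents {
    # Anyone holding a live Enrollment Agent certificate who is not on the approved
    # list can enroll smart cards on behalf of any domain user, so review these first.
    Get-EnrollmentAgentHolders | Where-Object { -not $_.Expired -and -not $_.Approved }
}

Find-UnexpectedEnrollmentAgents | Format-Table RequesterName, NotAfter, SerialNumber -AutoSize
```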

Web-Based Certificate Enrollment
Three steps are needed to get a certificate: requesting the certificate from the CA, the CA determining if you should be given the certificate, and finally, the issuing of the certificate. While the determination of the certificate is handled either manually or automatically from the server, the other two elements can be done via a web interface. To request a certificate from a CA, make sure the Certificate Services and Certificate Services Web Enrollment support are installed on the server. The process for doing this was discussed earlier in this chapter. (In short, you open the Control Panel, choose Add/Remove Programs, and from within the Windows Components, select Certificate Services to add to the system.)

NOTE If you intend to create Web Enrollment support to allow clients to obtain certificates via the Web, you should install Internet Information Services (IIS) before installing Certificate Services, and Application Service Provider (ASP) pages need to be enabled. If Certificate Services is installed before IIS is installed, you will need to manually create a virtual root directory by typing certutil -vroot at the command prompt.

Once Certificate Services has been installed, client systems can request a certificate from the CA by pointing their web browser to a specific location on the server. Using Internet Explorer, type http://servername/certsrv. A default Microsoft web site will open, which allows you to request a certificate, view the status of a pending certificate, or download a pending certificate. When requesting a certificate via the web interface, you can choose a web browser certificate or an e-mail protection certificate, or submit an advanced certificate request. The advanced option allows you to choose other types of certificates, such as a server authentication certificate, and configure the options for that certificate.

NOTE If you get a 404 error when directing the client to the server’s CA, ensure that Certificate Services was installed after IIS. If not, the virtual folder for certificates needs to be created.

After the certificate has been requested, you can log back on to the server and view the status of a pending certificate request. All pending certificates will be listed, and if the certificate that was requested is listed as issued, you can install that certificate right from the web site.


Planning Security Updates
Things change fast in the world of IT: one day your systems are secure, the next someone has found another chink in the armor. In such an environment, it is important that all systems be up to date in terms of security. A Windows Server 2003 system has two key utilities to help ensure that security is kept current: the Microsoft Baseline Security Analyzer (MBSA) and the Microsoft Software Update Services (SUS).

Microsoft Baseline Security Analyzer
Wouldn’t it be nice if there were a utility that scanned your systems looking for common security misconfigurations? It would be, and fortunately, there is. The Microsoft Baseline Security Analyzer was designed to be an easy-to-use utility with the ability to reveal any potential security issues. The Microsoft Baseline Security Analyzer includes a graphical and command-line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows Server 2003, Windows 2000, and Windows XP systems and scans for common security misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA also scans for missing security updates for Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL, Exchange, IE, and Windows Media Player. Figure 17-20 shows the MBSA.


Figure 17-20 MBSA, used to scan a local or remote computer looking for potential security holes

NOTE MBSA can be downloaded directly from the Microsoft web site.

To inspect a computer system, simply select the option Pick A Computer To Scan. Once selected, you will have the option to scan for Windows vulnerabilities, weak passwords, IIS vulnerabilities, SQL vulnerabilities, and security updates. Once you have selected the options you want, start the scan. The scan will provide a security assessment of the system and highlight any security concerns. Each security concern found will be identified with a potential solution. Figure 17-21 shows the results from a test system.

Microsoft Software Update Services
Microsoft Software Update Services (SUS) is a well-designed utility created to keep systems up to date with the latest critical updates. You can use SUS to deploy updates on single systems or to deploy updates to systems throughout the network running Windows 2000 and later operating systems. You can download the SUS utility from the Microsoft web site. Once installed, it will be accessible through the Administrative Tools program group. Figure 17-22 shows the SUS utility main screen.

NOTE You will need to have IIS installed and an NTFS volume available to install SUS.

Figure 17-21 MBSA, displaying the results from the security analysis

To start the update process on a system, select the option, Synchronize Server. You will have the choice to synchronize the server now or schedule the synchronization. This is sometimes done to perform the security updates after hours to preserve bandwidth.


Figure 17-22 The SUS utility, used to deploy security updates throughout the network

Once the process has started, updates will be downloaded from the Microsoft Windows Update Services and installed on the local machine. Figure 17-23 shows the downloading process.

NOTE Clients will have to be modified on the internal network so that the Automatic Update service points to the SUS server for updating their systems. This can be done via the registry or through Group Policies. Also, downloads must be accepted by the administrator before they can be deployed. This will give the administrator a chance to test the downloads before they are deployed to the desktops.
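The registry route for pointing a client's Automatic Updates service at the SUS server looks like this. It is an added example, not code from the book; it assumes it runs as a local administrator on the client, that the SUS server URL is a placeholder to be replaced, and that the values under the WindowsUpdate policy key are the ones the Automatic Updates client reads (they are the same values the Windows Update administrative template writes when the job is done through Group Policy).

```powershell
# Added example, not from the book. Points a client's Automatic Updates service
# at the internal SUS server by writing the policy registry values the client
# reads. Assumes: run as a local administrator on the client; the SUS URL is a
# placeholder. Group Policy's Windows Update administrative template writes the
# same values, which is the better route for many clients.

$SusServerUrl = 'http://sus-server.corp.example'   # placeholder, replace with your SUS server
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Set-SusClientPolicy {
    param([string]$ServerUrl)
    foreach ($key in @($WuKey, $AuKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Where updates are fetched from and where the client reports status
    Set-ItemProperty -Path $WuKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $ServerUrl -Type String
    # Use the SUS server instead of going to Windows Update on the Internet
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    # 4 = download automatically and install on the schedule below; use 3 to
    # download automatically but notify before installing.
    Set-ItemProperty -Path $AuKey -Name AUOptions            -Value 4 -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00, after hours
}

function Test-SusClientPolicy {
    # Returns $true when the client is configured to take updates from $ServerUrl.
    param([string]$ServerUrl)
    if (-not (Test-Path $WuKey) -or -not (Test-Path $AuKey)) { return $false }
    $wu = Get-ItemProperty -Path $WuKey
    $au = Get-ItemProperty -Path $AuKey
    return ($wu.WUServer -eq $ServerUrl) -and
           ($wu.WUStatusServer -eq $ServerUrl) -and
           ($au.UseWUServer -eq 1) -and
           ($au.NoAutoUpdate -eq 0)
}

Set-SusClientPolicy -ServerUrl $SusServerUrl
if (Test-SusClientPolicy -ServerUrl $SusServerUrl) {
    Write-Host "Automatic Updates now points at $SusServerUrl"
} else {
    Write-Host "Configuration check failed; inspect $WuKey"
}
```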


Figure 17-23 SUS, downloading critical updates from the Microsoft Windows Update Services

Chapter Review
In this chapter, we looked at managing a PKI. The PKI is comprised of several services and components working together, including certificates, certificate authorities, certificate templates, and Certificate Revocation Lists. PKI also uses both public and private keys. The public key is a nonsecret key that forms half of a cryptographic key pair that is used with a public key algorithm. The public key is freely given out to all potential receivers. The private key is the secret half of a cryptographic key pair that is used with a public key algorithm. The private part of the public key cryptography system is never transmitted over a network. Keys can be used in two different ways to secure data communications: public key encryption and symmetric key encryption.

Certificates are the cornerstones of the PKI. A certificate is essentially a form of electronic credentials that validates users, computers, or devices on the network. A certificate is a digitally signed statement that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key. Certificate issuance is managed by certificate authorities. Certificate authorities can either be installed as a standalone CA or as an enterprise CA. CAs are typically deployed in a hierarchical fashion, with the root CA often taken offline for security reasons. CAs can be configured to issue certificates to certificate requesters automatically. Once issued, certificates sometimes need to be renewed. When they are, it is often required to generate a new public and private key for the new certificate for security reasons.

Questions
1. Your company has decided to implement an internal CA to issue certificates inside the network. You wish to use several certificate templates in the deployment of the certificates and secure e-mail transactions. Which of the following could you first install?
A. Enterprise subordinate CA
B. Enterprise CA
C. Standalone CA
D. Standalone subordinate CA
2. You have been employed by a law firm that requires secure e-mail between clients. This e-mail needs to be trusted and verified; however, all communications must pass over the Internet. Which of the following strategies would you use?
A. Private Key Encryption
B. Private Key Encryption with MD-5
C. Public Key Encryption
D. Public Key Encryption with MD-5
3. Under which of the following conditions might a certificate be revoked? (Choose two.)
A. When the validity date is exceeded
B. When the subject’s private key has been compromised
C. When the CA’s private key has been compromised
D. When the public key has been compromised
4. You are assigning smart cards to ten users within the internal network. Five of the users from the Accounting department will require logon access and e-mail encryption capability. The other five users, from the Marketing division, do not need to send secure e-mail. How should the enrollment agent assign the certificate templates?
A. Assign the users from the Accounting department the Smartcarduser certificate and issue the Marketing users the Smartcardlogon certificate.
B. Assign the users from the Accounting department the Smartcardlogon certificate and issue the Marketing users the Smartcarduser certificate.
C. Assign the users from the Accounting department and the Marketing department the Smartcardlogon certificate.
D. Assign the users from the Accounting department and the Marketing department the Smartcarduser certificate.
5. You are the administrator of a network that uses 15 Windows XP Professional systems and a single server. Because the network is so small, you have not installed Active Directory and the server is used mainly to provide central storage for data. Your boss has asked that you install a method to issue certificates to the internal network with the least amount of administration. Which of the following best suits your needs?
A. Enterprise subordinate CA
B. Enterprise CA
C. Standalone CA
D. Configuring static Certificate Services for each of the individual Windows XP systems
6. You have deployed Certificate Services on your network and all users will request certificates via the web interface. The name of the CA server is Server1. Which of the following is the correct URL to access the CA server?
A. http://www.server1/certsrv
B. http://server1/certsrv
C. http://www.server1/certrequest
D. http://www.server1/certsrvrequest
7. Which of the following files maintains the primary configuration of an offline root CA?
A. system.log
B. root.log
C. c.root.inf
D. capolicy.inf
8. You have been contracted to manage a network for a small company. After reviewing the network, you discover that both the server and most of the client systems are out of date and do not have the latest security patches applied to them. All of the network computers use Windows 2000 or later and use NTFS partitions. Which of the following could you employ to keep the updates current to the client systems on the network?

A. Install Microsoft Software Update Services from the Server 2003 CD and configure clients so that the Automatic Update service points to the SUS server for updating their systems.
B. Download Microsoft Software Update Services from the Microsoft web site and configure clients so that the Automatic Update service points to the SUS server for updating their systems.
C. Install Microsoft Software Update Services from the Server 2003 CD and create a policy to force the system to retrieve updates each time the system is booted.
D. Download Microsoft Software Update Services from the Microsoft web site and create a policy to force the system to retrieve updates each time the system is booted.
9. You have recently finished installing a network using 3 Windows Server 2003 systems and 100 Windows XP Professional computers. As part of the installation, you wish to install a self-authenticating CA that can authenticate other CAs on the network. The issuing CA should be able to use Active Directory to authenticate certificate requestors and provide certificates for smart card logon. Which of the following CAs should be installed on the network?
A. Enterprise root CA
B. Standalone root CA
C. Enterprise issuing CA
D. Standalone issuing CA
10. You are a new administrator working with an unfamiliar network. You suspect that the network server may have been compromised and want to see if all security patches have been applied or if there are any configurations to the server that may be allowing someone access to the system. Which of the following could you do to discover potential security issues on the server?
A. Download and run the Microsoft Baseline Security Analyzer (MBSA) from the Microsoft web site.
B. Download and run the Microsoft Security Assessment Analyzer (MSAA) from the Microsoft web site.
C. Install and run the Microsoft Baseline Security Analyzer (MBSA) from the Server 2003 CD.
D. Install and run the Microsoft Security Assessment Analyzer (MSAA) from the Server 2003 CD.

Answers
1. B. Enterprise CAs use certificate templates, whereas standalone CAs do not.
2. C. Public key encryption uses both a private and public key to encrypt and decrypt messages. The public key is used to encrypt a message or verify a signature, and the private key is used to decrypt the message or to sign a document. Only the public key is sent over the insecure network and not each of the private keys. Public-key technology makes it possible through the use of multiple keys to securely transmit sensitive data via an insecure channel.
3. B and C. If it is assumed that the subject’s private key or the CA’s private key has been compromised, the certificate should be revoked.
4. A. Assigning the users from the Accounting department the Smartcarduser certificate for their smart cards will allow them to send encrypted e-mail. Assigning the members of the marketing department with the Smartcardlogon certificate will not enable them to use secure e-mail transactions.
5. C. Because the network does not use Active Directory, only a standalone CA can be installed.
6. B. When requesting or installing certificates via a web interface, you need to direct the client systems to the certsrv location on the CA server. The correct syntax for this is http://servername/certsrv.
7. D. The configuration for the offline root CA is contained in a text file known as the capolicy.inf. The capolicy file must be in the systemroot folder before Certificate Services is installed. The configurations in the file are read during the installation of Certificate Services.
8. B. The SUS utility is free for download from the Microsoft web site and the Automatic Update service and client systems can be configured to point to the SUS server for updating their systems.
9. A. The creation of a CA hierarchy requires a root CA, and in this case, the enterprise root CA is required because it uses Active Directory to identify network entities that request a certificate. Root CAs are able to self-assign digital certificates.
10. A. The Microsoft Baseline Security Analyzer (MBSA) can be downloaded from the Microsoft web site and performs security analysis of a local or remote system. Once completed, the scan provides a security assessment of the system and highlights any security concerns. Each security concern found is identified with a potential solution.
