Planning a Change and Configuration Management Framework
Secedit is used at the command prompt to automate security configuration tasks.
Local Security Policy is used to configure security policies on a nondomain controller. These policies apply only to the local machine.
Security templates are used to configure security policies according to preset definitions and can be imported into Group Policy.
The Security Settings extension to Group Policy is used to configure security on an OU, a site, or a domain.
Planning a Security Update Infrastructure
MBSA scans for security vulnerabilities in the operating system and other Microsoft components, including IIS, Exchange Server, SQL Server, Internet Explorer, and Windows Media Player.
The command-line program for running MBSA is mbsacli.exe.
MBSA gives administrators a report after a scan has been completed. This report explains what security issues were discovered and how to correct them.
Microsoft SUS is used to apply security updates from a centralized location within the LAN, giving administrators more control and providing more efficient downloading of updates.
Exam Objectives Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: I have a legacy application that requires anonymous access, and some users cannot access the application. What can I do?
A: It is possible that your application requires you to grant access to the Anonymous Users group, which is not part of the Everyone group. If you need to grant access to the Anonymous group, you must explicitly add the Anonymous Logon security group and its permissions.
Q: I have multiple domains that need access to resources located in other domains. How can this be set up?
A: If users in one domain need access to resources in another domain within the same forest, you do not need to do anything special. This is because, by default, a two-way transitive trust exists between the root domains of every domain tree in the forest, so users in any domain in the forest can access resources in any other domain in that forest (if they have the proper permissions). However, to speed up the authentication process between domains, you can create a shortcut trust. If the users in one domain need access to resources in a domain that is in a different forest, you can either create a forest trust between the two forests (which is transitive and will allow all domains in each forest to access all domains in the other) or you can create an external nontransitive trust directly between the two domains.
Q: I want to keep my domain Administrator account under wraps for security reasons. What can I do to accomplish this?
A: You can disable the built-in Administrator account, since all hackers know the default account name and that is half the information they need to take control of your server. Then you can give administrative privileges to another account. When the Administrator account is disabled, it can still be used in Safe Mode for troubleshooting and repairing problems. Alternatively, you can rename the built-in Administrator account so hackers won’t be able to recognize it so easily. You should not log on as Administrator for performing everyday tasks. Instead, use the Run as command when you need to perform administrative tasks.
Q: I am trying to audit folder access by a particular user, and I cannot see any information in the event log. What could be the problem?
A: Although you can set other types of auditing and they will start immediately, when you want to audit access to objects such as folders, object auditing must be enabled. Then you need to set auditing properties on the object you want to audit (in this case, the folder). To enable object auditing, edit Group Policy for the local computer or the domain policy. In the left pane of the GPO Editor, click Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policies and in the right pane, double-click Enable object auditing. Then select to audit successes, failures, or both.
Q: I need to apply password policies to all clients. How can I do this?
A: Password policies are configured in the Security Settings | Account Policies node of Group Policy on a local or domain GPO. Password policies cannot be set at the site or OU level. You can configure Group Policy to enforce password history, set a maximum and minimum password age, set a minimum password length, enforce complexity requirements, or enable storage of passwords using reversible encryption. The latter should be done only if necessary for compatibility purposes, since it decreases security instead of increasing it.
Q: How can I centrally manage security and provide updates for my client machines?
A: If client computers are running Windows XP, Windows 2000 Professional or Server, or Windows Server 2003, you can use the Microsoft Baseline Security Analyzer (MBSA) to scan for security problems and use a Microsoft Software Update Services (SUS) server to apply security updates. Both of these tools can be downloaded from the Microsoft Web site. SUS consists of two parts: the SUS server component and the client Automatic Update feature. The SUS server component synchronizes with the Windows Update site and downloads critical updates, security updates, and security rollups to the SUS server. Client machines need the Automatic Update feature installed so they can connect to the SUS server and download the updates that you have approved for distribution.
Q: I’ve just installed a WAP on our company network so employees can roam with their laptops and stay connected to the network (for example, when they attend meetings in conference rooms). Is there anything I need to be aware of in regard to security issues?
A: Wireless networking is inherently less secure than traditional wired networks because data is transmitted via radio frequency (RF) signals, which are “out there in the air,” vulnerable to capture by anyone who is within range and has the proper equipment. Although you might think “within range” means within the 300 feet or so that wireless manufacturers specify for their devices, a hacker with a high-gain Yagi antenna can connect to your network from much farther away. This situation is exacerbated by the fact that default settings for most WAPs leave the network wide open, with SSID broadcasting enabled and WEP disabled. Even if you have turned off SSID broadcasting and enabled WEP, that doesn’t mean you’re safe. A hacker can still use commonly available tools to capture packets sent between legitimate users and determine the SSID from them. Then they can break WEP encryption, which has numerous vulnerabilities, using WEPCrack or other hacker tools. It is best to treat a wireless network as an untrusted network; however, you can make it more secure by using technologies such as 802.1x and 802.11i, by incorporating other mechanisms such as MAC filtering along with WEP, and by implementing secure authentication methods such as RADIUS/IAS and using higher-level protocols such as IPSec to protect wireless traffic.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
Planning and Implementing Active Directory Security
1 You have instituted new security policies for the IT department. One important rule is to never log on as Administrator unless it is absolutely necessary. To enhance security, you want everyone to use their regular user accounts for everyday tasks so you can maintain security as much as possible. A junior administrator comes to you and says he does not wish to log on to the server with an administrative account, but he needs to use a program that requires administrative privileges. What can he do?
A If running the program requires administrative privileges, he cannot run it unless he logs off and logs back on as Administrator
B He can open the Computer Management console and use the Set password option
C He can right-click the program he wants to run, select Properties, click the Advanced button, and configure the program to run without administrative privileges
D He can right-click the program, choose the Run as command, and enter the Administrator account name and password
2 You have been hired as the network administrator for a small law firm. The first thing you want to do when you take over the job is increase the security on the network. You evaluate the current security level and find it lacking. You decide that you need to secure account passwords using strong encryption on domain controllers. Which utility should you use?
A System Key Utility

A Discretionary access control list
B System access control list
C Dynamic access control list
D Ownership information
4 You are attempting to troubleshoot some problems with access that you think can be traced back to membership in multiple groups. You want to ensure that all administrative accounts are able to perform the tasks they need to accomplish, but you want to remove the built-in accounts from all groups to which they’ve been added by another administrator, and give them only the access they had by default. You are a little confused because you know that the built-in accounts already belong to some groups at installation, and you don’t want to remove them from groups they are supposed to belong to. To which groups does the Domain Administrator account belong in Windows Server 2003 by default? (Select all that apply.)
A Schema Admins
B Enterprise Admins
C Group Policy Creator Owners
D Backup Operators
Planning and Implementing Wireless Security
5 You want to allow wireless clients the ability to change their passwords after they authenticate on the network. Which method of authentication should you implement for these clients?
A SSID password
B SSID network name
C Domain Administrator password
D Domain Administrator account should be renamed
7 You have a number of users who need to be able to roam through the building with their laptop computers and still stay connected to the network. Because of the nature of their work, it is important that they have relatively fast access for transferring a lot of very large data files over the network. You need to implement a wireless network that can connect devices up to 54 Mbps and a minimum of 24 Mbps. Which IEEE standard should you choose?
A 802.15
B 802.11a
C 802.11b
D 802.1x
8 You have hired a consultant to help set up wireless access points on your network. He tells you that you should turn on WEP for the wireless network to help protect it from intruders. You tell him that you have heard that WEP has many flaws and you think additional security measures should be implemented. He assures you that WEP works fine. What do you tell him are some of the problems with WEP?
A WEP does not use encryption
B WEP uses a short (24 bit) initialization vector (IV)
C WEP can use only a 40-bit key
D WEP uses a public key algorithm
Monitoring and Optimizing Security
9 Your junior administrator wants to change the name of a user account, but he is worried that if he does so, the user will have problems accessing resources that she had previously been given permissions for. The administrator doesn’t want to need to re-create all the group memberships for the newly named account. You tell him there is no need to worry; he can go ahead and change the name, and all the account properties will remain intact. What enables an account to retain its password, profile, group membership, user rights, and membership information?
A Group membership of the account
B Domain to which the account belongs as a member
C Password encryption method
D Security identifier (SID)
10 You suspect that one of your users has been trying to access data in a folder to which he is not supposed to have permission. You are trying to set auditing on this folder so you can see if there are any failed events in the log indicating that the user did try to open the folder. You enable object auditing in the domain’s Group Policy Object. However, when you go to add this user to be audited for access to the folder, you find that the folder’s property pages do not contain a Security tab. What could be the problem?
A Auditing is not set via the Security tab for folders because they don’t have such a tab
B You cannot audit folder access for a particular user
C The folder is not on an NTFS partition
D You must share the folder before you can audit it
Planning a Change and Configuration Management Framework
11 You need to configure Kerberos policies because you want to force user logon restrictions. You go to the computer of the user on whom you want to enforce these policies and access the Local Security Policy. However, in the GPO Editor, you cannot find Kerberos policies in the Security Settings node under Computer Configuration, under Windows Settings. What is the problem?
A You are looking in the wrong section; Kerberos policies are located in the User Configuration node
B You cannot set Kerberos policies through the Local Security Policy console
C You must first raise the domain functional level before Kerberos can be used and this option will appear in the GPO
D Another administrator has deleted the Kerberos policies node from the GPO
12 You have been analyzing all of your security configuration information as part of a new project that requires you to provide a detailed report on your network’s security to management. Toward that end, you need to evaluate the security database test.sdb at the command prompt. What command can you use to do this?
A secedit /validate test.sdb
B secedit /analyze test.sdb
C secedit /configure test.sdb
D secedit /export test.sdb
13 You want to set up auditing on several folders that contain important and sensitive information. There are other folders within the specified folders that contain less sensitive information, so you don’t want to audit them, because you want to put as little overhead burden on the network as you can. What happens to subfolders and files within a parent folder if auditing has been enabled?
A Subfolders only are audited
B Files only are audited; special access must be turned on for the folders to be audited
C Subfolders and files are audited
D No auditing is performed
14 A parent folder has auditing enabled. Two folders, Applications and Phone Listings, are listed under this parent folder. You need to have the Phone Listings folder audited but not the Applications folder. How can this be accomplished?
A It cannot; all subfolders are audited when the parent folder has auditing enabled
B Right-click the Applications folder, and click the Properties tab, select the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here
C Right-click the Phone Listings folder, click the Properties tab, select the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Audit entries defined here.
D Right-click the Phone Listings folder, click the Security tab, and click Advanced. Then select the Auditing tab and clear the check box that is labeled Inherit from parent the auditing entries that apply to child objects. Include these with entries explicitly defined here option.
Planning a Security Update Infrastructure
15 You need to install the Microsoft Software Update Services (SUS) within your domain to update security information on client computers. What are the minimum requirements that you should use for hardware for the server?
A Pentium III, 256MB RAM, NTFS with a minimum of 50MB for the installation folder and 6GB for SUS updates and Active Directory installed
B Pentium III, 512MB RAM, NTFS with a minimum of 100MB for the installation folder and 6GB for SUS updates without Active Directory installed
C Pentium III, 256MB RAM, NTFS with a minimum of 25MB for the installation folder and 6GB for SUS updates without Active Directory installed
D Pentium III, 512MB RAM, NTFS with a minimum of 50MB for the installation folder and 5GB for SUS updates and Active Directory installed
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
Chapter 12
MCSE 70-293
Planning, Implementing, and Maintaining a Public Key Infrastructure
Exam Objectives in this Chapter:
6 Planning, Implementing, and Maintaining Security Infrastructure
6.2 Plan a public key infrastructure (PKI) that uses Certificate Services
6.2.1 Identify the appropriate type of certificate authority to support certificate issuance requirements
6.1 Configure Active Directory directory service for certificate publication
6.2.2 Plan the enrollment and distribution of certificates
6.2.3 Plan for the use of smart cards for authentication
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
Public Key Infrastructure (PKI) is the method of choice for handling authentication issues in large enterprise-level organizations today. Windows Server 2003 includes the tools you need to create a PKI for your company and issue digital certificates to users, computers, and applications. This chapter addresses the complex issues involved in planning a certificate-based PKI. We’ll provide an overview of the basic terminology and concepts relating to the public key infrastructure, and you’ll learn about public key cryptography and how it is used to authenticate the identity of users, computers, and applications and services. We’ll discuss the role of digital certificates and the different types of certificates: user, machine, and application certificates.
You’ll learn about certification authorities (CAs), the servers that issue certificates, including both public CAs and private CAs such as the ones you can implement on your own network using Windows Server 2003’s certificate services. Next, we’ll discuss the CA hierarchy and how root CAs and subordinate CAs act together to provide for your organization’s certificate needs. You’ll find out how the Microsoft certificate services work, and we’ll walk you through the steps involved in implementing one or more certification authorities based on the needs of the organization. You’ll learn to determine the appropriate CA type – enterprise or stand-alone CA – for a given situation and how to plan the CA hierarchy and provide for security of your CAs. We’ll show you how to plan for enrollment and distribution of certificates, including the use of certificate requests, role-based administration, and auto-enrollment deployment.
Next, we’ll discuss how to implement the use of smart cards for authentication within the PKI. You’ll learn what smart cards are and how smart card authentication works, and we’ll show you how to deploy smart card logon on your network. We’ll discuss smart card readers and show you how to set up a smart card enrollment station. Finally, we’ll discuss the procedures for using smart cards to log on to Windows, for remote access and VPNs, and to log on to a terminal server.
Planning a Windows Server 2003 Certificate-Based PKI
Computer networks have evolved in recent years to enable an unprecedented sharing of information between individuals, corporations, and even national governments. The need to protect this information has also evolved, and network security has consequently become an essential concern of most system administrators. Even in smaller organizations, the basic goal of preventing unauthorized access while still enabling legitimate information to flow smoothly requires the use of more and more advanced technology.
In the mid-1990s, Microsoft began developing what was to become a comprehensive security system of authentication protocols and technology based on already developed cryptography standards known as Public Key Infrastructure (PKI). With the release of Windows 2000 Server, Microsoft used various existing standards to create the first Windows-proprietary PKI – one that could be implemented completely without using third-party companies. Windows Server 2003 expands and improves on that original design in several significant ways, which we’ll discuss later in this chapter.
Understanding Public Key Infrastructure
To understand how a PKI works, you first need to understand what it is supposed to do. The goals of your infrastructure should include the following:
■ Proper authentication
■ Confidentiality
■ Integrity
■ Non-repudiation
2003 is taken care of automatically by the operating system and is done behind the scenes.
The first goal, proper authentication, means that you can be highly certain that an entity such as a user or a computer is indeed the entity that he, she, or it is claiming to be. Think of a bank. If you wanted to cash a large check, the teller will more than likely ask for some identification. If you present the teller with a driver’s license and the picture on it matches your face, the teller can be highly certain that you are that person – that is, if the teller trusts the validity of the license itself. Because the driver’s license is issued by a government agency – a trusted third party – the teller is more likely to accept it as valid proof of your identity than if you presented an employee ID card issued by a small company that the teller has never heard of. As you can see, trust and authentication work hand in hand.
When transferring data across a network, confidentiality ensures that the data cannot be viewed and understood by any third party. The data might be anything from an e-mail message to a database of social security numbers. In the past twenty years, more effort has been spent trying to achieve the goal of data confidentiality than perhaps all the others combined. In fact, the entire scientific field of cryptology is devoted to ensuring confidentiality (as well as all the other PKI goals). Cryptology has even claimed a place in Hollywood – the movie Sneakers is just one example.
NOTE
Cryptography refers to the process of encrypting data; cryptanalysis is the process of decrypting, or “cracking,” cryptographic code. Together, the two make up the science of cryptology.
As important as confidentiality is, however, the importance of network data integrity should not be underestimated. Consider the extreme implications of a patient’s medical records being intercepted during transmission and then maliciously or accidentally altered before being sent on to their destination. Integrity gives confidence to a recipient that data has arrived in its original form and hasn’t been changed or edited.
Finally, we come to non-repudiation. A bit more obscure than the other goals, non-repudiation enables you to prove that a particular entity sent a particular piece of data. It is impossible for the entity to deny having sent it. It becomes extremely difficult for an attacker to masquerade as a legitimate user and then send malevolent data across the network. Non-repudiation is related to, but separate from, authentication.
Public Key Cryptography
The history of general cryptography almost certainly dates back to almost 2000 B.C. when Roman and Greek statesmen used simple alphabet-shifting algorithms to keep government communication private. Although complexity increased, not much changed until the 1970s, when the National Security Agency (NSA) worked with Dr. Horst Feistel to establish the Data Encryption Standard (DES) and Whitfield Diffie and Martin Hellman introduced the first Public Key Cryptography Standard (PKCS). Windows Server 2003 still uses Diffie-Hellman (DH) algorithms for Secure Sockets Layer (SSL), Transport Layer Security (TLS), and IP Security (IPSec).
DH algorithms are known collectively as shared secret key cryptographies, also known as symmetric key encryption. Say you have two users, Greg and Matt, who want to communicate privately. With DH, Greg and Matt each generate a random number. Each of these numbers is known only to the person who generated it. Part one of the DH function changes each secret number into a non-secret, or public, number. Greg and Matt now exchange the public numbers and then enter them into part two of the DH function. This results in a private key – one that is identical for both users. Using advanced mathematics, this shared secret key can be recovered only by someone with access to one of the original random numbers. As long as Greg and Matt keep the original numbers hidden, the shared secret key cannot be reversed.
Another major force in modern cryptography came about in the late 1970s. RSA Labs, founded by Ronald Rivest, Adi Shamir, and Leonard Adleman, furthered the concept of key cryptography by developing a technology of key pairs, where plaintext that is encrypted by one key can only be decrypted by the other matching key. Windows Server 2003 uses RSA technology in its various forms extensively for such things as Kerberos authentication and S/MIME. The theory goes something like this: Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair consisting of a public key and a private key. If Dave wants Dixine to send him an encrypted message, he first transmits his public key to Dixine. She then uses Dave’s public key to encrypt the message. Fundamentally, since Dave’s public key was used to encrypt, only Dave’s private key can be used to decrypt. When he receives the message, only he is able to read it. Security is maintained because only public keys are transmitted – the private keys are kept secret and are known only to their owners. Figure 12.1 illustrates the process.
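The Greg-and-Matt exchange described above, worked through in Python as an added example (not code from the book): the two parts of the DH function are separate functions, the agreed number is hashed into a symmetric key, and a peer value that would force a trivial secret is rejected. The group (p = 2^61 - 1, g = 2) and the function names are my own toy choices; real deployments use standardized groups of 2048 bits or more.

```python
"""Diffie-Hellman key agreement between Greg and Matt.

Added worked example, not code from the book. The group (p, g) is a toy
choice for readability; real deployments use standardized groups such as
the RFC 3526 MODP groups of 2048 bits or more.
"""
import hashlib
import secrets

# Constructed toy group: p is the Mersenne prime 2**61 - 1, generator g = 2.
P = 2**61 - 1
G = 2


def dh_part_one(secret: int) -> int:
    """Part one of the DH function: turn a secret number into a public one.

    The public number is g^secret mod p. Recovering the secret from it is
    the discrete logarithm problem, which is what keeps the exchange safe.
    """
    return pow(G, secret, P)


def dh_part_two(peer_public: int, own_secret: int) -> int:
    """Part two: combine the peer's public number with our own secret.

    Both sides end up with the same value because
    (g^a)^b mod p == (g^b)^a mod p.
    """
    if not 2 <= peer_public <= P - 2:
        # 0, 1 and p-1 force a trivial shared secret; a careful party rejects them.
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_secret, P)


def derive_symmetric_key(shared_secret: int) -> bytes:
    """Hash the agreed number into a fixed-length (32-byte) symmetric key."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def run_exchange(greg_secret=None, matt_secret=None):
    """Run the whole exchange.

    Returns (greg_key, matt_key, on_the_wire); on_the_wire holds the only
    two values an eavesdropper sees, the public numbers.
    """
    if greg_secret is None:
        greg_secret = secrets.randbelow(P - 2) + 1   # 1 .. p-2
    if matt_secret is None:
        matt_secret = secrets.randbelow(P - 2) + 1
    greg_public = dh_part_one(greg_secret)
    matt_public = dh_part_one(matt_secret)
    greg_key = derive_symmetric_key(dh_part_two(matt_public, greg_secret))
    matt_key = derive_symmetric_key(dh_part_two(greg_public, matt_secret))
    return greg_key, matt_key, (greg_public, matt_public)


if __name__ == "__main__":
    k_greg, k_matt, on_the_wire = run_exchange()
    print("public numbers exchanged:", on_the_wire)
    print("both sides derived the same key:", k_greg == k_matt)
```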
(where they are double encrypted by Microsoft’s Data Protection API, or DPAPI). Although a copy of the public keys is kept in the registry, and can even be kept in Active Directory, the private keys are vulnerable to deletion. If you delete a user profile, the private keys will be lost!
Figure 12.1 Public/Private Key Data Exchange (Data Exchange Using Public/Private Key Pairs). Goal: Dixine wants to send a secret message to Dave. Dave sends his public key to Dixine.
RSA can also be used to create “digital signatures” (see Figure 12.2 below). In the communication described above, a public key was used to encrypt a message and the corresponding private key was used to decrypt. If you invert the process, a private key can be used to encrypt and the matching public key to decrypt. This is useful, for example, if you want people to know that a document you wrote is really yours. If you encrypt the document using your private key, then only your public key can decrypt it. If people use your public key to read the document and they are successful, they can be certain that it was “signed” by your private key and is therefore authentic.
Figure 12.2 Digital Signatures. Step 2: Dixine sends the signed message and her public key to Dave. Dave uses Dixine’s public key to decrypt the signature.
Modern Cryptography 101
Thanks to two mathematical concepts, prime number theory and modulo algebra, most of today’s cryptography encryption standards are considered intractable – that is, they are unbreakable with current technology in a reasonable amount of time. For example, it might take 300 linked computers more than 1000 years to decrypt a message. Of course, quantum computing is expected to someday change all that, making calculations exponentially faster and rendering all current cryptographic algorithms useless – but don’t worry about that for now.
First, an explanation of the modulo operator. Think about elementary school where you first learned to do division. You learned that 19/5 equals 3 with a remainder of 4. You also probably concentrated on the 3 as the important number. Now, however, you get to look at the remainder. When you take the modulus of two numbers, the result is the remainder; therefore, 19 mod 5 equals 4. Similarly, 24 mod 5 also equals 4 (can you see why?). Finally, you can conclude that 19 and 24 are congruent in modulo 4. So how does this relate to cryptography and prime numbers?
The idea is to take a message and represent it by using a sequence of numbers. Call the sequence x_i. What you need to do is find three numbers that make the following modulo equation possible: (x^e)^d mod y = x
The first two numbers, e and d, are a pair and are completely interchangeable. The third number, y, is a product of two very large prime numbers (the larger the primes, the more secure the encryption). Prime number theory is too complex for an in-depth discussion here, but in a nutshell, remember that a prime number is only divisible by the number 1 and itself. This gives each prime number “uniqueness.”
After you have found these numbers (although we won’t go into how because this is the really deep mathematical part), the encryption key becomes the pair “e, y” and the decryption key becomes the pair “d, y.” Now it doesn’t matter which key you decide to make public and which key you make private, because they’re interchangeable. It’s a good thing that Windows Server 2003 does all the difficult work for us!
The Function of the PKI
The primary function of the PKI is to address the need for privacy throughout a network. For the administrator, there are many areas that need to be secured. Internal and external authentication, encryption of stored and transmitted files, and e-mail privacy are just a few examples. The infrastructure that Windows Server 2003 provides links many different public key technologies to give the IT administrator the power necessary to maintain a secure network.
Most of the functionality of a Windows Server 2003-based PKI comes from a few crucial components, which are described below. Although there are several third-party vendors, such as VeriSign (www.verisign.com), that offer similar technologies and components, using Windows Server 2003 can be a less-costly and easier-to-implement option – especially for small- and medium-sized companies.
Components of the PKI
Properly planning for and deploying a PKI requires familiarity with a number of components, including but not limited to the following:
In the following sections, we will discuss each of these in more detail.
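The sidebar’s equation (x^e)^d mod y = x carried through in Python, as an added example rather than the book’s own code: the key pair is built from the constructed primes p = 61 and q = 53 (so y = 3233), the same modular-exponentiation step serves as encrypt, decrypt, sign and verify, and a tampered signature fails to verify. This is textbook RSA without padding, so it is for understanding the arithmetic only; the function names are my own.

```python
"""Textbook RSA with tiny primes: the sidebar's (x^e)^d mod y = x.

Added worked example, not code from the book. Primes, exponent and message
are constructed. No padding is applied, so this illustrates the arithmetic
only; real systems use OAEP/PSS padding and keys of 2048 bits or more.
"""
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, y), (d, y)) from primes p and q; y = p*q is the modulus."""
    y = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of y
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # modular inverse: e*d = 1 (mod phi)
    return (e, y), (d, y)


def apply_key(key, numbers):
    """Raise every x_i to the key's exponent mod y.

    The same operation encrypts, decrypts, signs and verifies; only the
    exponent changes, which is why e and d are interchangeable.
    """
    exp, y = key
    if any(not 0 <= x < y for x in numbers):
        raise ValueError("each x_i must lie in 0 .. y-1")
    return [pow(x, exp, y) for x in numbers]


def text_to_numbers(text: str):
    """Represent a message as a sequence of numbers x_i (one per byte)."""
    return list(text.encode())


def numbers_to_text(numbers):
    return bytes(numbers).decode()


def encrypt(public_key, text: str):
    """Dixine encrypts with Dave's public key (e, y)."""
    return apply_key(public_key, text_to_numbers(text))


def decrypt(private_key, cipher):
    """Only Dave's private key (d, y) undoes the encryption."""
    return numbers_to_text(apply_key(private_key, cipher))


def sign(private_key, text: str):
    """Inverted use: the private key 'encrypts', producing a signature."""
    return apply_key(private_key, text_to_numbers(text))


def verify(public_key, text: str, signature) -> bool:
    """Anyone holding the public key checks the signature against the text."""
    return apply_key(public_key, signature) == text_to_numbers(text)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)           # y = 3233, d = 2753
    cipher = encrypt(public, "Hi Dave")
    print("ciphertext numbers:", cipher)
    print("decrypted:", decrypt(private, cipher))
    sig = sign(private, "Hi Dave")
    print("signature verifies:", verify(public, "Hi Dave", sig))
    tampered = sig[:]
    tampered[0] = (tampered[0] + 1) % 3233
    print("tampered signature verifies:", verify(public, "Hi Dave", tampered))
```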
PKI Enhancements in Windows Server 2003
Windows Server 2003 introduces many new enhancements that allow for a more easily implemented PKI solution. The following list items include the major highlights:
■ Auto-enrollment for Users Windows 2000 first introduced the concept of auto-enrollment for a PKI, but it was limited in scope to machine certificates. Windows Server 2003 now enables the automatic requesting and issuing of user certificates as well.
■ Key Archival and Recovery Exchange Server 2000 was the first Microsoft product to employ the capability to recover lost keys, but Windows Server 2003 now enables the retrieval of encryption private keys. This eliminates the need to completely reconstruct a user’s key pairs.
■ Delta Certificate Revocation Lists (Delta CRLs) Delta lists enable new additions to a CRL to be published without the need to publish the entire CRL again. Much like an incremental backup in theory, this advancement helps optimize network speed and simplifies the distribution of CRLs.
■ Triple DES and Advanced Encryption Standard (AES) Support With Windows Server 2003, Microsoft has adopted more components of the standard PKI endorsed by many organizations. The acceptance of 3-DES, or triple DES, in particular has been greatly anticipated by many cryptography experts. AES is still a relatively new standard, but possibly represents the future of encryption.
■ Qualified Subordination When linking an outside organization’s certification authority (CA) structure with your own, trust issues are paramount. New advancements enable the limiting of trust chains and enable the restriction of certificate types acceptable when issued by an external authority.
■ Version 2 Certificate Templates Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition provide many enhancements to the certificate templates found in Windows Server 2003 Standard Edition. Delta CRLs, user certificate auto-enrollment, and key archival/recovery are just some of the important enhancements that version 2 templates have.
Understanding Digital Certificates
In our previous discussion of public and private key pairs, two users wanted to exchange confidential information and did so by having one user encrypt the data with the other user’s public key. We then discussed digital signatures, where the sending user “signs” the data by using his or her private key. Did you notice the security vulnerability in these methods?
In this type of scenario, there is nothing to prevent an attacker from intercepting the data mid-stream and replacing the original signature with his or her own, using, of course, his or her own private key. The attacker would then forward the replacement public key to the unsuspecting party. In other words, even though the data is signed, how can you be sure of who signed it? The answer in the Windows PKI is the certificate.
Think of a certificate as a small and portable combination safe.The primary purpose ofthe safe is to hold a public key (although quite a bit of other information is also heldthere) Someone you trust must hold the combination to the safe – that trust is the basis forthe entire PKI system If I am a user and want to send you my public key so that you canencrypt some data to send back to me, I can just sign the data myself, but I am then vul-nerable to the attack mentioned above However, if I allow a trusted third-party entity totake my public key (which I don’t mind because they’re trustworthy), lock it away in thesafe, and then send the safe to you, you can ask the trusted party for the combination
When you open the safe, you can be certain that the public key and all other informationinside really belongs to me, because the safe came from a trustworthy source.The “safe” isreally nothing more than a digital signature, except that the signature comes from a univer-sally trusted third party and not from me.The main purpose of certificates, then, is to facili-tate the secure transfer of keys across an insecure network Figure 12.3 shows the properties
of a Windows certificate Notice that the highlighted public key is only part of the certificate
Figure 12.3 A Windows Server 2003 Certificate
Of the three general types of certificates found in a Windows PKI, the user certificate is perhaps the most common. User certificates are certificates that enable the user to do something that would not otherwise be allowed. The Enrollment Agent certificate is one example. Without it, even an administrator is not able to enroll smart cards and configure them properly at an enrollment station. Under Windows Server 2003, required user certificates can be requested automatically by the client and subsequently issued by a certification authority (discussed below) with no user intervention necessary.
Machine Certificates
Also known as computer certificates, machine certificates (as the name implies) give the system – instead of the user – the capability to do something out of the ordinary. The main purpose for machine certificates is authentication, both client-side and server-side. As stated earlier, certificates are the main vehicle by which public keys are exchanged in a PKI. Machine certificates are mainly involved with these behind-the-scenes exchanges and are normally overseen by the operating system. Machine certificates have been able to take advantage of Windows’ auto-enrollment feature since Windows 2000 Server was introduced. We will discuss auto-enrollment later in this chapter.
Application Certificates
The term application certificate refers to any certificate that is used with a specific PKI-enabled application. Examples include IPSec and S/MIME encryption for e-mail. Applications that need certificates are generally configured to automatically request them and are then placed in a waiting status until the required certificate arrives. Depending upon the application, the network administrator or even the user might have the capability to change or even delete certificate requests issued by the application.
Understanding Certification Authorities
EXAM 70-293 OBJECTIVE 6.2.1
Certificates are a way to transfer keys securely across an insecure network. If any arbitrary user were allowed to issue certificates, it would be no different from that user simply signing the data. For a certificate to be of any use, it must be issued by a trusted entity – an entity that both the sender and receiver trust. Such a trusted entity is known as a certification authority (CA). Third-party CAs such as VeriSign or Entrust can be trusted because they are highly visible and their public keys are well known to the IT community. When you are confident that you hold a true public key for a CA, and that public key properly verifies the signature on a certificate, you are then certain that the certificate was digitally signed by the CA and no one else. Only then can you be positive that the public key contained inside the certificate is valid and safe.
In a third-party, or external, PKI, it is up to the third-party CA to positively verify the identity of anyone requesting a certificate from it. Beginning with Windows 2000, Microsoft has allowed the creation of a trusted internal CA – possibly eliminating the need for an external third party. With a Windows Server 2003 CA, the CA verifies the identity of the user requesting a certificate by checking that user’s authentication credentials (using Kerberos or NTLM). If the credentials of the requesting user check out, a certificate is issued to the user. When the user needs to transmit his or her public key to another user or application, the certificate is used to prove to the receiver that the public key inside can be used safely.
In the analogy we used earlier, the state driver’s licensing agency is trusted because it is known that the agency requires proof of identity before issuing a driver’s license. In the same way, users can trust the certification authority because they know it verifies the authentication credentials before issuing a certificate.
CA Hierarchy
For a very small organization, it might be possible under Windows Server 2003 for you to use only one CA for all PKI functions. However, for larger groups, Microsoft outlines a three-tier hierarchical structure starting at the top with a root CA, moving downward to a mid-level CA, and finally an issuing-level CA. Both the mid-level CA and issuing-level CA are known as subordinate CAs.
Although there are certain advantages to using both external and internal CAs when planning an organization’s PKI, you should know that it is possible for a Windows Server 2003 root CA to trust an external root CA, but it is nearly impossible to get the external root CA to trust yours.
The reason is that external CAs are established and highly visible, and therefore easily verifiable to the outside world. Your internal CA is most definitely not. To prove your identity to the external authority, you must jump through a most rigorous set of hoops, and you must also justify the business need for such a relationship. If you go to Microsoft’s home Web site at www.microsoft.com and search for the words CA cross trust, you will find a white paper entitled Public Key Interoperability. This is a good place to start learning more about this complex topic.
Root CAs
When you first set up an internal PKI, no CA exists. The first CA created is known as the root CA, and it can be used to issue certificates to users or to other CAs. As mentioned earlier, in a large organization there usually is a hierarchy where the root CA is not the only certification authority. In this case, the sole purpose of the root CA is to issue certificates to other CAs to establish their authority.
The question then becomes: who issues the root CA a certificate? The answer is that a root CA issues its own certificate (this is called a self-signed certificate). Security is not compromised for two reasons. First, you will only implement one root CA in your organization, and second, configuring a root CA requires administrative rights on the server. The root CA should be kept highly secured because it has so much authority.
Subordinate CAs
Any certification authority that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher-level subordinate CA. After the subordinate CA receives the certificate, it can control CA policies and/or issue certificates itself, depending on your PKI structure and policies.
TEST DAY TIP
Remember that if a root or subordinate CA becomes compromised (e.g., the server’s hard drive is damaged), all CAs subordinate to it will lose their trust relationship and therefore their authority. Always keep current backups of your CAs. Worse still is the scenario in which a CA’s private key is obtained by an attacker. If the CA in question is your root CA, your entire PKI will be compromised.
How Microsoft Certificate Services Works
The Windows Server 2003 PKI does many things behind the scenes. Thanks in part to autoenrollment (discussed later in this chapter) and certificate stores (places where certificates are kept after their creation), some PKI-enabled features such as EFS work with no user intervention at all. Others, such as IPSec, require significantly less work than would be required without an advanced operating system.
Even though a majority of the PKI is handled by Windows Server 2003, it is still instructive to have an overview of how certificate services work.
1. First, a system or user generates a public/private key pair and then a certificate request.
2. The certificate request, which contains the public key and other identifying information such as user name, is forwarded to a CA.
3. The CA verifies the validity of the public key. If it is verified, the CA issues the certificate.
4. After it is issued, the certificate is ready for use and is kept in the certificate store, which can reside in Active Directory. Applications that require a certificate use this central repository when necessary.
In practice, it isn’t terribly difficult to implement certificate services, as the following exercise shows. Configuring the CA requires a bit more effort, as does planning the structure and hierarchy of the PKI – especially if you are designing an enterprise-wide solution. We’ll cover these topics later in this chapter.
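As an added illustration that is not part of this chapter and not Microsoft’s code, the following Python script ties together several of the ideas above: the interchangeable RSA key pair (e, y) and (d, y), the certificate as a “safe” that binds a name to a public key under a CA’s signature, a root/subordinate/issuing chain in which the root is self-signed, the four-step issuance process just listed, and the two limits that qualified subordination places on a CA (how many CA levels beneath it are trusted and which certificate purposes it may grant). The primes, the CA and subject names (“My Root CA”, “Issuing CA”, alice, bob, carol) and the purpose labels are constructed for the example; the keys are tiny so the arithmetic stays visible, and reducing the hash modulo n is a toy simplification, not how real RSA signatures are padded.

```python
"""Toy model of this chapter's building blocks: an RSA key pair, a certificate
signed by a CA, a root/subordinate/issuing chain and the path-length and purpose
limits of qualified subordination. Constructed example with tiny primes: not
cryptographically secure and not Microsoft's implementation."""
import hashlib
from math import gcd

def keygen(p, q, e=17):
    """Return ((e, n), (d, n)) for primes p and q; the chapter's 'y' is n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)      # modular inverse: Python 3.8+

def rsa(m, key):
    """The same operation serves both keys (m ** exponent mod n); applying the
    other key of the pair undoes it, which is why the pair is interchangeable."""
    exponent, n = key
    return pow(m, exponent, n)

def digest(data, n):
    # SHA-256, reduced below n only because the toy modulus is so small.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def tbs(cert):
    """Canonical 'to be signed' bytes: every field except the signature."""
    return repr((cert["subject"], cert["pubkey"], cert["issuer"],
                 sorted(cert["purposes"]), cert["path_len"])).encode()

def issue(issuer, issuer_priv, subject, subject_pub, purposes, path_len=None):
    """Steps 2 and 3 of the text: the request carries the subject's name and public
    key, and the CA binds them with its private key. path_len is the number of CA
    levels allowed beneath this certificate (None = no limit)."""
    cert = {"subject": subject, "pubkey": subject_pub, "issuer": issuer,
            "purposes": frozenset(purposes), "path_len": path_len}
    cert["sig"] = rsa(digest(tbs(cert), issuer_priv[1]), issuer_priv)
    return cert

def signature_ok(cert, issuer_pub):
    """Open the 'safe': the issuer's public key must recover the digest."""
    return rsa(cert["sig"], issuer_pub) == digest(tbs(cert), issuer_pub[1])

def verify_chain(chain, trusted_roots, purpose):
    """chain = [end entity, ..., root]; returns (ok, reason)."""
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != root["pubkey"]:
        return False, "root not in the trusted store"
    if not signature_ok(root, root["pubkey"]):          # self-signed root
        return False, "root self-signature invalid"
    for i in range(len(chain) - 1, 0, -1):              # walk down from the root
        ca, child = chain[i], chain[i - 1]
        if child["issuer"] != ca["subject"] or not signature_ok(child, ca["pubkey"]):
            return False, f"{child['subject']}: signature by {ca['subject']} invalid"
        if "ca" not in ca["purposes"]:
            return False, f"{ca['subject']} is not permitted to act as a CA"
        if ca["path_len"] is not None and i - 1 > ca["path_len"]:
            return False, f"too many CA levels beneath {ca['subject']}"
        if not child["purposes"] <= ca["purposes"]:     # qualified subordination
            return False, f"{child['subject']} claims purposes {ca['subject']} may not grant"
    if purpose not in chain[0]["purposes"]:
        return False, f"{chain[0]['subject']} is not valid for {purpose}"
    return True, "ok"

# Constructed hierarchy (made-up names; real keys are thousands of bits long).
ROOT_PUB, ROOT_PRIV = keygen(1009, 1013)
SUB_PUB, SUB_PRIV = keygen(1019, 1031)
ALICE_PUB, ALICE_PRIV = keygen(1033, 1039)
ROOT = issue("My Root CA", ROOT_PRIV, "My Root CA", ROOT_PUB, {"ca", "email", "smartcard"})
SUB = issue("My Root CA", ROOT_PRIV, "Issuing CA", SUB_PUB, {"ca", "email"}, path_len=0)
ALICE = issue("Issuing CA", SUB_PRIV, "alice", ALICE_PUB, {"email"})
TRUSTED = {"My Root CA": ROOT_PUB}      # the client's local store of root certificates

def keys_interchangeable(m=424242):
    """Encrypt with one key and decrypt with the other, in either order."""
    return rsa(rsa(m, ALICE_PUB), ALICE_PRIV) == m == rsa(rsa(m, ALICE_PRIV), ALICE_PUB)

def substituted_key_detected():
    """The vulnerability in the text: someone swaps in a different public key.
    The CA signed the original key, so the certificate no longer verifies."""
    other_pub, _ = keygen(1049, 1051)
    tampered = dict(ALICE, pubkey=other_pub)
    return not signature_ok(tampered, SUB_PUB)

def qualified_subordination_examples():
    """Issuing CA (path_len=0, purposes ca+email) oversteps in two ways."""
    deep_pub, deep_priv = keygen(1061, 1063)
    deep_ca = issue("Issuing CA", SUB_PRIV, "Deep CA", deep_pub, {"ca", "email"})
    bob_pub, _ = keygen(1069, 1087)
    bob = issue("Deep CA", deep_priv, "bob", bob_pub, {"email"})
    too_deep = verify_chain([bob, deep_ca, SUB, ROOT], TRUSTED, "email")
    carol_pub, _ = keygen(1091, 1093)
    carol = issue("Issuing CA", SUB_PRIV, "carol", carol_pub, {"smartcard"})
    wrong_purpose = verify_chain([carol, SUB, ROOT], TRUSTED, "smartcard")
    return too_deep, wrong_purpose
```

`verify_chain([ALICE, SUB, ROOT], TRUSTED, "email")` returns `(True, "ok")`; passing an empty trusted store instead of `TRUSTED` fails at the root, which is the point of the local certificate store the text describes. `qualified_subordination_examples()` shows the Issuing CA being refused both a sub-CA beneath it and a smart card certificate, which is what limiting the depth and purposes of an external or subordinate CA means in practice.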
EXERCISE 12.01
1. After logging on with administrative privileges, click Start | Control Panel, and then click Add/Remove Programs.
2. Click Add/Remove Windows Components, and then check Certificate Services. This selects both sub-components of certificate services, which are Certificate Services CA and Certificate Services Web Enrollment Support. If Web enrollment support is not checked, you will not be able to complete Exercise 12.03.
3. A warning dialog box appears telling you that after certificate services have been installed you will not be able to change the machine’s domain membership or change its computer name. Click Yes to continue.
4. You now must choose the type of CA to establish, as seen in Figure 12.4. You have two decisions to make – that of root vs. subordinate and enterprise vs. standalone (discussed later in this chapter). For this exercise, click Enterprise root CA and click Next. If you checked Use custom settings to generate the key pair and CA certificate, you would be prompted to choose a custom cryptographic service provider (CSP), a hash algorithm, and a key length. You could also elect to use an existing key or to use an imported one.
Figure 12.4 Choosing the CA Type
5. The next dialog box presented is the CA Identifying Information box. See Figure 12.5. Enter a common name for the CA. For this exercise, type My Root CA. The distinguished name suffix is provided by the operating system and is used along with the common name you just typed in to form the distinguished name. Note that you can also change the default five-year validity period of the CA. You can set the validity period as a number of days, weeks, months, or years. Click Next to continue.
Figure 12.5 Naming the CA
6. After the key pair is generated, the Certificate Database Settings dialog box appears. As in Figure 12.6, you will notice that both the certificate database and certificate database log textboxes are already filled with default values. You may elect to Store configuration information in a shared folder, but do not check it for purposes of this exercise. Click Next to complete the installation. After Windows Server 2003 has completed its work (you might be notified during this process that the Internet Information Service (IIS) will stop if you have IIS running on this machine), click Finish. During the configuration process, you might be prompted to insert your Windows Server 2003 installation CD or enter the path to the installation files on the hard disk or on a network share. You will also be notified that Active Server Pages (ASP) must be enabled in IIS to provide Web enrollment services. Click Yes to enable ASP.
Pay special attention to the warning given in step 3 in the above exercise. Because the distinguished name of the CA is a part of the certificates it issues, renaming the server or removing it from the domain is not allowed. Windows Server 2003 uses the X.500 standard for distinguished names.
Implementing Certification Authorities
Planning a PKI structure that includes multiple CAs in a hierarchy with proper security can be a test in patience and fortitude. The actual implementation, however, is relatively simple. In Exercise 12.01, you installed certificate services and chose to create an enterprise root CA. That’s pretty much it for the implementation of a CA, but there is much more involved in the configuration process. Before we talk about the differences between enterprise and stand-alone CAs, and the security concerns involved, we’ll go over the many options you have control over in the following exercise.
Figure 12.6 Selecting the Certificate Database Location
EXERCISE 12.02
In this exercise, we’ll explore the different properties you have control over when configuring a CA. We won’t go over all the options now, but we will cover them all in this chapter.
1. Click Start | Administrative Tools | Certification Authority (note that certificate services must be installed before this step – see Exercise 12.01; otherwise, this choice will not appear in the Administrative Tools menu).
2. In the left pane of the Certification Authority snap-in, click My Root CA (or whichever CA name you have listed) and expand it. As Figure 12.7 shows, this is where you can view revoked and issued certificates, pending and failed certificates, and certificate templates (discussed later in this chapter).
Figure 12.7 The Certification Authority Snap-In
3. Highlight My Root CA and right-click it. Click Properties. Figure 12.8 shows the General tab. Here, all installed CA certificates are listed as well as the CSP and hash algorithms used. Click View Certificate if you want to see the certificate itself.
Figure 12.8 General Tab of the CA Property Sheet
4. Click the Policy Module tab. A policy module defines how the CA handles incoming certificate requests. Notice in Figure 12.9 that the Windows default policy is listed. The Select button is used to choose a different policy module, usually a customized version. Click the Properties button (see Figure 12.10). The default setting tells the CA to follow the settings in the certificate template if applicable and to automatically issue the certificate otherwise. The other setting tags all incoming requests to pending status, forcing the administrator to manually approve or deny each certificate request. Keep the default setting and click OK to return to the CA property sheet.
Figure 12.9 Policy Module Tab of the CA Property Sheet
Figure 12.10 Request Handling Tab of the Default Policy Module
5. Click the Exit Module tab. Whereas a policy module defines how a CA handles incoming certificate requests, an exit module defines what a CA does with certificates that it issues. Figure 12.11 shows that the Windows default policy is listed. In addition to the Add and Remove buttons, there is a Properties button. Click the Properties button. Figure 12.12 shows that the only setting is to allow certificates to be published to the file system if a certificate template dictates, which the default policy does not allow. Again, keep the default setting and click OK to return to the CA properties sheet. Skip the Extensions tab for now; we’ll discuss it when we talk about certificate revocations later in the chapter.
Figure 12.11 Exit Module Tab of the CA Property Sheet
Figure 12.12 Publication Settings Tab of the Default Exit Module
6. Click the Storage tab. Note that the default settings cannot be changed because Active Directory is being used. We’ll discuss more about the relationship between Active Directory and enterprise CAs later in this chapter.
7. Click the Certificate Managers Restrictions tab. The default setting here tells the CA to not restrict certificate managers. As an administrator, you can designate certificate managers by giving them the Issue and Manage Certificates permission. By changing the default, you can specifically restrict the users, groups, and computers over which a certificate manager has control.
8. Click the Auditing tab. As seen in Figure 12.13, there are many events that you can monitor – each concerned with a different aspect of security. Especially important are the Change CA configuration, Change CA security settings, and Issue and manage certificate requests events. Skip the Recovery Agents tab; we’ll cover it during our discussion of key archival and recovery.
Figure 12.13 Auditing Tab of the CA Property Sheet
9. Click the Security tab. The Security tab, shown in Figure 12.14, enables you to grant or deny access to users over several key areas of the CA. Note that the Issue and Manage Certificates permission denotes a certificate manager, whereas the Manage CA permission gives authoritative access to the entire CA. Click Cancel to return to the CA snap-in.
Figure 12.14 Security Tab of the CA Property Sheet
Analyzing Certificate Needs within the Organization
You’ve just concluded a tour of most of the properties associated with a CA, but knowing what you can do does not mean that you know what you should do. To find out more about what you should do, you need to analyze the certificate needs of your organization and then move on to create an appropriate CA structure.
According to Microsoft’s TechNet, the analysis of certificate needs springs primarily from “the analysis of business requirements and the analysis of applications that benefit from PKI-based security.” In other words, when designing a PKI/CA structure, you need to understand the different uses for certificates and whether your organization needs to use certificates for each of these purposes. Examples include SSL for a secure Web server, EFS for encryption of files, and S/MIME for encryption of e-mail messages. The use of S/MIME might dictate that your CA hierarchy has a trust relationship with external CAs, and the use of SSL might lead you to implement a stand-alone CA instead of an enterprise CA. Thus, analyzing these needs before you implement your PKI can save you a lot of time and trouble.
Determining Appropriate CA Type(s)
For most administrators, the most significant factor in designing a CA structure is the amount of PKI-related traffic on the network. If you run a small organization without an Internet presence, for example, a single-root CA that issues certificates directly to users will probably fit the bill. However, in a larger organization, a CA hierarchy is likely to be more appropriate.
The first choice when determining appropriate CA types for your PKI is how many subordination levels to use. One level, the root, is required. Two, three, and even four subordination levels are relatively common, but the three-tier model is the one most referenced and most frequently used. So how does the three-tier model work? We’ve discussed previously the differences between a root CA and a subordinate CA, and that a root CA issues certificates to the second-tier subordinates. In the standard three-tier model, the root CA has the job of issuing certificates to the second tier. That’s all it really does. Certainly it has the capability of doing more – it could even issue certificates to users. However, in a large company, the amount of traffic generated by even a few PKI-aware applications could easily overwhelm a single CA. Also, if you shift the responsibility of issuing certificates to subordinate CAs, you can take the root CA offline – meaning that you detach it from the network entirely. This provides a very high level of security, because attackers have no way of getting to the machine. When a subordinate CA requires a certificate from the root, you can either briefly connect the root CA to the network and then remove it again, or you can literally use a floppy disk.
The intermediate level of CAs, the one just below the root, has the responsibility for controlling certificate policy and issuing certificates to the bottom-level CAs. These bottom-level CAs are the ones that actually issue certificates to users, machines, and applications. The question then becomes: why don’t the intermediate CAs just issue the user certificates directly? The answer is that although they can, it just isn’t as scalable as the three-tier model. It is easier to add CAs to the hierarchy that are concerned only with issuing certificates and not involved with policies such as key length and CSP choice.
After you have determined the hierarchical structure of your CAs, you will need to determine which CAs are set up as enterprise CAs and which ones are set up as stand-alone CAs before implementing them. You may recall that in Exercise 12.01 you installed certificate services and chose an enterprise root CA. The choice in your network will depend on several different factors, such as your needed level of security. Both enterprise and stand-alone CAs have advantages and disadvantages. We’ll explore some of them in the following sections.
Enterprise CAs
An enterprise CA is tied into Active Directory (AD) and is required to use it. In fact, a copy of its own CA certificate itself is stored in Active Directory. Perhaps the biggest difference between an enterprise CA and a stand-alone CA is that enterprise CAs use Kerberos or NTLM authentication to validate users and computers before certificates are issued. This provides additional security to the PKI because the validation process relies on the strength of the Kerberos protocol and not a human administrator. Enterprise CAs also use templates, which are described later in this chapter, and they can issue every type of certificate.
There are also several downsides to an enterprise CA. In comparison to a stand-alone CA, enterprise CAs are more difficult to maintain and require a much more in-depth knowledge about Active Directory and authentication. Also, because an enterprise CA requires Active Directory, it is nearly impossible to remove it from the network. If you were to do so, the Directory itself would quickly become outdated – making it difficult to resynchronize with the rest of the network when brought back online. This forces an enterprise CA to remain attached to the network, leaving it vulnerable to attackers.
Stand-Alone CAs
Stand-alone CAs do not require Active Directory (although they can use AD information if it is available), and are usually used as either secure root CAs or as an issuer to such applications as stand-alone Web servers. Stand-alone CAs are generally not suitable for enterprise-type applications. Because certificate templates are not used on a stand-alone CA, a standalone is more basic and easier to maintain than an enterprise CA. A stand-alone CA keeps a copy of its CA certificate in a shared folder, and if Active Directory is not used, users that need to request certificates need to know the location of the CA. Finally, stand-alone servers can be secured by removing them from the network.
The disadvantages to a stand-alone CA are that an administrator must manually approve or deny every certificate request individually, a stand-alone CA cannot issue log-on certificates, and templates cannot be used with a stand-alone CA, so a key recovery agent cannot be established (we discuss the key recovery agent template below).
EXAM WARNING
A stand-alone CA does not need Active Directory as an enterprise CA does. For test day, remember that without Active Directory, all certificate requests made to a stand-alone CA are automatically tagged as pending. This means that automatic fulfillment is not available and an administrator must manually approve or deny each incoming request. Under Windows Server 2003, stand-alone CAs can be configured to accept requests automatically, but that is not the default setting.
Planning the CA Hierarchy
There is more than meets the eye when planning a CA hierarchy. We’ve already discussed choices you will need to make between root and subordinate and between enterprise and standalone. You will also need to consider possible cross-trust hierarchies and the establishment of the key recovery agent.
Cross-Trust Hierarchies
For a PKI entity to use a certificate provided by a CA, the entity must trust that CA. This trust is established when the entity has a copy of the CA’s certificate located in its local certificate store. Using the public key contained in the certificate, the entity can verify the CA’s digital signature. How, then, does the certificate get from the CA to the entity’s local store? Unfortunately, there is not just one answer. Group policies under Active Directory, preloaded certificates in Windows Server 2003, and downloads from the Windows Update Web site are the most common ways.
The chain of trust from an issuing CA all the way up to the root CA must be verified by an entity requesting a certificate for the certificate to be accepted. In a small, local network operation this is easy to accomplish. However, when your organization must exchange data with external parties, there needs to be a way to recognize and trust a third-party CA as if it were a part of your local chain of trust. There are two ways to do this:
■ You can use a certificate trust list, or CTL.
■ You can create a cross-trust hierarchy, which enables an external CA to be viewed as a subordinate CA in your local trust chain.
Using a CTL or a cross-trust hierarchy under previous versions of Windows presented a central problem. When an external CA gained trust status, every certificate issued by it and all of its subordinate CAs were automatically trusted. New to Windows Server 2003 is a feature called qualified subordination. Qualified subordination enables you to specify how many subordinates can be trusted, and it also enables you to specify the purposes of certificates that can be accepted from the external CAs.
Key Recovery Agent
As when a person has locked his or her keys inside the car, lost encryption keys in a PKI can be troublesome. Luckily, Windows Server 2003 provides a locksmith of sorts (called a Registration Authority, or RA) that earlier versions of Windows did not have. A key recovery solution, however, is not easy to implement and requires several steps. The basic method follows:
1. Create an account to be used for key recovery.
2. Create a new template to issue to that account.
3. Request a key recovery certificate from the CA.
4. Have the CA issue the certificate.
5. Configure the CA to archive certificates by using the Recovery Agents tab of the CA property sheet (shown in Figure 12.15).
6. Create an archive template for the CA.
Each of these steps requires many substeps, but can be well worth the time and effort. It is worth noting again that key recovery is not possible on a stand-alone CA, because a standalone cannot use templates. It is also worth noting that only encryption keys can be recovered; private keys used for digital signatures cannot be.
TEST DAY TIP
Key archival and recovery rely on a version 2 template, which is only available in Windows Server 2003 Enterprise or Datacenter Editions. If you’re using Windows Server 2003 Standard Edition, the Recovery Agents tab won’t even be visible, because the Standard Edition only supports version 1 templates.
Figure 12.15 Recovery Agents Tab of the CA Property Sheet
Planning CA Security
The two fundamentals of CA security are to guard the CA hierarchy from attackers and to configure the hierarchy for disaster recovery. The first of these requires a good deal of planning. For starters, you need to know the physical and logical location of the root CA. For extreme security, the CA can be physically located in a locked closet with a lights-out configuration (“lights out” refers to a server that has neither a monitor nor a keyboard attached). In most cases, however, lights out would be appropriate only after the entire PKI is set up. Remember that you will need to use the root CA every time a subordinate CA needs to request a certificate.
As we have already discussed, configuring the root CA as a standalone is probably the most important measure you can take to prevent accidental or intentional tampering. With no network connectivity, attacks become virtually impossible, since a user would have to log on while sitting at the physical location of the server. Other security considerations are really more a function of general server security: things such as requiring complex passwords and implementing file encryption.
In guarding the hierarchy, you cannot solely concentrate on the root CA. After all, if a subordinate CA is tampered with, every entity below it in the PKI hierarchy becomes compromised. Most subordinate CAs are attached to the network. This obviously increases their vulnerability. Beyond securing the network itself (by using IPSec and group policies, for example), there is another part of a standard PKI that helps maintain CA integrity. That part is certificate revocation, which we will go into in greater detail shortly. Certificate revocation enables an administrator to warn PKI clients about certificates that might not be authentic or that might have been issued by a rogue CA.
Disaster recovery applies to every CA in the hierarchy, but especially at the root. That being said, the importance of performing proper backups cannot be overstated. A periodic full backup (for example, weekly) with more frequent incremental backups (for example, daily) is recommended. For your organization, configuring the hierarchy for a disaster may also include installing additional CAs that are responsible for more narrow responsibilities. For example, you might want one CA to issue smart card certificates and nothing more. That way, if the CA is lost, it is not as difficult to replace. Finally, remember Windows Server 2003’s capability to archive and recover keys.
TEST DAY TIP
As mentioned above, the first concern of PKI security is keeping the root CA secure. Because Microsoft recommends that you configure the root CA as offline and standalone, the machine should not be a domain controller. Domain controllers need to be available for replication and cannot be offline a majority of the time.
Trang 37Certificate Revocation
A CA's primary duty is to issue certificates, either to subordinate CAs or to PKI clients. However, each CA also has the capability to revoke those certificates when necessary. The tool that the CA uses for revocation is the certificate revocation list, or CRL. The act of revoking a certificate is simple: from the Certification Authority console, simply highlight the Issued Certificates container, right-click the certificate and choose All Tasks | Revoke Certificate. The certificate will then be located in the Revoked Certificates container.
When a PKI entity verifies a certificate's validity, that entity checks the CRL before giving approval. The question is: how does a client know where to check for the list? The answer is the CDPs, or CRL Distribution Points. CDPs are locations on the network to which a CA publishes the CRL. In the case of an enterprise CA under Windows Server 2003, Active Directory holds the CRL; for a standalone CA, the CRL is located in the certsrv\certenroll directory. Each certificate has a location listed for the CDP; when the client views the certificate, it then understands where to go for the latest CRL. Figure 12.16 shows the Extensions tab of the CA property sheet, where you can modify the location of the CDP.
For a CA to publish a CRL, use the Certification Authority console to right-click the Revoked Certificates container and choose All Tasks | Publish. From there, you can choose to publish either a complete CRL or a Delta CRL.
Figure 12.16 Extensions Tab of the CA Property Sheet
Delta CRLs are new to Windows Server 2003. They enable a CA to publish only changes made to the original CRL. Since they are much smaller than the entire CRL, network traffic is minimized.
Whether you select a New CRL or a Delta CRL, you are next prompted to enter a publication interval (the most frequent intervals chosen are one week for full CRLs and one day for Delta CRLs). Clients cache the CRL for this period of time and then check the CDP again when the period expires. If an updated CDP does not exist or cannot be located, the client automatically assumes that all certificates are invalid.
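The console steps described in this section (revoking a certificate, setting the publication intervals, publishing a base or Delta CRL, and checking where the CDP points) can also be performed with certutil at a command prompt on the CA. The following is an added example and is not part of the book; the serial number, CA name and certificate path are placeholders that you replace with your own values.

```powershell
# Added example (not from the book): certutil equivalents of the console steps above,
# run at a command prompt on the CA. Placeholder values are marked as such.

# 1. Revoke an issued certificate by serial number (PLACEHOLDER serial below).
#    The trailing number is the reason code: 0 Unspecified, 1 KeyCompromise,
#    2 CACompromise, 3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation,
#    6 CertificateHold (the only reason that can later be undone).
certutil -revoke 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d 1

# 2. Set the publication intervals the text recommends: weekly base CRL, daily Delta CRL.
#    These are the values the console prompts you for when you publish.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
# Registry changes are read when the Certificate Services service restarts.
net stop certsvc
net start certsvc

# 3. Publish a new base CRL, then a Delta CRL (the same as All Tasks | Publish).
certutil -crl
certutil -crl delta

# 4. Show the CDP URLs this CA stamps into issued certificates and where it writes the CRL.
certutil -getreg CA\CRLPublicationURLs

# 5. Inspect the published CRL: thisUpdate / nextUpdate show the window clients cache it for,
#    and the entry list shows the revoked serial numbers (PLACEHOLDER CA name in the path).
certutil -dump "C:\WINDOWS\system32\certsrv\CertEnroll\<CA Name>.crl"

# 6. Check a certificate the way a relying party would: follow its CDP extension,
#    fetch the CRL and report the revocation status (PLACEHOLDER file path).
certutil -verify -urlfetch "C:\temp\issued.cer"
```

Step 6 is the useful check after any change in steps 2 to 4: if the CDP URL in the certificate is unreachable from the client network, the output reports the revocation check as failed even though the certificate itself is valid, which is exactly the failure mode the text describes when a client cannot locate an updated CRL.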
Planning Enrollment and Distribution of Certificates
For a PKI client to use a certificate, two basic things must happen. First, a CA has to make the certificate available, and second, the client has to request the certificate. Only after these first steps can the CA issue the certificate or deny the request. Making the certificate available is done through the use of certificate templates and is a topic that we discuss in detail in the next section. As for the client, there are three methods of requesting certificates, all three of which are essential to a thorough understanding of PKI:
■ Auto-enrollment
■ The Certificates snap-in
■ The Certificates Web page
We will discuss each in more detail in the section titled Certificate Requests.
Certificate Templates
A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. Many built-in templates can be viewed using the Certificate Templates snap-in (see Figure 12.17). The snap-in can be run by right-clicking the Certificate Templates container located in the Certification Authority console (described in Exercise 12.02) and clicking Manage. You can use one of the built-in templates or create your own.
When creating your own template, you have multiple options that will guide the CA in how to handle incoming requests. The first step in the creation process is to duplicate an existing template. You do this by using the Certificate Templates snap-in, then right-clicking the template you wish to copy and selecting Duplicate Template. On the General tab that appears by default (seen in Figure 12.18), there are time-sensitive options such as validity period and renewal period. Note the default validity period of one year and the default renewal period of six weeks. There are also general options such as the template display name and a check box for publishing the certificate in Active Directory.
Figure 12.17 Certificate Templates Snap-In
Figure 12.18 General Tab of the New Template Property Sheet
The Request Handling tab, shown in Figure 12.19, has options including minimum key size and certificate purpose. The certificate purpose can be encryption, signature, or signature and encryption. There is also an option to allow the export of the private key. Finally, you can instruct the CA how to act when the subject's request is received and which CSPs to use.
The Subject Name tab seen in Figure 12.20 gives you the choice of obtaining subject name information from Active Directory or from the certificate request itself. In the latter case, auto-enrollment (which we'll discuss later in the chapter) is not available.
Figure 12.19 Request Handling Tab of the New Template Property Sheet
Figure 12.20 Subject Name Tab of the New Template Property Sheet
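The settings on the General, Request Handling and Subject Name tabs are stored as attributes on the template objects in Active Directory, so they can be audited across the whole forest without opening each template in the snap-in. The following PowerShell is an added example, not code from the book; it assumes a domain-joined machine with read access to the Configuration partition, and the function and variable names are ours.

```powershell
# Added example (not from the book): report, for every certificate template in the forest,
# the settings controlled by the General, Request Handling and Subject Name tabs.
# Assumes a domain-joined machine with read access to the Configuration partition.

function Convert-PkiPeriodToDays {
    param([byte[]]$Value)
    # pKIExpirationPeriod (validity) and pKIOverlapPeriod (renewal) are stored as a
    # negative 64-bit count of 100-nanosecond intervals, little-endian.
    # One day is 864,000,000,000 of those ticks.
    if (-not $Value) { return $null }
    $ticks = [BitConverter]::ToInt64($Value, 0)
    return [math]::Round((-$ticks) / 864000000000, 1)
}

function Get-CertTemplateAudit {
    $CT_FLAG_EXPORTABLE_KEY            = 0x10   # bit in msPKI-Private-Key-Flag
    $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # bit in msPKI-Certificate-Name-Flag
    $CT_FLAG_PUBLISH_TO_DS             = 0x8    # bit in msPKI-Enrollment-Flag

    $rootDse   = [ADSI]"LDAP://RootDSE"
    $configNC  = $rootDse.Properties["configurationNamingContext"].Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    foreach ($tpl in $container.Children) {
        # [int] on a missing attribute yields 0, so older (v1) templates report no flags set.
        $keyFlags    = [int]($tpl.Properties["msPKI-Private-Key-Flag"].Value)
        $nameFlags   = [int]($tpl.Properties["msPKI-Certificate-Name-Flag"].Value)
        $enrollFlags = [int]($tpl.Properties["msPKI-Enrollment-Flag"].Value)

        [pscustomobject]@{
            Template           = $tpl.Properties["displayName"].Value
            # General tab
            ValidityDays       = Convert-PkiPeriodToDays $tpl.Properties["pKIExpirationPeriod"].Value
            RenewalDays        = Convert-PkiPeriodToDays $tpl.Properties["pKIOverlapPeriod"].Value
            PublishedInAD      = (($enrollFlags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0)
            # Request Handling tab: key spec 1 = exchange key (encryption, or signature and
            # encryption), 2 = signature-only key
            MinKeySize         = [int]($tpl.Properties["msPKI-Minimal-Key-Size"].Value)
            KeySpec            = [int]($tpl.Properties["pKIDefaultKeySpec"].Value)
            ExportablePrivKey  = (($keyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
            # Subject Name tab: $true means the name comes from the request, so
            # auto-enrollment is not available for this template
            SubjectFromRequest = (($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
        }
    }
}

# Usage: list every template, longest validity first.
Get-CertTemplateAudit | Sort-Object ValidityDays -Descending | Format-Table -AutoSize
```

The two columns worth reviewing on a regular basis are ExportablePrivKey and SubjectFromRequest: the first tells you which templates allow a private key to leave the machine it was generated on, and the second tells you which templates cannot be auto-enrolled because the requester, not Active Directory, supplies the subject name. Compare the ValidityDays and RenewalDays columns against the one-year and six-week defaults mentioned above to spot templates that were changed from a duplicate.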