Case Study Lucerne Publishing

Lucerne Publishing is a global publishing company with a two-tier CA hierarchy. Mike Danseglio manages the development team at Lucerne Publishing. Over the past year, Lucerne Publishing has been hit by several macro viruses. The primary cause of the virus outbreaks is users opening unauthorized macros in Microsoft Office documents. To restrict the macros that can be executed, you decide to start digitally signing all VBA projects created by your development team. In addition, Internet Explorer...

Verifying the Signature

Once a digital signature is applied to an application, a user who loads the application will want to validate the application's signature. In Internet Explorer, when you select to install an application, a Security Warning dialog box appears indicating that the installation control is digitally signed. (See Figure 21-4.) Figure 21-4 Verifying the signature on an application in Internet Explorer Figure 21-4 Verifying the signature on an application in Internet Explorer In this case, the...

Policy CA

A special category of intermediate CA is a policy CA. A policy CA describes the pol icies and procedures an organization implements to validate certificate-holder iden tity and secure the CAs in the CA hierarchy. A policy CA only issues certificates to Note If a self-signed certificate is not included in the trusted root store, it is considered a nontrusted root CA. If revocation checking is enabled in an application, a certificate that is chained to a nontrusted root CA is considered...

Migrating from Previous Exchange Server Versions

Previous versions of Microsoft Exchange Server implemented the Key Manage ment Service (KMS) to provide recovery of encryption private keys associated with S MIME. In these Microsoft Exchange environments, the KMS requested the S MIME encryption certificates on behalf of the e-mail user, allowing the KMS to archive the e-mail encryption certificate's private key. With the Windows Server 2003 enterprise CA, it is possible to have all encryp tion certificates archived in the same location, rather...

Application Policies

Applications use application policy OIDs to determine whether a certificate can be used for a given purpose, such as authenticating a user, encrypting data, or signing a device driver. When an application receives signed information from a user, it reviews the certificate associated with the private key and verifies that the certificate contains the required application policy OID. Likewise, if the application queries the user's certificate store for an application to use for signing, the...

Defining Key Recovery Agents

To define a key recovery agent, you must ensure that a Key Recovery Agent certificate is issued to the designated user. The default Key Recovery Agent certificate template requires that certificate issuance be validated by a certificate manager. The process described in the next section assumes that this requirement does not change. Note The holder of the private key associated with the Key Recovery Agent certificate is, ultimately, the key recovery agent. In that respect, the subject name of...

Installing and Exporting the Key Recovery Agent Certificates

Once a certificate is issued, the Key Recovery Agent certificate requestor can complete the installation by performing the following process 1. Open Internet Explorer at the same computer where the original request was submitted. 2. In Internet Explorer, open the URL http CertSrvDNS certsrv (where CertSrvDNS is the Domain Name System name of the certification authority issuing the Key Recovery Agent certificates). 3. On the Welcome page, click the View the Status of a Pending Certificate...

Version

Released in 1996, the X.509 version 3 format introduced extensions to address the problems associated with matching the Issuer Unique ID with the Subject Unique ID, as well as other certificate-validation issues. An X.509 version 3 certificate can contain one or more certificate extensions. (See Figure 2-3.) Note In addition to introducing the Issuer Unique ID and Subject Unique ID fields, the X.509 version 2 certificate's Version field changed to a value of 2 to indicate the version number....

How Code Signing Works

Code signing adds a digital signature to an executable file (.exe), a dynamic link library file (.dll), an Active X control, a cabinet file (.cab), a java archive file (.jar), a Java applet, or a script. The digital signature protects a user who accesses the software in the following two ways The digital signature identifies the publisher of the software, allowing you to make an informed choice whether to allow or prevent software installation. The digital signature allows you to determine...

Pointto Point Tunneling Protocol PPTP

Point-to-Point Tunneling Protocol (PPTP) encapsulates the Point-to-Point Protocol (PPP) datagrams in a modified version of Generic Routing Encapsulation (GRE). (See Figure 19-1.) In addition to encapsulating the PPP data within a GRE header, PPTP also main tains a TCP connection between the client and the server where the client connects to TCP port 1723 at the VPN server for management of the tunnel. To protect the data transmitted in the PPTP packets, Microsoft Point-to-Point Encryption...

Dedicated HSMs on Offline CAs and Network Attached on Online CAs

If an organization's security policy will not allow offline CAs to be connected to either the corporate network or a private network, you can deploy a combination of dedicated and network-attached HSMs. (See Figure 7-9.) When you combine dedicated and network-attached HSMs, the offline CAs implement dedicated HSMs and are never attached to any form of network. The online CAs are connected to a network-attached HSM on a private network and are dual-homed, which allows connectivity to the...

Chapter Encrypting File System

Does the default EFS Recovery Agent certificate template meet the design requirements for the Lucerne Publishing EFS project Yes. There are no specific design requirements for the enrollment of the EFS Recovery Agent certificate template. By assigning permissions so that only members of the Internal Audit department have Read and Enroll permissions, the enrollment is restricted to approved users. 2. Does the default Key Recovery Agent certificate template meet the design requirements for the...

Other Backup Methods

Rather than performing System State or manual backups, some organizations use alternative methods for disaster recovery. These methods binary backups and HSM backups often depend on the role a CA plays in the CA hierarchy and the methods used to protect the CA's key pair. For offline CAs, some organizations choose to create binary images of the computers. This is done by using disk-imaging software such as Norton Ghost or Symantec Partition Magic. These software packages make a binary-level...

Case Study Questions

Does the default EFS Recovery Agent certificate template meet the design requirements for the Lucerne Publishing EFS project 2. Does the default Key Recovery Agent certificate template meet the design requirements for the Lucerne Publishing EFS project 3. Do the design requirements allow the EFS Recovery Agent and Key Recovery Agent certificate templates to be published only at the Lucerne Publishing Americas CA 4. Does Andy's proposed solution meet the design requirements for designation of...

Creating the Cross Certification Authority Request File

Copy the partner's CA certificate and Policy.inf file to a common folder. 2. At a command prompt, type certreq policy to create the certificate request file that enforces all the qualified subordination conditions defined in the Policy.inf file. 3. In the Open Request File dialog box, in the Files of Type box, select Certificate Files C.cer, *.crt, *.der), select the target CA's certificate, and click Open. 4. In the Open Inf File dialog box, select the configured Policy.inf file and click...

Determining Publication Points

The final technical requirement that must be met in your hierarchy design is determining publication points for both CRLs and CA certificates. The certificate-chaining engine can use the URLs stored in the CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions to determine a certificate's revocation status. At each CA in the hierarchy, you must define publication points for certificates issued by that CA. These publication points allow access to that CA's certificate and...

Chapter Implementing SSL Encryption for Web Servers

Which CA should issue the Web Server certificate for the customer billing system Web site The customer billing system requires a Web Server certificate from a commercial CA so that there is greater trust in the customer billing system Web site. By using a commercial CA, more customers trust the root CA certificate of the Web Server certificate's certificate chain. 2. Which CA should issue the Web Server certificate for the employee benefits Web site The Web Server certificates for the employee...

Info

Tip If the hardware vendor is not available in the listing, choose the standard RADIUS option. Shared Secret A password that identifies the valid WAP. Confirm shared secret Retype the password for verification. Warning Do not enable the Request Must Contain the Message Authenti-cator attribute. 6. Repeat this process for every WAP that uses the IAS server for 802.1x authenti cation. Define a Wireless Computer Remote Access Policy Once you designate all RADIUS clients, you must define a remote...

One Application Two Recovery Methods

With the introduction of Windows Server 2003 PKI, EFS now allows two methods to recover an EFS-encrypted file when a user no longer has access to his or her EFS-encryption private key Data recovery. An EFS Recovery Agent disables EFS encryption. Once the file is decrypted, the user can open the plaintext file and then re-encrypt the file using a newly issued certificate with the Encrypting File System OID. Key recovery. The user's original certificate and private key are recovered from the CA...

Post Installation Configuration

Once the installation of Certificate Services is complete, you should run a post-installation script to ensure that the correct settings are defined for the enterprise root CA. You can use the following script to meet the objectives defined earlier in this section and to apply the default CRL and AIA publication points certutil -setreg ca DSConfigDN Define CRL Publication Intervals certutil -setreg CA CRLPeriodUnits 2 certutil -setreg CA CRLPeriod Days certutil -setreg CA CRLDeltaPeriodUnits 12...

Data Recovery

Data recovery allows a designated EFS Recovery Agent to decrypt all EFS-encrypted files on a computer. By default, where the private key associated with the EFS Recovery Agent certificate exists depends on the domain membership of a computer. If the computer is a member of A domain The EFS recovery agent's certificate and private key are stored in the Administrator's profile of the first domain controller in a domain. When the first domain controller is promoted as a domain controller for the...

Asymmetric Encryption

Asymmetric encryption increases the security of the encryption process by utilizing two separate but mathematically related keys known as a public key and a private key. The encryption process is more secure because the private key is possessed only by the user or computer that generates the key pair. The public key can be distributed to any person who wishes to send encrypted data to the private key holder. Asymmetric encryption's use of two keys and the complexity of the asymmetric encryption...

Dedicated HSMs on Each CA

The most common deployment method for HSMs is to implement a dedicated HSM on each CA in the CA hierarchy. (See Figure 7-6.) The most common deployment method for HSMs is to implement a dedicated HSM on each CA in the CA hierarchy. (See Figure 7-6.) Figure 7-6 Implementing dedicated HSMs at each CA in the CA hierarchy Figure 7-6 Implementing dedicated HSMs at each CA in the CA hierarchy Note This is the most common deployment method only because network-attached HSMs are a recent innovation...

Initial Smart Card

In the case of smart cards, it is recommended to create a custom version 2 certificate template based on either the default Smart Card Login or Smart Card User version 1 certificate templates. The version 2 certificate templates give you greater flexibility in the configuration of the certificate contents. Table 15-2 lists the recommended modifications to the version 2 certificate template. Table 15-2 Custom Initial Smart Card Certificate Template Create a custom Template Display Name and...

Identifying Certificate Recipients

Once you have determined what PKI-enabled applications your organization is deploying, you must decide which certificates are required for each application. Typically, certificates are deployed to the following subjects Users. A digital certificate uniquely identifies a user to a PKI-enabled application. A user can be assigned a single certificate that enables all applications or can receive application-specific certificates, such as an EFS encryption certificate that can be used for one...

Remote EFS Encryption Using WebDAV

An alternative to allowing EFS encryption on file servers by using CIFS is to implement WebDAV, or Web folders, at the remote file server. Rather than connecting to the file server on TCP port 445 (or TCP port 139 for the older SMB protocol), the server allows connections through the Hypertext Transmission Protocol (HTTP) port, TCP port 80 or TCP port 443 if Secure Socket Layers (SSL) is implemented. The benefit of using WebDAV is that file encryption takes place on the local computer rather...

Creating a CAPolicyinf File

Even though you are deploying a single CA for the network, it is still recommended that you create a CAPolicy.inf file. The reason for this is to ensure that the configuration settings, which are defined only in the CAPolicy.inf file, are applied to the enterprise root CA. The CAPolicy.inf file for Margie's Travel makes the following assumptions The root CA uses a key length of 2,048 bits. The validity period of the root CA certificate is 10 years. Base CRLs are published every two days. Delta...

The Key Recovery Process

When a user loses access to his or her encryption private key because of any of the reasons given in this chapter, the key recovery process proceeds as in the following steps 1. A certificate manager for the CA that issued the certificate determines the certificate's serial number, which uniquely identifies an issued certificate A certificate manager searches the issuing CA and finds the certificate and private key in the database. 2. The certificate manager extracts the encrypted private key...

Chapter Securing a CA Heirarchy

If you were to script the configuration of auditing settings for the offline CAs, what command would you include in the script to meet the auditing requirements 2. What command is required to meet the audit setting requirements for the online CAs 3. Can you meet the security requirements for the CA hierarchy by implementing either a software-based CSP or a smart card CSP Why or why not No to both. The security policies of the organization require that all CA private key material is protected...

Enable Foreign Certificate Import at the Enterprise CA

You must enable foreign certificate import at the enterprise CA if you are importing certificates from the KMS database that were not issued by that specific enterprise CA. Foreign certificate import is required if the certificates are X.509 version 1 certif icates generated by the KMS or if the KMS service requested the certificates on behalf of a user from another Windows CA. Note The KMS service in Exchange 5.5 and Exchange 2000 could be configured to request certificates from a Windows CA a...

Installing Certificate Services

Once the CAPolicy.inf file and IIS are in place, you can install Certificate Services. Because the issuing CA's certificate request is submitted to the policy CA, the issuance of the subordinate CA certificate occurs at the policy CA. The following assumptions are made about the issuing CA computer It uses the naming scheme defined in Figure 6-1. It has two mirrored partitions and a RAID 5 array drive C for the operating system drive D for the CA log files and drive E, a RAID 5 array, for the...

Combining Oneto One and Manyto One Mappings

If you define both one-to-one and many-to-one mappings, a one-to-one mapping takes precedence. This allows you to define one-to-one mappings for specific users you want to track when they connect to your Web site, yet grants universal access to other users whose certificate matches a many-to-one mapping definition. For example, if you define a one-to-one mapping for Andy Ruth (CN Andy Ruth,OU Employees,DC fabrikam,DC com) and a many-to-one mapping for anyone with a certificate issued by the CA...

Creating the CAPolicyinf File

By default, the CAPolicy.inf file does not exist when you install Microsoft Windows Server 2003. You must manually create the file in the Windows operating system folder ( windir folder). When you install Certificate Services, the operating system applies any settings defined in the CAPolicy.inf file. Note A CPS is considered to be effective for the CA in which the CPS is defined and for all subordinate CAs. Warning Be sure the file is named CAPolicy.inf and is stored in the windir folder. It...

Guidelines for Qualified Subordination Conditions

When planning qualified subordination conditions in either a Policy.inf or CAPol-icy.inf file, follow these guidelines Define only the required conditions. If you do not see a need for restricting certificate policies, do not define them. Exclude your namespace in all name constraints. By excluding your namespace in the Cross Certification Authority certificate, you prevent the partner organization from issuing unauthorized certificates representing your users, computers, or network devices....

Choosing Among Automatic Enrollment Methods

Autoenrollment lowers the cost of a PKI by reducing the time and effort required to deploy certificates. Table 12-2 shows the automatic enrollment methods available for common deployment scenarios. Table 12-2 Automatic Enrollment Methods Automatic deployment of certificates to computers Automatic deployment of certificates to users Automatic renewal of expired certificates V1 template Yes V2 template No V1 template No V2 template No V1 template Yes V2 template No V1 template No V2 template Yes...

Publishing an Updated CRL

Once all of the configuration changes are made to a CA, including the definition of CDP and AIA extensions, you must restart Certificate Services to enable the changes. Because the CDP extension allows you to modify the CRL location, it is advisable to copy the CRL to a floppy disk when configuring offline CAs. The following combination of commands enables the restart of Certificate Services, publishes an updated CRL, and copies the updated CRL to the floppy drive. net stop certsvc & net...

Microsoft Exchange Modifications

As mentioned, Exchange Server 2000 defines three non-RFC-compliant attributes for the inetOrgPerson object. The modifications shown in Table 4-1 prevent mangling of the LDAP display names for these attributes. If you do not modify these attributes before you apply the Windows Server 2003 schema update, the LDAP display name will be modified. For example, the LDAP display name for the MS-Exch-Assistant-Name attribute will change from Secretary to something similar to The method for protecting...

Single Tier CA Hierarchy

Some organizations require only basic public key infrastructure (PKI) services. Typically, these are organizations with fewer than 300 user accounts in the directory service. Rather than deploying multiple CAs, a single CA is installed as an enterprise root CA. The enterprise root CA is not removed from the network. Instead, the computer is a member of the domain and is always available to issue certificates to requesting computers, users, services, or networking devices. A single-tier CA...

Chapter Virtual Private Networking

What authentication protocol must be enforced for VPN communications to meet the initial authentication requirements MS-CHAPv2 must be enforced for the initial authentication requirements. MS-CHAPv2 provides the ability to type the user name and password for authentication and enforce mutual authentication between the VPN user and the RADIUS server. 2. What certificates are required for the initial VPN solution Provide your answers in the following table VPN User No certificates required VPN...

Renewing a Smart Card

If your organization's security policy requires the same subject validation process for initial smart card enrollment and renewal, you can use the custom certificate template just described. When a smart card certificate is expiring, users can return to the enrollment agent, who can re-enroll on their behalf, providing them with a replacement certificate. If your company uses Windows XP computers, there is an alternative that takes advantage of autoenrollment and the ability to sign a...

Enabling Auditing at the CA

You can enable auditing on a CA in Windows Server 2003 to provide an audit log for all Certificate Services management tasks. To enable auditing, you must ensure that both success and failure auditing are applied to either the Local Security Policy of an offline CA or a Group Policy object (GPO) applied to the organizational unit (OU) containing the CA's computer account for an online CA. All Certificate Services auditing is reported to the security log in Event Viewer. The following auditing...

Sample CAPolicyinf Contents

You can implement defined settings when you create a CAPolicy.inf file, depending on which CA in the CA hierarchy you apply the file to. A template for the CAPolicy.inf file follows PolicyStatementExtension Policies LegalPolicy Critical 0 Notice Legal policy statement text. URL AuthoritylnformationAccess Empty true URL http 1 Public My CA.crt URL ftp ftp.example.com Public MyCA.crt URL file 1 Public My CA.crt Critical false URL http 1 Public My CA.crl URL ftp 1 Public MyCA.crl URL file 1 Public...

Types of CRLs

The Windows Server 2003 public key infrastructure (PKI) supports two different but related types of CRLs base CRLs and delta CRLs. A base CRL contains the serial numbers of certificates revoked by the CA that are signed with the CA's private key. If you renew a CA's certificate with a new key pair, the Windows Server 2003 CA maintains two separate CRLs one for each key pair maintained by the CA. Base CRLs are recognized by all versions of the Windows operating system. A delta CRL contains only...

Import the Exchange KMS Database into Enterprise CA Database

Once the export file or export files are copied to the file system of the target enter prise CA, you can import the export file(s) into the enterprise CA database. Use the following procedure to import the certificates and private keys from the KMS export file(s). 2. Make the folder that contains the export file(s) the current directory. 3. At the command prompt, type certutil.exe -f -importkms ExportFile for each ExportFile in the current directory. 4. Ensure that the output of the certutil...

Certificate Enrollment Methods

Windows Server 2003 Certificate Services provide several methods for enabling certificate enrollment. The methods range from manual methods that are initiated by a user performing the certificate request to automatic methods where the certificate request is initiated by Group Policy or a login script. The available certificate enrollment methods include Certificate Services Web Enrollment pages. These Web pages allow a user to request both user and computer certificates from a Web browser....

Case Study Margies Travel

You manage the network for Margie's Travel, a travel agency in Seattle. The network implements a single enterprise root CA for its PKI, as shown in Figure 20-3. Figure 20-3 The Margie's Travel CA hierarchy Figure 20-3 The Margie's Travel CA hierarchy Margie's Travel has changed locations each year as the business has expanded. Due to the high costs involved in rewiring the new office each time Margie's Travel changes locations, you are considering implementing wireless networking to reduce the...

Implementing the Policyinf File

The Policy.inf file defines the qualified subordination conditions in a Cross Certification Authority certificate request. The conditions only include the conditions required for establishing a relationship between your CA hierarchy and the partner's CA hierarchy. Does not exist by default. The Policy.inf file must be created and defined manually. Can exist in any folder on the network. Unlike CAPolicy.inf, the Policy.inf file must be accessible to the person generating the Cross Certification...

Implementing Qualified Subordination

This section will describe the steps involved in cross certifying your organization's CA hierarchy with a partner's CA hierarchy. The first step is to create a Qualified Subordination Signing certificate template. By default, there is no certificate template that meets the requirements for qualified subordination requests, so a custom version 2 certificate template must be created. The certificate template must include the Qualified Subordination application policy OID...

Ras An Ias Server Certificate Best Practice

Allow only MS-CHAPv2 or EAP TLS authentication for remote access clients. Only MS-CHAPv2 and EAP TLS allow mutual authentication between VPN client and authentication server. In addition, MS-CHAPv2 and EAP TLS provide the strongest protection for a user's credential information. Allow only strong encryption for remote access clients. Ensure that the remote access policy enforces the strongest form of encryption to ensure that connections use 128 bit MPPE for PPTP connections and 3DES for L2TP...

Creating a Certificate Template

The first step in defining a certificate mapping in Active Directory is to design a certificate template that allows a user to authenticate in a Web browser. The user certificate must meet the following requirements The certificate must be a signing certificate that implements the Digital Signature key usage. The certificate must include the Client Authentication (1.3.6.1.5.5.7.3.2) object identifier (OID). Note The default User Signature Only meets these requirements without providing...

Additional Information

Microsoft Official Curriculum, Course 2821 Designing and Managing a Windows Public Key Infrastructure 2821afinal.asp) Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure Troubleshooting Certificate Status and Revocation (http www.microsoft.com Windows Server 2003 Resource Kit Tools Knowledge Base Article 272555 Certificate Services in a Non-Active Directory Environment Installation and Issuing Certificates Knowledge Base Article 246242 Information About...

Chapter Creating Trust Between Organizations

Which CA in the production hierarchy must be issued the Cross Certification Authority certificate to meet the design requirements It must be issued to The Phone Company South CA. If you issue the Cross Certification Authority certificate to The Phone Company Policy CA, certificates could be trusted from The Phone Company Policy CA and its two subordinate CAs The Phone Company North CA and The Phone Company South CA, subject to any defined basic constraints. 2. What CA must be used to issue the...

Preventing Incorrect Modification of the LDAP Display Names

It is possible to prevent incorrect modification of the attributes by running a script that modifies the LDAP display names prior to the application of Windows Server 2003 schema modifications. Use the following process to modify the Exchange Server 2000 attributes 1. Identify the schema operations master for the forest. You can do this by performing the following steps a. Install the Adminpak.msi on a Windows XP or Windows Server 2003 domain member computer from the i386 folder of the Windows...

CAPolicyinf File Sections

Within the CAPolicy.inf file, there are several predefined sections, each of which defines specific settings for Certificate Services. These sections and related decisions regarding their contents are outlined here, as well as whether the section applies to root CA installations, subordinate CA installations, or to both root and subordinate CA installations. The Version section defines that the .inf file uses the Windows NT format. This section must exist for both root and subordinate CA...

Chapter Implementing a CA Heirarchy

How do you define the key length of 2,048 bits for the root CA during installation of the root CA The key length must be entered in the Certificate Services Installation Wizard. 2. How do you ensure that the key length will remain 2,048 bits when the root CA's certificate is renewed In the CAPolicy.inf file, in the certsrv_server section, you must add the entry renewalkeylength 2048. 3. What entries are required in the CAPolicy.inf file to define the required base CRL and delta CRL publication...

Chapter Deploying Certificates

Assume that a custom version 2 certificate template is created for code signing that requires CA certificate manager approval. What enrollment method should you use for deploying the custom code signing certificates to the three members of the Quality Assurance team The Certificate Services Web Enrollment site method is recommended because the Web site implements cookies to allow the user to return and complete a pending certificate request. 2. Assume that a custom version 2 certificate...

Publishing to Active Directory

The certificate object is published automatically into the CN AIA,CN Public Key container as a CrossCA object. The certificate is never distributed to the target CA in the other organization's CA hierarchy. Instead, it is downloaded via autoenrollment to all domain member computers so that the Cross Certification Authority certificate can be used to build certificate chains between the two CA hierarchies. This allows recognition of the partner CA's certificates that meet the qualified...

Enabling ActiveX Controls

The Certificate Services Web Enrollment site must be defined as a Local intranet site for all computers in the forest. This allows the automatic passing of authentication credentials to the CA by using Windows Integrated authentication. In addition, the download settings for ActiveX controls must be modified to allow the activation and use of required ActiveX controls. Note For smart card deployment, the ActiveX control settings are only required at the smart card enrollment station. But, if...

Chapter Primer to PKI

What version is the certificate The certificate is an X.509 version 3 certificate. You can verify this by viewing the Version field on the Details tab. 2. What is the name of the issuing CA The name of the issuing CA is CN adatumCA,DC adatum,DC msft. You can verify this by viewing the Issuer field on the Details tab. 3. What is the subject name of the certificate The subject name of the certificate is CN SCUser1, OU Module09, OU Labs, DC adatum, DC msft. You can verify this by viewing the...

Defining Application Policies

When you issue a Cross Certification Authority certificate, you can configure a Policy.inf file to specify which application policy OIDs are permitted in partner-issued certificates. Likewise, you can define a CAPolicy.inf file to specify which application policy OIDs are permitted in root certification authority certificates. To configure application policies in a Policy.inf or CAPolicy.inf file, create the following sections Policies AppCodeSign, AppCTL, AppClientAuth CRITICAL FALSE OID...

Contents

1 Basics of C ryptography 3 Encryption Algorithms and Data Symmetric Asymmetric Combining Symmetric and Asymmetric Encryption 10 Digital Signing of The Hash Hash Combining Asymmetric Signing and Hash Algorithms 13 Case Study Microsoft Applications and Their Encryption Algorithms 14 Opening the EFS White Case Study Additional X.509 Version X.509 Version X.509 Version Certification Root Intermediate Policy Issuing Certificate Revocation Types of What Uo ynn think of thic hnnk Microsoft is...

Chapter Role Separation

The backup software implemented by Tailspin Toys uses a centralized backup services account. When reviewing the event logs, the backup operator notices that the backup fails every night on the two issuing CAs. On inspecting the event logs further, the backup software reports that the failed backup item is the System State backup. What is the likely cause of the error The backup services account is assigned two or more of the Common Criteria roles. Typically, the issue is that the account is...

Resource Kit Support Policy

Microsoft does not support the tools and scripts supplied on the Microsoft Windows Server 2003 PKI and Certificate Security companion CD. Microsoft does not guarantee the performance of the tools or scripting examples, or any bug fixes for these tools and scripts. However, Microsoft Press provides a way for customers who purchase this book to report any problems with the software and receive feedback on such issues just send e-mail to mspinput microsoft.com. This e-mail address is only for...

Enabling Outlook

Both Outlook 2002 and Outlook 2003 automatically use available e-mail signing and e-mail encryption certificates if the certificates exist in the user's profile. You can verify the existence of the certificates, and define the encryption and signing algorithms using the following procedure 2. On the Tools menu, click Options. 3. In the Options dialog box, on the Security tab, click Settings. 4. In the Change Security Settings dialog box see Figure 18-4 , ensure that the following settings are...

Export the Exchange KMS Database

Once you have enabled the enterprise CA for foreign certificate import, you can start the export process Warning The export of data from the KMS database is a destructive process that removes the certificate and private keys from the KMS database. To protect against accidental loss of data, ensure that you perform and verify a backup of the KMS server before starting the export process. 1. If the KMS is configured to request certificates from an existing enterprise or standalone CA, stop...

Smart Cards and Kerberos

Smart cards allow Kerberos authentication through Public Key Initialization PKINIT extensions to the Kerberos protocol. PKINIT extensions allow a public private key pair to be used to authenticate users when they log on to the network. The Kerberos authentication process is comprised of three related message exchanges 1. Authentication Service AS Exchange. This initial message exchange is used by a domain controller to provide a user with a logon session key and a Kerberos ticket-granting...

Chapter Code Signing

Does the Code Signing certificate template meet the design requirements What must you do to meet the design requirements No. The Code Signing certificate template has a one-year validity period and does not implement any issuance requirements. You must create a custom version 2 certificate template based on the Code Signing certificate template. In the following table, define the settings on the General tab to meet the design requirements for your custom Code Signing certificate template....

Chapter Designing Certificate Templates

What MMC console do you use to perform certificate template management The Certificate Templates certtmpl.msc console. 2. Does the default Code Signing certificate template meet the design requirements No. The Code Signing certificate template has a one-year validity period and does not implement any issuance requirements. 3. Can you modify the default Code Signing certificate template If not, what would you do No. The Code Signing certificate template is a version 1 certificate template....

Publishing Certificates at the Issuing CA

If you have not published the root and policy CA certificates into Active Directory or to the HTTP URLs included in the certificates issued by the root and policy CAs, you can manually publish the certificates into the issuing CA's local machine store. This process is similar to the one used to publish the root CA certificate and CRL at the policy CA. The difference is that both root and intermediate CA certificates are published at an issuing CA. The following script publishes the root CA...

Planning Deployment of Code Signing Certificates

The deployment of a Code Signing certificate within an organization involves designing the Code Signing certificate template and planning how to deploy the certificates to the developers who perform the code signing operations. Important If you are signing applications or code that will be used by peo ple outside of your organization, it is recommended that you obtain the Code Signing certificate from a commercial vendor, such as VeriSign. This increases the amount of confidence in your...

Building Certificate Chains

The certificate chaining engine builds chains by inspecting specific extensions in a presented certificate. There are different processes the certificate chaining engine uses to determine the issuing CA's correct certificate. The actual selection is based on the current certificate's attributes. Specifically, the certificate chaining engine examines a combination of the following certificate fields and X.509 version 3 certificate extensions Authority Key Identifier AKI extension. The matching...

Choosing Publication Points

Once you choose the publication protocols, you must choose where to publish the CA certificates and CRLs. The location decision includes the physical servers where you publish the files and the servers on the corporate network intranet or extranet. Choose publication points according to the following rules If most computers are running Windows 2000 or later and are members of the forest, you should include an LDAP URL that references the Active Directory Configuration naming context. This...

Custom Certificate Policies

In many cases, an organization creates its own custom OIDs for certificate policies. This allows the organization to define certificate policy OIDs in its organization's OID space rather than use the default Microsoft OIDs. Note For more information on obtaining an OID tree for your organization, review Chapter 6, Implementing a CA Hierarchy. Custom certificate policies also allow an organization to programmatically define the exact issuance process and certificate usage. For example, an...

Key Recovery Tool

The Key Recovery Tool provides a graphical front end for the certutil command. Certification authority CA .Search Criteria ALL CERTIFICATION AUTHORITIES 3 Requester name domairAuser 3 S elect the search criteria, enter appropriate value, then click InwtradersVadministrator Search to display a list of archived keys S elect the search criteria, enter appropriate value, then click InwtradersVadministrator Search to display a list of archived keys To recover an encryption private key, select the...

Version Certificate Templates

Version 1 certificate templates were introduced with Windows 2000 Certificate Services and are available for Windows Server 2003 enterprise CAs. Attributes of version 1 cer tificate templates cannot be modified, except for the permissions assignments. When you install an enterprise CA or launch the Certificate Templates console, the following version 1 certificate templates are automatically installed in Active Directory Administrator. Allows a holder to perform trust list signing, send secure...

Enabling Key Archival in a Certificate Template

Once the CA is enabled for archival, you can create and publish certificate templates that enable key archival. To enable key archival in a certificate template, the first thing that you must do is set the purpose of the certificate template to either Encryption or Signature and Encryption. Key archival is only possible for certificate templates with these purposes. In fact, if the certificate template's purpose is Signature or Signature and Smart Card Logon, it is not possible to enable key...

Dual Certificates for EMail

Due to the risks of archiving the private key associated with a S MIME signing cer tificate, many organizations choose to implement separate certificates for e-mail signing and encryption. Deploying separate certificates ensures that only the private key associated with the e-mail encryption certificate is archived. If you implement a separate certificate template for e-mail signing, it is recom mended that you duplicate the Exchange Signature Only certificate template. When you separate the...

Defining the Mapping in Active Directory

You might have to define certificate mappings in Active Directory. The decision on whether to define a mapping in Active Directory is often based on the answers to the following questions Is the certificate issued by an enterprise CA in your forest If so, the certificate contains the user's UPN in the Subject Alternative Name extension and the CA's certificate is included in the NTAuth store of Active Directory. This enables the ability to use implicit mappings. Is the certificate issued by a...

The General

On the General tab see Figure 8-3 , you can configure the following attributes of the certificate template Template Display Name. The display name of the version 2 certificate tem plate shown in the MMC, the Certificate Services Web Enrollment pages, and the Certificate Services Enrollment Wizard. Template Name. The name of the PKI-Certificate-Template object created in the CN Certificate Templates,CN Public Key Validity Period. Defines the certificate template's validity period. Renewal...

Certificate Policy Example

An excellent example of certificate policy is the X.509 Certificate Policy for the United States Department of Defense DoD , available at www.defenselink.mil nii The DoD defines five classes of certificates in its certificate policy document. The distinction between the various classes is based on the following variables The measures taken to validate the subject's identity The value of transactions allowed for a certificate class The type of storage required for the private key material A...

Determining Certificate Validity Periods

A certificate has a predefined validity period that comprises a start date and time and an end date and time. An issued certificate's validity period cannot be changed after certificate issuance. Determining the validity period at each tier of the CA hierarchy, including the validity period of the certificates issued to users, computers, services, or network devices, is a primary step when defining a CA hierarchy. The recommended strategy for determining certificate validity periods is to start...

Requesting the Key Recovery Agent Certificate

The following process performs the initial certificate request for the Key Recovery Agent certificate. The process assumes that the certificate template has the default settings, though the permissions are defined to allow a custom global or universal group Read and Enroll permissions 1. Log on to the domain from a Windows 2000 or Windows XP computer with an account assigned Read and Enroll permissions for the Key Recovery Agent certificate template. 2. Open Microsoft Internet Explorer. Note...

Reinstalling Certificate Services

The first step in restoring the CA computer is to ensure that Certificate Services is installed correctly and can be started and stopped. If you have a good backup of Certificate Services, whether the backup is a System State backup or a manual backup, you must first reinstall Certificate Services using the same certificate and key pair. To reinstall Certificate Services, ensure that the CA certificate and private key are available to the CA. For a software-based CSP, a local administrator of...

Extending the Schema

A Windows 2000 domain must be upgraded to the Windows Server 2003 schema to support some of the new features in a Windows Server 2003 PKI. These features include Support for version 2 certificate templates. The Windows Server 2003 schema includes the definition of the version 2 certificate template object. Version 2 certificate templates allow customization of certificate content. Support for delta certificate revocation lists CRLs . A delta CRL contains the certificates revoked since the...

Network Attached HSMs on Each CA

Hsm Location Network

With the introduction of network-attached HSMs, it is now possible for an organization to deploy a single HSM for the entire network or at each location that hosts CA computers, sharing the HSM among multiple CAs. One possible deployment scenario is to connect the HSM to a corporate network. See Figure 7-7. Figure 7-7 Implementing a network-attached HSM for all CAs in the hierarchy Figure 7-7 Implementing a network-attached HSM for all CAs in the hierarchy When you implement a network-attached...

Local EFS Encryption

Once an EFS encryption certificate is designated, the EFS encryption process can begin. See Figure 16-1. Figure 16-1 The EFS encryption process 1. A user must choose to encrypt a file. This can be done by enabling an individual file for EFS encryption or by creating a file in a folder that is enabled for EFS encryption. 2. The user's computer generates a random encryption key, called a File Encryption Key FEK , used to encrypt the file. The symmetric encryption algorithm used by the FEK depends...

Revocation Reasons

When a certificate is revoked, the CRL entry can contain further information about the revocation. The reason codes can include Key Compromise. The private key associated with the certificate has been stolen or otherwise acquired by an unauthorized person, such as when a com puter is stolen or a smart card is lost. CA Compromise. The private key of a CA has been compromised. This can occur when the computer running Certificate Services or the physical device that stores the CA's private key is...

Enforcing Common Criteria Role Separation

Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, allow you to enforce Common Criteria role separation. By enforcing role separation, Certificate Services blocks any user account assigned two or more Common Criteria roles from all Certificate Services management activities. For example, if a user is assigned both the CA administrator and certificate manager roles, the user cannot perform the tasks defined for either role. If a user is assigned multiple roles,...

Case Study Adventure Works

You manage the network for Adventure Works, a travel agency in New York that specializes in radical vacation trips. The organization implements the CA hierarchy shown in Figure 18-6. OU c 1998 VeriSign, Inc. - For authorized use only OU Class 3 Public Primary Certification Authority - G2 O VeriSign, Inc. C US CA Type Enterprise Subordinate CA CA Name Adventure Works Issuing CA CA Computer Name ADVCA01 CA Validity Period 10 Years Figure 18-6 The Adventure Works CA hierarchy To provide increased...

Private Key Stored in the Local Machine Store

If the CA's private key is stored in the Local Machine store of the CA computer, by default it is possible for any member of the local Administrators group to export the CA's private key to a PKCS 12 file. If the CA is a domain member, as is typical for online CAs, the local Administrators group of the CA computer will also include the Domain Admins group from the domain where the CA's computer account exists and could also contain the forest root domain's Enterprise Admins group and other...

Implementing an Enterprise Root CA

Some organizations do not require the security enhancements of a multi-tier CA hierarchy. They only use a CA to issue certificates for the computers, users, services, and network devices on their network. There is no need for redundancy or to provide a high-assurance trust model. In these circumstances, a CA hierarchy consisting of a single CA can be deployed. An example of this is the CA hierarchy for Margie's Travel. See Figure 6-2. Note It is always recommend to use Windows Server 2003,...

Modifying Version Certificate Template Permissions

Version 1 certificate templates allow the permission settings for the certificate tem plate to be modified. You cannot modify the contents of a version 1 certificate tem plate, however. Figure 8-1 shows the Security tab for a version 1 certificate template. eneral Request Handling Subject Name Extensions Corp_Enrollment_agents REDMOND Corp_Enrollment_agents j Enterprise Admins CORPVEnterprise Admins j OU-ITGCA-Admin REDMOND OU-ITGCA-Admin Peimissions for Authenticated Users Allow or special...

Name Constraints

Name constraints define the namespaces that are allowed or disallowed in certificates issued by CAs subordinate to the CA that issues the Cross Certification Authority certificate. For example, if you want to implement name constraints on a CA owned by A Datum Corporation, you can define allowed namespaces for all forms of the Adatum.msft domain used in certificates you wish to recognize. This can include the following formats DirectoryName DC Adatum,DC msft Note You must define each name...

Submitting the Cross Certification Authority Request

Once the CMC certificate request file is generated, it must be submitted to an enterprise CA to request the Cross Certification Authority certificate. The Cross Certification Authority certificate template must be published at the CA where the request is submitted. Use the following procedure to submit the request 1. Open the Certification Authority console. 2. In the console tree, right-click CAName where CAName is the name of the enterprise CA , point to All Tasks, and click Submit New...

Revoking a Certificate

To revoke a certificate, a user must be designated as a certificate manager by assigning the user or a group the user is a member of the Issue and Manage Certificates permission at the issuing CA. The permission assignment is performed by a CA Administrator or a user assigned the Manage CA permissions. You can use the following process to verify the permission assignment 2. From Administrative Tools, open the Certification Authority console. 3. In the console tree, right-click CAName where...

Designing CA Configuration Security Measures

CA configuration security measures refer the configuration of Certificate Services or the configuration of the Microsoft Windows Server 2003 operating system. Measures you can take to configure CA configuration security include Defining security templates for both offline and online CAs. Security templates allow you to define baseline security configuration for a category of server computers, such as CAs. Settings that should be considered for inclusion in a CA security template are Disable...

Choosing Publication Protocols

Determining the protocols used for CA certificate and CRL retrieval is the first step in choosing publication points. The following protocols are available with Windows Server 2003 PKI HTTP. The Hypertext Transfer Protocol HTTP provides the most flexibility. Almost all client computers have a Web browser installed that allows access to HTTP URLs. The HTTP protocol is also useful when computers that are not members of the forest require access to the CA certificate or CRL. The CA certificate and...

CAPolicyinf File

The CAPolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever you renew a CA certificate. The CAPolicy.inf file defines settings specific to root CAs, as well as settings that affect all CAs in the CA hierarchy. The CAPolicy.inf file provides the following information for a root CA Certificate revocation list CRL publication points. When validating a certificate chain, the certificate chaining engine must validate every...

Layer Two Tunneling Protocol LTP with IP Security

Layer Two Tunneling Protocol L2TP combines the strengths of PPTP and Cisco's Layer Two Forwarding L2F . When using L2TP, the original PPP data is encapsu lated in an L2TP header, and then the combined PPP data and L2TP header is encap sulated in a User Datagram Protocol UDP header connecting to UDP port 1701 at both the client and the server. See Figure 19-2. L2TP does not have a built-in encryption mechanism like PPTP. To provide encryption for L2TP communications, Internet Protocol Security...

Enabling and Disabling EFS

An organization might not want to allow EFS encryption on all Windows 2000 or Windows XP network computers, preferring instead to enable EFS encryption for specific OUs or domains. To enable EFS encryption on a Windows 2000 computer, you must ensure that an EFS recovery policy is implemented at the domain or OU containing the computer account that designates one or more EFS Recovery Agent certificates. Windows XP can implement EFS encryption without designating an EFS Recovery Agent. Note In a...