Overview of Certificate Templates

Certificate templates are the sets of rules and settings that define the format and content of a certificate based on the certificate's intended use. Certificate templates also provide the client with instructions on how to create and submit a valid certificate request. In addition, certificate templates define which security principals are allowed to read, enroll, or autoenroll for certificates based on that template. Certificate templates are configured on a CA and are applied against the...

Questions and Answers

1. By default, how often does IPSec regenerate Main Mode keys? 8-15 c. Main Mode generates a new key every 480 minutes by default, which is equal to 8 hours. 2. Which mode would you use to protect communications between two private networks connected by the Internet? b. You must use tunnel mode to connect two networks. 3. Which mode would you use to protect communications between an IPSec-enabled e-mail client and an e-mail server on a private network? a. While you could theoretically use...

Objective Questions

You are the systems administrator responsible for maintaining 20 computers running Windows Server 2003, Web Edition, at a large Web-hosting company named A. Datum Corporation. You administer each system remotely by means of the Remote Desktop client. Each computer running Windows Server 2003, Web Edition, has a separate partition named drive Z that hosts the i386 installation files. This is so that as components are added or removed you do not have to go down to the server cage and manually...

Correct Answers: E

A. Incorrect: Although this process is known as slipstreaming, this is not the command used to update the files in the Z:\i386 directory. The correct command is update.exe -s:Z:\i386. B. Incorrect: Although the switch applied to the update command is correct, the target folder in this case is the C:\Windows\system32 directory rather than the Z:\i386 directory. The correct command is update.exe -s:Z:\i386. C. Incorrect: Although this process is known as slipstreaming, this is not the command used to...

Software Update Services

SUS, a free download that can be installed on Windows 2000 Server-based and Windows Server 2003-based computers that have Internet Information Services (IIS) installed, provides administrators with a local alternative to the Microsoft Windows Update servers. Using the Automatic Updates client, computers on your network can automatically download and install updates from your SUS server. The easiest way to install IIS is to use the Manage Your Server tool and add the Application Server role. For...

Creating Restricted Groups Policy

Earlier in this chapter, you learned that you can assign rights to computers by using both the groups stored on individual computers and groups stored in Active Directory. It would be difficult, however, to manually add a new IT group that you created in Active Directory as a member of the Administrators local group on every computer in an enterprise. Fortunately, you can use security policies to control local group memberships on domain member computers. Windows Server 2003 includes a security...

Practice Assessing Patch Levels on the Current Network

In this practice, you will assess the patch levels on your network by using both the graphical and command-line MBSA tools. Exercise 1: Assess Patch Levels on the Current Network Using MBSA. In this exercise, you will install MBSA and scan your local network. 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 2. Temporarily connect Computer1 to the Internet, and download MBSA from http 3. Transfer the MBSA setup files to Computer and install MBSA. 4. Start MBSA by...

Securing trusts with SID filtering

Windows grants or denies users access to resources by using access control lists (ACLs). ACLs use security identifiers (SIDs) to uniquely identify principals and their group membership. Every SID is made up of two parts: a domain SID that is shared by all principals for that domain, and a relative ID (RID) that is unique to the principal within the domain. When a principal's credentials are verified during authentication, a process known as the local security authority subsystem (lsass.exe)...

Obtaining SSL Certificates

To use SSL, the server must have a suitable public key certificate. Additionally, some SSL scenarios allow or require the client to use a public key certificate. SSL is one of the most common uses for public key certificates, and, as a result, you can obtain SSL certificates from a wide variety of places. Any organization with a computer running Windows Server 2003 can deploy Certificate Services to issue SSL certificates without any additional cost. These certificates are suitable for intranet...

Inheriting Permissions

When you assign permissions directly to an object, you create an explicit permission. Assigning explicit permissions to every individual folder, file, registry value, and Active Directory object would be a ponderous task. In fact, managing the massive number of ACLs that would be required would significantly impact the performance of Windows Server 2003. To make managing permissions more efficient, Windows Server 2003 includes the concept of inheritance. When Windows Server 2003 is initially...

Q

To script the creation of local or Active Directory-based IPSec policy on computers running Windows 2000, you can use Ipsecpol.exe, a command-line tool that is provided with the Windows 2000 Server Resource Kit. Ipsecpol.exe is not a full-featured command-line or scripting tool (for example, you cannot use Ipsecpol.exe to delete or rename filter lists or filter actions), nor is it supported under any Microsoft standard support program or service. IPSecPol, thankfully, uses syntax that is very...

The MBSA Console

Microsoft Baseline Security Analyzer (MBSA), which was also discussed in Chapter 4, is used to analyze one or more computers for vulnerabilities in two categories: weak security configurations and missing security updates. This section focuses on using MBSA to scan for updates that should have been installed but have not been. After installing MBSA, you can use it to scan all computers on your network or domain for which you have administrator access. To scan all computers on a specific subnet...

Deploying IPSec by Using Active Directory

If your organization has an Active Directory domain, you should almost always use Active Directory to deploy IPSec. The primary tool for building IPSec policies is the graphical user interface provided by the IP Security Policy Management snap-in. You can use the IP Security Policy Management snap-in to create, modify, and activate IPSec policies, and then assign them to a domain, site, or organizational unit (OU) in Active Directory by using the Group Policy Object Editor snap-in. Tip To...

Lesson Understanding the Components of an Authentication Model

In this lesson, you will learn the meaning of the term authentication, and how it differs from authorization. You will understand that network authentication is similar in function to the common methods of authenticating people in the physical world. You will learn how to optimize the security of authentication in Windows Server 2003 environments while ensuring compatibility with every client that will access your network resources. Finally, you will explore the tools provided for...

Practice Deploying IPSec Configurations

In this practice, you will deploy IPSec by using two methods: using an Active Directory GPO and importing a policy from the command line. Exercise 1: Configuring Certificate Services for IPSec Authentication. In this exercise, you will configure Certificate Services to enroll IPSec certificates, enroll Computer1 and Computer2, and then deploy an IPSec policy requiring certificate authentication by using an Active Directory-based GPO. First, install Certificate Services if it is not yet installed...

Practice Configuring IP Security Policies

In this practice, you will configure two types of IP security policies: one for packet filtering and one for authentication and data integrity. Exercise 1: Configure Packet Filtering. In this exercise, you will configure packet filtering on Computer1 to allow all traffic from the 192.168.1.0 network, but to allow only Web requests from other networks. First, you will create two IP filter lists to identify internal traffic and Web traffic from any network. 1. Log on to the cohowinery.com domain on...

Event Viewer

As with many features of Windows Server 2003, you can configure IPSec to add events to the event logs. This is useful for verifying that IPSec is functioning correctly, for troubleshooting problems with IPSec, and for detecting successful or unsuccessful intrusion attempts. IPSec can generate events for two types of actions: successful and unsuccessful negotiations, and dropped packets. Off the Record: I'm not a fan of using Event Viewer to troubleshoot IPSec problems. The fact is, the events...

Configuring Wireless Clients

The first step to configure a wireless client is to ensure that the computer has the software required to authenticate and connect to your wireless network. Computers running Windows 2000 require the Microsoft 802.1X Authentication Client, available from Additionally, you must start the Wireless Zero Configuration service and set its startup type to Automatic. If you plan to use WPA with any Windows client, including Windows XP and Windows Server 2003, you must install the Windows WPA client...

Correct Answers: D

A. Incorrect: Remote access policies are not configured by GPO. They are configured on a Routing and Remote Access server and applied to groups or to individual users. B. Incorrect: Remote access policies are not configured by GPO. They are configured on a Routing and Remote Access server and applied to groups or to individual users. C. Incorrect: This particular remote access policy does not set the encryption level to MPPE 128, but to MPPE 56. Remote access policies can only apply to individual...

Practice Monitoring IPSec

In this practice, you will use several techniques to monitor IPSec traffic on Computer1 and Computer2. Exercise 1: Monitor IPSec with the IP Security Monitor. In this exercise, you will monitor IPSec by using the IP Security Monitor snap-in. 1. Log on to the cohowinery.com domain on Computer2 using the Administrator account. 2. Open a blank MMC console, and then add the IP Security Policy Management snap-in. When prompted to select the computer or domain, select Local Computer. 3. In the right...

Analyzing Group Policy using the registry

When Group Policy objects are applied to a computer, the computer stores important information about the Group Policy objects it is applying in the last place you'd look: the registry. Information about computer policies is stored under the Policy History key. Information about user policies (relating to the currently logged on user) is stored under the Policy History key. To view this information, follow these steps: 1. Click Start, and then click Run. Type Regedit, and then click OK. 2. In the...

Windows Server Certificate Services

A PKI can be used to dramatically increase the security of an organization's network. To make the task of implementing a PKI simpler, Windows Server 2003 includes Certificate Services to help your organization implement PKI. You can use Certificate Services to create a single CA or an entire hierarchy of CAs. Windows Server 2003 also includes several tools for managing CAs, certificates, and certificate... Off the Record: Most applications do not analyze the reason code. If a certificate is...

Certificate Enrollment Methods

A Windows Server 2003 CA provides several methods for certificate enrollment. Your choice of enrollment method for issuing certificates will be dictated by the type of CA that you are requesting the certificate from and whether the client and CA can communicate across a network. For example, a standalone CA does not have the ability to automatically issue a certificate; therefore, autoenrollment is not an option. Additionally, a computer that is not connected to the network cannot automatically...

Deploying Security Templates Using Active Directory

Most environments with security requirements complex enough to require the use of security templates will also deploy Active Directory to simplify the management of the computers. Active Directory makes it easy to deploy a security template to the computers in your domain by using Group Policy. Windows XP, Windows 2000, and Windows Server 2003 use Group Policy to configure a variety of security and non-security settings. All systems have a Local Group Policy which, in the absence of a higher...

Account lockout

You can use the remote access account lockout feature to specify how many times a remote access authentication can fail against a valid user account before the user is denied access. Remote access account lockout is especially important for remote access VPN connections over the Internet. An attacker on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary...

Lesson Analyzing Security Configurations

Over time, security configurations degrade unless they are maintained. When new vulnerabilities are discovered, updates must be applied to protect against attacks. When administrators troubleshoot problems, they might leave a computer in a less secure state than it was in when they began the troubleshooting. Fortunately, Microsoft provides tools to analyze Windows Server 2003 and other recent Windows operating systems for potential security vulnerabilities. This lesson will cover the most...

Certificate Template Usage

Certificates have the potential to be used by a wide variety of applications. After all, a certificate is simply a piece of data. The operating system and the applications are responsible for using that data to perform functions such as encrypting messages and authenticating connections. However, there are many different templates designed to be used for various purposes. To specify how a certificate template can be used, you configure the application policies. Application policies, also known...

Configure Security Templates

Security templates are text files that store policy settings from the Security node in an Active Directory Group Policy. These text files can be imported and applied to GPOs, altering the settings in the GPO to conform to a particular security standard. Because they are text files, security templates are often far easier to manipulate than GPOs. Security templates can be edited in two ways. The first is by using the Security Template snap-in of the Microsoft Management Console. This method is...

Software Restriction Policies

Software restriction policies are a feature in Windows XP and Windows Server 2003 that can be used to regulate unknown or untrusted software. Businesses that do not use software restriction policies put the burden of identifying safe and unsafe software on the users. Users who access the Internet must constantly make decisions about running unknown software. Malicious users intentionally disguise viruses and Trojans to trick users into running them. It is difficult for users to make safe...

Group Scopes

Each group in Windows Server 2003 has a scope attribute, which determines which security principals can be members of the group and where you can use that group in a multidomain or multiforest environment. Windows Server 2003 supports the following group scopes: Tip: Security groups do everything distribution groups do, and more. However, distribution groups should be used whenever possible because they do not become part of a user's security token. This makes the authentication process quicker...

Scenario

A user is attempting to use Web enrollment to install a certificate, using a certificate template that you recently created. After following the instructions you provided for enrollment, the user is receiving the error "Your certificate request was denied," as shown in Figure 7.21. [Figure 7.21: Internet Explorer showing the Microsoft Certificate Services Web enrollment page at http://computer1/certsrv/certfnsh.asp with the message "Your certificate request was denied"]

Exporting Keys

The simplest method for backing up a key pair is to manually export the key, protect it with a password, and store the export media in a secure location. A PKI uses several formats for importing and exporting certificates, certificate chains, and private keys. When a user exports a certificate by using the Certificates console, the Certification Authority console, Certutil.exe, or Internet Explorer, the PKCS #7 and PKCS #12 export formats are available. The PKCS #7 format, also known as the...

Key Recovery

After a key is archived, a key recovery agent can use key recovery to recover a corrupted or lost key. At a high level, the certificate manager retrieves the encrypted file that contains the certificate and private key from the CA database. A KRA then decrypts the private key from the encrypted file and returns the certificate and private key to the user. At a more detailed level, key recovery performs the following process: 1. A certificate manager for the CA that issued the certificate...

Using Group Policy Object Editor

You can use the Group Policy Object Editor snap-in to immediately apply configuration settings to the Local Group Policy object on a computer. To do this, follow these steps: 1. Open a blank MMC console by clicking Start and then clicking Run. Type mmc, and then click OK. 2. On the File menu, click Add/Remove Snap-In. 3. Click Add, click Group Policy Object Editor, and then click Add. The Group Policy Wizard appears. The Local Computer GPO should be selected by default. 5. Expand Local Computer...

Practice Superseding Certificate Templates

In this practice, you will supersede multiple existing certificate templates. Exercise: Superseding Multiple Certificates. In this exercise, you will supersede the User certificate template with a new version 2 certificate template. 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 2. Click Start, click Run, type certtmpl.msc and then click OK. 3. Right-click the User template and then click Duplicate Template. 4. In the Properties Of New Template dialog box,...

Certificate Template Permissions

Certificate template permissions define the security principals that can read, modify, enroll, or autoenroll for certificates based on certificate templates. You must define the permissions for each certificate template to ensure that only authorized users, computers, or group members can obtain certificates based on a certificate template. Planning: Be sure that you know the members of a group before you issue certificates to that group. Improper planning could lead to a security risk caused by...

Authentication Methods

Because dial-up, PPTP, and L2TP all use PPP for authentication, they all support the same authentication methods. There are several authentication methods available. Some you will already be familiar with because they are the same methods used for wireless networks or IPSec. Others are used primarily for authenticating remote access users. When choosing a remote access authentication method, you must first choose between authenticating users against a Remote Authentication Dial-In User Service...

Configuring Client Side Authentication Protocols

You create a remote access connection by using the New Connection Wizard, as described in Lesson 2, Exercise 2. However, the New Connection Wizard does not allow you to configure the acceptable authentication or encryption settings for the connection. To view or modify the authentication protocols enabled for a remote access connection on the client, open the properties dialog box of the dial-up or VPN connection on the client, and then click the Security tab. Note This lesson describes the...

Key Terms

Background Intelligent Transfer Service (BITS): A service that transfers data from the Software Update Services or Windows Update server to the Automatic Updates client with minimal impact on other network services. slipstreaming: The process of integrating a service pack into operating system setup files so that new computers immediately have the service pack installed. 1. By default, where do MBSA and MBSACLI store security reports? 6-13 b. C:\Documents and Settings\username c. C:\...

Deploying Certificate Services for IPSec

Although Kerberos is the simplest way to authenticate IPSec peers, certificates provide greater flexibility for authenticating non-Windows IPSec peers and other computers that are not members of an Active Directory domain. In Windows 2000 and Windows Server 2003, you can use Certificate Services to automatically manage computer certificates for IPSec authentication. IPSec also supports the use of a variety of non-Microsoft X.509 public key infrastructure (PKI) systems. Windows Server 2003 IKE has...

Methods for Updating a Certificate Template

In your CA hierarchy, you might have one certificate template for each job function, such as file encryption or code signing, or a few templates that cover functions for most common groups of subjects. You might have to modify an existing certificate template as a result of incorrect settings that were defined in the original certificate template, or you might want to merge multiple existing certificate templates into a single template. There are two methods for modifying a version 2...

Configuring the Certificate Infrastructure

Regardless of which authentication method you choose, you will need at least one computer certificate to use 802.1X authentication. This certificate must be installed on the IAS servers that will perform RADIUS services. For computer authentication with EAP-TLS, you must also install a computer certificate on the wireless client computers. A computer certificate installed on a wireless client computer is used to authenticate the wireless client computer so that the computer can obtain network...

Resultant Set Of Policy snap-in

The Resultant Set Of Policy (RSoP) snap-in provides a familiar user interface that shows you the effective setting for each of the security template policies. It is an excellent way to verify that the settings you've configured in your security templates are applied to target systems as you expected. If a policy setting is not what you expected, RSoP identifies the Group Policy object responsible for defining the policy. Figure 3.10 shows RSoP displaying password policies.

IP Security Monitor Snap-In

IP Security Monitor is a Windows XP and Windows Server 2003 snap-in used to monitor and troubleshoot IPSec. If an IPSec policy is active, you can use this console to examine the policy and its operations. Information in the IP Security Monitor snap-in is divided into three nodes: Active Policy, Main Mode, and Quick Mode. The Active Policy node, as shown in Figure 9.4, displays information about the currently assigned policy. This information includes the policy's name, last modified date, and...

Troubleshooting SSL

Troubleshooting SSL-encrypted connections is difficult because, like IPSec connections, the traffic is encrypted. In some ways, troubleshooting SSL is even more difficult than troubleshooting IPSec because of the wide variety of Web browser clients that need to be able to analyze your public key certificate and establish an HTTPS connection to your Web server. Though the problems are much less frequent than they were in the late 1990s when the use of HTTPS was only beginning to gain popularity,...

Deploying IPSec Using Scripts

If a computer is not a member of a Windows 2000 domain or a Windows Server 2003 domain, it cannot retrieve IPSec policy from Active Directory. However, as Chapter 8 described, you can use the Netsh, Ipseccmd.exe, and Ipsecpol.exe command-line tools to create IPSec scripts. You can then include these scripts as startup scripts for each computer on your network. You can use Ipsecpol.exe only on computers running Windows 2000, Ipseccmd.exe only on computers running Windows XP, and the Netsh...

Exercise: Creating a Certificate Using the Certificates Snap-in

In this exercise, you will create a certificate by using the Certificates snap-in. To do so: 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 2. Click Start, and then click Run. Type mmc, and then click OK. 3. Click File, and then click Add/Remove Snap-In. 4. Click Add. In the Add/Remove Snap-In dialog box, click Certificates, and then click Add. 5. Click My User Account, and then click Finish. Click Close, and then click OK. 6. Expand Certificates, and then...

Publishing CRLs

If you need to download a file from a server, you might access the file in several different ways. If you're logged onto the computer locally, you would use Windows Explorer to navigate to the folder containing the file. If you were on a different computer on the same network, you might map a drive to the server and download the file from a shared folder. If the server was behind a firewall and running IIS, you could open a Web browser to retrieve the file. Having multiple ways to retrieve a...

Many-to-one client certificate mapping

Many-to-one certificate mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as the issuer or subject. This mapping does not identify individual client certificates; it accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all the same user information, the existing mapping will still work. Certificates do not need to be exported for use in many-to-one mappings. To add...

Practice Configuring a CA Hierarchy

In this practice, you will configure Computer1 as a root CA and Computer2 as a subordinate CA. To complete these exercises, Computer1 and Computer2 must both be domain controllers in the same domain, as described in the Before You Begin section of this chapter. In this exercise, you will install Certificate Services on Computer1 and configure Computer1 as an enterprise root CA. 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 2. Open Add Or Remove Programs in...

Troubleshooting CRL Publishing

You might occasionally discover a client that does not have a published CRL that the client should have retrieved. While publishing and retrieving CRLs is designed to be as automated as possible, you do have the ability to manually publish and retrieve CRLs for troubleshooting purposes. Certutil.exe is a command-line program that is installed along with Certificate Services. It provides a useful interface to a wide variety of Certificate Services functionality. To manually retrieve the latest...

Info

Off the Record: There's one way to use multiple security policies on a single computer: by using virtual machines. I use virtual machines extensively to run multiple instances of different operating systems on a single computer simultaneously. Enterprises often use virtual machines in servers to avoid conflicts between server applications, such as the limitation of having a single IPSec policy applied to a computer. I use Microsoft Virtual PC 2004. You can find information about this software at...

Authentication methods used with trusts in Windows Server

Because trusts allow you to facilitate access to resources in a multidomain environment, it is important that you use the most secure authentication protocol whenever possible when creating trusts between domains and realms. You also need to understand the various authentication types associated with each trust type. For example, if you have secured your authentication in your organization to accept only Kerberos authentication, an external trust to a Windows NT 4.0 domain will fail because a...

Certificate Revocation List Checking

As you learned in Chapter 7, certificate servers issue Certificate Revocation Lists (CRLs) to update clients when certificates are revoked. For a client computer to validate a certificate completely, it must check the CRL to verify that the certificate has not been revoked by the issuer. Because the standards for checking CRLs were still evolving when Windows 2000 was released, computers running Windows 2000 do not automatically check CRLs for certificates used in IPSec authentication. If you...

Configuring IAS

IAS is a component of Windows Server 2003 that provides RADIUS services capable of authenticating users based on information contained within Active Directory. When configuring the security of a wireless network, you must configure the IAS server to use specific authentication methods and to grant access to authorized users. This configuration is done by using two types of policies: Remote Access Policies (RAP) and Connection Request Policies (CRP). See Also: For more information about IAS, including...

Exercise: Creating a Certificate Using Web Enrollment

In this exercise, you will create a Basic EFS certificate by using the manual Web enrollment process. To request a certificate by using the Web Enrollment Web site: 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 3. In the address bar of Internet Explorer, type http://computer1/certsrv. Click Go. 4. If you are not automatically authenticated, provide your user name and password when prompted, and then click OK. The Web interface for manually enrolling for...