
The Best Damn Windows Server 2003 Book Period- P87

Pages: 10      File type: pdf      Size: 533.16 KB

Document information:

The Best Damn Windows Server 2003 Book Period- P87: The latest incarnation of Microsoft's server product, Windows Server 2003, brings many new features and improvements that make the network administrator's job easier. This chapter will briefly summarize what's new in 2003 and introduce you to the four members of the Windows Server 2003 family: the Web Edition, the Standard Edition, the Enterprise Edition, and the Datacenter Edition.
Content extracted from the document:
836 Chapter 24 • Planning, Implementing, and Maintaining a Public Key Infrastructure

1. Create an account to be used for key recovery.
2. Create a new template to issue to that account.
3. Request a key recovery certificate from the CA.
4. Have the CA issue the certificate.
5. Configure the CA to archive certificates by using the Recovery Agents tab of the CA property sheet (shown in Figure 24.5).
6. Create an archive template for the CA.

Figure 24.5 Recovery Agents Tab of the CA Property Sheet

Each of these steps requires many substeps, but can be well worth the time and effort. It is worth noting again that key recovery is not possible on a stand-alone CA, because a standalone cannot use templates. It is also worth noting that only encryption keys can be recovered – private keys used for digital signatures cannot be.

Planning CA Security

As we have already discussed, configuring the root CA as a standalone is probably the most important measure you can take to prevent accidental or intentional tampering. With no network connectivity, attacks become virtually impossible, as a user would have to log on while sitting at the physical location of the server. Other security considerations are really more a function of general server security – things such as requiring complex passwords, implementing file encryption and physically limiting access to the server.

In guarding the hierarchy, you cannot solely concentrate on the root CA. After all, if a subordinate CA is tampered with, every entity below it in the PKI hierarchy becomes compromised. Most subordinate CAs are attached to the network. This obviously increases their vulnerability.
Beyond securing the network itself (by using IPSec and group policies, for example), there is another part of a standard PKI that helps maintain CA integrity. That part is certificate revocation, which we will go into in greater detail shortly. Certificate revocation enables an administrator to warn PKI clients about certificates that might not be authentic or that might have been issued by a rogue CA.

Disaster recovery applies to every CA in the hierarchy, but especially at the root. That being said, the importance of performing proper backups cannot be overstated.

Certificate Revocation

A CA's primary duty is to issue certificates, either to subordinate CAs or to PKI clients. However, each CA also has the capability to revoke those certificates when necessary. The tool that the CA uses for revocation is the certificate revocation list, or CRL. The act of revoking a certificate is simple: from the Certification Authority console, simply highlight the Issued Certificates container, right-click the certificate and choose All | Revoke Certificate. The certificate will then be located in the Revoked Certificates container.

When a PKI entity verifies a certificate's validity, that entity checks the CRL before giving approval. The question is: how does a client know where to check for the list? The answer is the CDPs, or CRL Distribution Points. CDPs are locations on the network to which a CA publishes the CRL; in the case of an enterprise CA under Windows Server 2003, Active Directory holds the CRL and for a standalone, the CRL is located in the certsrv\certenroll directory. Each certificate has a location listed for the CDP, and when the client views the certificate, it then understands where to go for the latest CRL.
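The CDP lookup just described, as an added example that is not part of the book's text: a Windows PowerShell function reads the CDP URLs out of a certificate file and then builds the certificate's chain with online revocation checking, reporting a CRL that cannot be fetched or evaluated as a failure rather than a pass. The function names, the file path and the 15-second timeout are assumptions.

```powershell
# Added example (not from the book): read the CRL Distribution Points extension from
# a certificate and check revocation the way a strict PKI client does. Assumes Windows
# PowerShell and a .cer/.crt file path supplied by the caller.
$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-CdpUrls {
    param([Parameter(Mandatory)]$Certificate)
    # OID 2.5.29.31 is the CDP extension; Format($true) renders it as multi-line text
    # in which every distribution point appears as "URL=http://..." or "URL=ldap:///..."
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CertificateRevocation {
    param([Parameter(Mandatory)][string]$Path, [int]$TimeoutSeconds = 15)
    $cert  = New-Object "$X509.X509Certificate2" $Path
    $chain = New-Object "$X509.X509Chain"
    # Online: fetch the CRL from the CDP (Windows reuses a cached copy until its NextUpdate).
    # EntireChain: the issuing CAs are checked too, not only the end-entity certificate.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $built = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    if ($flags -contains 'Revoked') {
        $verdict = 'REVOKED'
    } elseif (($flags -contains 'RevocationStatusUnknown') -or ($flags -contains 'OfflineRevocation')) {
        # No current CRL could be obtained: fail closed instead of trusting the certificate
        $verdict = 'UNKNOWN (treat as invalid)'
    } elseif ($built) {
        $verdict = 'VALID'
    } else {
        $verdict = 'INVALID'
    }
    New-Object PSObject -Property @{
        Subject = $cert.Subject
        Cdp     = @(Get-CdpUrls $cert)
        Verdict = $verdict
        Details = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

# Usage (path is an assumption): Test-CertificateRevocation -Path 'C:\temp\user.cer'
```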
Figure 24.6 shows the Extensions tab of the CA property sheet, where you can modify the location of the CDP.

Figure 24.6 Extensions Tab of the CA Property Sheet

For a CA to publish a CRL, use the Certification Authority console to right-click the Revoked Certificates container and choose All Tasks | Publish. From there, you can choose to publish either a complete CRL or a Delta CRL.

Whether you select a New CRL or a Delta CRL, you are next prompted to enter a publication interval (the most frequent intervals chosen are one week for full CRLs and one day for Delta CRLs). Clients cache the CRL for this period of time and then check the CDP again when the period expires. If an updated CDP does not exist or cannot be located, the client automatically assumes that all certificates are invalid.

Planning Enrollment and Distribution of Certificates

For a PKI client to use a certificate, two basic things must happen. First, a CA has to make the certificate available and second, the client has to request the certificate. Only after these first steps can the CA issue the certificate or deny the request. Making the certificate available is done through the use of certificate templates and is a topic that we discuss in detail below. As for the client, there are three methods of requesting certificates – all three of which are essential to a thorough understanding of PKI: auto-enrollment, the Certificates snap-in, and the Certificates web page. We will discuss each in more detail in the section titled Certificate Requests.

Certificate Templates

A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.
Many built-in templates can be viewed using the Certificate Templates snap-in (see Figure 24.7). The snap-in can be run by right-clicking the Certificate Templates container located in the Certification Authority console and clicking Manage. You can use one of the built-in templates or create your own.

Figure 24.7 Certificate Templates S ...
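The CRL publication interval chosen in the Publish dialog above (one week for the full CRL, one day for the Delta CRL) has a command-line equivalent on the CA itself. The following Windows PowerShell script is an added example, not the book's own, and assumes it is run with administrative rights on the CA, where certutil.exe and the CertSvc service are present; the function name is an assumption.

```powershell
# Added example (not from the book): set the base and delta CRL publication schedule in
# the CA's registry, restart Certificate Services so the values take effect, publish a
# fresh CRL to the CDPs immediately and read the settings back. Assumes it runs on the
# CA with administrative rights; the defaults match the intervals the text recommends.
function Set-CrlPublicationSchedule {
    param(
        [int]$BaseUnits = 1,
        [ValidateSet('Hours','Days','Weeks','Months','Years')][string]$BasePeriod = 'Weeks',
        [int]$DeltaUnits = 1,
        [ValidateSet('Hours','Days','Weeks','Months','Years')][string]$DeltaPeriod = 'Days'
    )
    # Full (base) CRL: clients cache it for this long before returning to the CDP
    certutil -setreg 'CA\CRLPeriodUnits' $BaseUnits | Out-Null
    certutil -setreg 'CA\CRLPeriod' $BasePeriod | Out-Null
    # Delta CRL: a shorter interval so new revocations reach clients sooner
    certutil -setreg 'CA\CRLDeltaPeriodUnits' $DeltaUnits | Out-Null
    certutil -setreg 'CA\CRLDeltaPeriod' $DeltaPeriod | Out-Null
    # The CA reads these registry values when the service starts
    net stop certsvc | Out-Null
    net start certsvc | Out-Null
    # Publish a new base CRL (and delta CRL, when enabled) now, rather than waiting
    # for the current publication period to run out
    certutil -CRL | Out-Null
    # Read back what the CA will actually use; only the "name TYPE = value" lines are shown
    foreach ($name in 'CRLPeriodUnits','CRLPeriod','CRLDeltaPeriodUnits','CRLDeltaPeriod') {
        certutil -getreg "CA\$name" | Select-String '='
    }
}

Set-CrlPublicationSchedule   # one-week base CRL, one-day delta CRL
```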
