70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Chapter 9: Planning and Managing Certificate Services

Objectives

• Describe the types of cryptography
• Understand how cryptography is used for encryption and digital signatures
• Understand the components of Certificate Services
• Install and manage Certificate Services
• Manage certificates
• Implement smart card authentication

Cryptography

• Cryptography: encrypting and decrypting data so that it can be read only by the intended recipient
• Encrypted messages are unreadable without the key
• Decryption
  • Reverse of encryption
  • Makes the data readable again

Cryptography (continued)

• Four objectives of cryptography
  • Confidentiality
  • Integrity
  • Nonrepudiation
  • Authentication

Cryptography (continued)

• Cryptography uses keys:
  • A key is a large number (when a person has to type one, it is represented as a series of numbers, letters, and symbols)
  • Large and difficult to guess
  • Used with an algorithm to encrypt and decrypt data
• Three types of cryptographic algorithm (the textbook calls all three "encryption"):
  • Symmetric
  • Asymmetric
  • Hash (strictly speaking not encryption, because a hash cannot be reversed)

Symmetric Encryption

• Uses a single shared key for both encryption and decryption
• A computer can symmetrically encrypt large amounts of data quickly
• Used when encrypting files and large amounts of data across network transmissions
• Both parties must already hold the same key, so the key itself has to be distributed securely; in practice this is done with asymmetric encryption

Asymmetric Encryption

• Uses two mathematically related keys: a public key and a private key
• Anything encrypted by the public key can be decrypted only with the private key, and vice versa
• The public key can be published freely; the private key must stay with its owner, because whoever holds it can read messages sent to the owner and sign in the owner's name
• Asymmetric operations are much slower than symmetric ones, so they are normally used to protect a symmetric key or a hash value rather than bulk data

Hash Encryption

• Hashing is unique among the three because it is one-way: the hash value cannot be turned back into the data
• A hash algorithm takes data of any length and produces a fixed-length hash value; no key is involved (a keyed hash such as HMAC adds a secret key to authenticate data, but the plain hash used for digital signatures has none)
• The hash value is a summary, or fingerprint, of the data
• The purpose of a hash value is to detect changes to the data, not to keep it secret; any change to the data produces a different hash value

Uses for Cryptography

• Three common tasks that use different types of encryption are:
  • Encrypting e-mail
  • Ensuring data integrity with digital signatures
  • Securing data communication with Secure Sockets Layer (SSL)

Encrypting E-mail

• Encrypting e-mail ensures that a message in transit cannot be read by unauthorized people
• Uses the public and private keys of the recipient:
  • Sender creates an e-mail message
  • E-mail software encrypts using the recipient's public key
  • Recipient's public key may be published in a directory or given to the sender via e-mail before encryption
  • Encrypted message is then sent to the recipient
  • Recipient's e-mail software decrypts the message using the recipient's private key
• In practice (S/MIME) the message body is encrypted with a one-time symmetric key and only that key is encrypted with the recipient's public key, because asymmetric encryption is too slow for large data

Digital Signatures

• A digital signature is a hash value of the message that is encrypted with the sender's private key and attached to the message
• The recipient recomputes the hash, decrypts the signature with the sender's public key, and compares the two; a match shows that the message has not been modified in transit and that it came from the holder of the private key
• This is important when electronically delivering information such as contracts and agreements
• The public and private keys of the sender are used for a digital signature (the recipient's keys are used for encryption)
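The three operations covered on the preceding slides (asymmetric encryption, hashing, and digital signatures) worked through in Python, as an added example that is not from the textbook or from Windows. It uses textbook RSA built from two Mersenne primes, 2^521-1 and 2^607-1, chosen only so the block runs offline with the standard library; keys built this way are trivially factorable, and raw RSA without padding is not how CryptoAPI, S/MIME or SSL use the algorithm. The session key and contract text are constructed sample data.

```python
"""Asymmetric encryption, hashing and digital signatures with textbook RSA.

Added example, not from the textbook.  The key pair is built from two known
Mersenne primes so the block runs offline; such keys are trivially factorable
and there is no padding, so this is a teaching toy, not a key generator.
"""
import hashlib
from dataclasses import dataclass

# Constructed key material: 2^521 - 1 and 2^607 - 1 are known primes.
P = (1 << 521) - 1
Q = (1 << 607) - 1
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair():
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return PublicKey(n, E), PrivateKey(n, d)


def sha256_int(data: bytes) -> int:
    """Hash value as an integer.  No key is involved: same data, same hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def encrypt(pub: PublicKey, plaintext: bytes) -> int:
    """Encrypt with the recipient's PUBLIC key (the e-mail encryption slide)."""
    m = int.from_bytes(plaintext, "big")
    if m >= pub.n:
        raise ValueError("too long for one RSA block; encrypt a session key instead")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int, length: int) -> bytes:
    """Only the holder of the PRIVATE key can recover the plaintext."""
    return pow(ciphertext, priv.d, priv.n).to_bytes(length, "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    """Digital signature: hash the message, then 'encrypt' the hash with the sender's PRIVATE key."""
    return pow(sha256_int(message), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Recipient: 'decrypt' the signature with the sender's PUBLIC key, compare with a fresh hash."""
    return pow(signature, pub.e, pub.n) == sha256_int(message)


def demo() -> dict:
    pub, priv = make_keypair()
    session_key = b"16-byte-key-demo"                 # constructed sample data
    recovered = decrypt(priv, encrypt(pub, session_key), len(session_key))
    contract = b"Pay Contoso $1000 on 2004-01-15"      # constructed sample message
    sig = sign(priv, contract)
    tampered = contract.replace(b"$1000", b"$9000")   # one changed field in transit
    return {
        "roundtrip_ok": recovered == session_key,
        "signature_ok": verify(pub, contract, sig),
        "tamper_detected": not verify(pub, tampered, sig),
        "hash_changes": sha256_int(contract) != sha256_int(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The same key pair serves both directions: public-key encryption protects a small secret for the key's owner, while signing runs the private-key operation over a hash so that anyone with the public key can check integrity and origin.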

Secure Sockets Layer

• Secure Sockets Layer (SSL) runs on top of TCP and below the application protocol, so it can be used with any application protocol that is designed to communicate with it
• SSL secures communication between Web servers and Web browsers, e-mail clients and e-mail servers, and other service combinations
• Servers are the only participants in SSL that must be configured with a certificate, public key, and private key; a client certificate is optional and is used only when the server requires client authentication

Certificate Services Components

• Certificate Services is the Microsoft implementation of PKI (Public Key Infrastructure)
• A PKI creates and manages public keys, private keys, and certificates
• A PKI using Certificate Services is composed of:
  • Certificates
  • Certification authority (also known as certificate authority)
  • A Certificate Revocation List (CRL)
  • Certificate-enabled applications

Certificates

• A certificate binds information about a user or computer (the subject) to a public key
• A certificate defined by the X.509 standard has fields including:
  • Subject (or user name)
  • Serial number (unique among the certificates issued by that CA; it is what a CRL lists)
  • Validity period
  • Public key
  • Issuer name
  • Issuer signature: the CA signs the other fields with its private key, so any change to them invalidates the certificate

Certification Authority

• A certification authority (CA) is a server that issues certificates to client computers, applications, or users

• The CA is responsible for taking certificate-signing requests from clients and approving them

• As part of the approval process, the identity of the requester is verified

Activity 9-1: Viewing Trusted Root Certification Authorities

• The purpose of this activity is to view the trusted root certification authorities installed by default on Windows Server 2003

Certificate Revocation List

• The certification authority maintains a Certificate Revocation List (CRL), which is a list of certificates issued by the CA that are no longer valid
  • The administrator adds certificates to this list by revoking them
  • Certificates are not added to it automatically
• Each certificate issued by the CA has an expiration date, so an expired certificate never needs to appear on the CRL; clients reject it from its validity period alone

Certificate-enabled Applications

• Windows client computers can store certificates in a central place that can be used by multiple applications
• Many certificate-enabled applications running on Windows use this central Windows certificate store, but some applications store certificates in a private database of their own
• Common applications for certificates include:
  • E-mail clients
  • Web browsers
  • Smart cards

Installing and Managing Certificate Services

• Two classes of CAs
  • Enterprise
  • Stand-alone
• An enterprise CA
  • Integrates with Active Directory
  • Has an expanded feature set
  • Can use certificate templates
  • Certificate creation process can be entirely automated, because the requester's identity is verified against its Active Directory account

Installing and Managing Certificate Services (continued)

• A stand-alone certification authority:
  • Does not integrate with Active Directory
  • Is unable to issue certificates automatically based on a user object in Active Directory
  • By default holds all certificate requests as pending until an administrator manually approves them
  • Cannot use certificate templates
  • Cannot issue certificates used for smart card authentication

Certificate Hierarchy

• Chain of trust through which client computers and applications are assured that a certificate is valid
• Each certification authority in the hierarchy is either a root certification authority (self-signed and trusted directly by clients) or a subordinate certification authority
• A subordinate certification authority is certified by another certification authority
• After certification, the subordinate can issue certificates based on the trusted status of the certification authority that certified it

Installing Certificate Services

• When installing a CA you must choose which type:
  • Enterprise root CA
  • Stand-alone root CA
  • Enterprise subordinate CA
  • Stand-alone subordinate CA
• A root CA signs its own certificate; a subordinate CA must obtain its certificate from a parent CA
• You can configure custom settings for the key pair (cryptographic service provider and key length) and for the CA certificate (validity period)

Activity 9-2: Installing Certificate Services

• The purpose of this activity is to install Certificate Services and configure your server as an enterprise root certification authority

Back Up and Restore Certificate Services

• Certificate Services is normally backed up as part of the daily backup process on Windows Server 2003
• Certificate Services is included in the backup of System State data
• You can also back up and restore just Certificate Services manually, using the CA snap-in (or certutil -backup and certutil -restore)
• A manual backup can include the CA's private key and certificate (password-protected) along with the certificate database; protect the backup as carefully as the CA itself, because anyone holding the key can issue certificates your domain trusts

Activity 9-3: Backing Up Certificate Services

• The purpose of this activity is to perform a manual backup of Certificate Services

Activity 9-4: Restoring the Certificate Services Database

• The purpose of this activity is to perform a manual restore of Certificate Services

Managing Certificates

• Tasks related to issuing and managing certificates are:
  • Issuing certificates
  • Renewing certificates
  • Revoking certificates
  • Publishing a Certificate Revocation List
  • Importing and exporting certificates
  • Mapping accounts to certificates
• A command-line utility, CERTUTIL, can be used to manage both certificates and Certificate Services

Issuing Certificates

• Certificates can be requested using
  • Certificate Request Wizard
  • Certificate Services Web pages
  • Autoenrollment
• The Certificate Request Wizard and autoenrollment are available only for enterprise certification authorities
• Certificate Services Web pages can be used with both stand-alone and enterprise certification authorities

The Certificate Request Wizard

• The Certificate Request Wizard is run by users to request certificates
• The types of certificates that can be requested are controlled by certificate templates
• The administrator can create, configure, and control access to these templates
• Users can request certificates based on the templates on which they have both Read and Enroll permissions

Activity 9-5: Requesting a Certificate

• The purpose of this activity is to request a user certificate using the Certificate Request Wizard

Certificate Services Web Pages

• The Certificate Services Web pages can be used to request certificates from both enterprise certification authorities and stand-alone certification authorities

• IIS is required for the Certificate Services Web pages

Autoenrollment

• Autoenrollment issues certificates automatically
• To enable autoenrollment:
  • Duplicate an existing certificate template using the Certificate Templates snap-in
  • Select Publish certificate in Active Directory
  • On the Security tab, add the required users or groups, and assign them the Read, Enroll, and Autoenroll permissions
  • Enable the new certificate template in the CA snap-in
  • Configure a group policy to enable Enroll certificates automatically

Renewing Certificates

• All certificates are issued with an expiration date
  • If a certificate is compromised, it does not remain usable indefinitely (revocation is still needed to stop its use before the expiration date)
  • If an employee unexpectedly leaves, the employee's certificate stops giving access to company resources after it expires
• To avoid an interruption in service, a user must renew a certificate before it expires

Revoking Certificates

• When a certificate has been compromised or a user has left the company, you need to revoke it
• This places the certificate on the CRL of the certification authority
• Windows 2000 and newer clients automatically download the CRL from Active Directory (an enterprise CA publishes it there) when they validate a certificate
• A CRL has a default lifetime of seven days; a client keeps using its cached copy until that copy expires, so a revoked certificate can still be accepted for up to a week unless a new CRL is published immediately and clients fetch it
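The decisions a certificate-enabled Windows client makes when it receives a certificate from a hierarchy like the one on the Certificate Hierarchy slide (walk the chain to a trusted root, check every validity period, then check each issuer's CRL), as an added Python example that is not from the textbook. The certificates, CRLs, names and dates are constructed records, and the CA's signature over each certificate is assumed to have been verified already, so the block shows only the trust-linkage, expiry and revocation logic, including what happens when the cached CRL has passed its one-week lifetime.

```python
"""Chain-of-trust, validity-period and revocation checks.

Added example, not from the textbook.  Certificates and CRLs are constructed
Python records; the CA signature over each certificate is assumed to have been
verified already, so only the trust, expiry and CRL decisions are modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime          # one week after this_update is the Windows Server 2003 default
    revoked_serials: frozenset


# Constructed sample hierarchy: root CA -> subordinate issuing CA -> end-entity certificates.
NOW = datetime(2004, 3, 10, 12, 0)
ROOT = Cert("CN=Contoso Root CA", "CN=Contoso Root CA", 1, datetime(2003, 1, 1), datetime(2013, 1, 1))
SUB = Cert("CN=Contoso Issuing CA", "CN=Contoso Root CA", 2, datetime(2003, 1, 2), datetime(2008, 1, 2))
ALICE = Cert("CN=Alice", "CN=Contoso Issuing CA", 10, datetime(2004, 1, 1), datetime(2005, 1, 1))
BOB = Cert("CN=Bob", "CN=Contoso Issuing CA", 11, datetime(2004, 1, 1), datetime(2005, 1, 1))    # revoked below
CAROL = Cert("CN=Carol", "CN=Contoso Issuing CA", 12, datetime(2002, 1, 1), datetime(2003, 1, 1))  # expired
EVIL_ROOT = Cert("CN=Evil Root CA", "CN=Evil Root CA", 1, datetime(2003, 1, 1), datetime(2013, 1, 1))
MALLORY = Cert("CN=Alice", "CN=Evil Root CA", 7, datetime(2004, 1, 1), datetime(2005, 1, 1))      # same name, wrong root

POOL = [ROOT, SUB, EVIL_ROOT]          # issuer certificates the client can see
TRUSTED_ROOTS = {ROOT}                 # the Trusted Root Certification Authorities store (Activity 9-1)
CRLS = {
    "CN=Contoso Root CA": CRL("CN=Contoso Root CA", NOW - timedelta(days=2), NOW + timedelta(days=5), frozenset()),
    "CN=Contoso Issuing CA": CRL("CN=Contoso Issuing CA", NOW - timedelta(days=2), NOW + timedelta(days=5),
                                 frozenset({BOB.serial})),
}


def build_chain(cert, pool):
    """Follow issuer names up to a self-signed certificate; None if an issuer is missing."""
    chain = [cert]
    while chain[-1].subject != chain[-1].issuer:
        issuers = [c for c in pool if c.subject == chain[-1].issuer]
        if not issuers or len(chain) > 16:      # missing issuer, or a loop of names
            return None
        chain.append(issuers[0])
    return chain


def validate(cert, pool, trusted_roots, crls, now):
    """Return (accepted, reason).  Fails closed: anything that cannot be checked is a rejection."""
    chain = build_chain(cert, pool)
    if chain is None:
        return False, "issuer certificate not found"
    root = chain[-1]
    if root not in trusted_roots:
        return False, f"chain ends at untrusted root {root.subject}"
    for c in chain:
        if not (c.not_before <= now <= c.not_after):
            return False, f"{c.subject} is outside its validity period"
    # Every certificate below the root is checked against the CRL of the CA that issued it.
    for c in chain[:-1]:
        crl = crls.get(c.issuer)
        if crl is None:
            return False, f"no CRL available for {c.issuer}"
        if now > crl.next_update:
            return False, f"CRL from {c.issuer} is stale; a fresh copy must be downloaded"
        if c.serial in crl.revoked_serials:
            return False, f"{c.subject} (serial {c.serial}) is revoked"
    return True, "ok"


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, MALLORY):
        print(who.subject, validate(who, POOL, TRUSTED_ROOTS, CRLS, NOW))
    print("six days later:", validate(ALICE, POOL, TRUSTED_ROOTS, CRLS, NOW + timedelta(days=6)))
```

Two points the slides only imply are visible here: a certificate with the right subject name is worthless if its chain ends at a root that is not in the trusted store, and a client whose cached CRL has expired cannot tell whether a certificate is revoked, so it should fail closed until it has fetched the CA's newly published CRL.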

Activity 9-6: Revoking a Certificate

• The purpose of this activity is to revoke a certificate and publish a new CRL

Importing and Exporting Certificates

• If you want to move or copy certificates from one computer to another, you can choose from these standard formats:
  • DER encoded binary X.509 (.cer): the raw certificate bytes
  • Base-64 encoded X.509 (.cer): the same bytes as printable text, Base-64 encoded between BEGIN CERTIFICATE and END CERTIFICATE lines
  • Cryptographic Message Syntax Standard (PKCS #7, .p7b): one or more certificates, optionally the whole certification path
  • Personal Information Exchange (PKCS #12, .pfx): the only one of the four that can also carry the private key, so the file is password-protected and must be handled as secret material
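How the two X.509 export formats relate, as an added Python example that is not from the textbook: DER is the raw tag-length-value encoding, and the Base-64 form is exactly those bytes, base64-encoded between BEGIN/END CERTIFICATE lines. Because a real certificate is long to build by hand, the block encodes a small constructed SEQUENCE standing in for the serial number, issuer, subject and validity fields of the Certificates slide, converts it to and from the Base-64 form, and decodes both back; real certificates follow the same encoding rules with more nested fields. The PKCS #7 and PKCS #12 containers are not reproduced.

```python
"""DER versus Base-64 (PEM) encoding of an X.509-style structure.

Added example, not from the textbook.  A minimal DER encoder/decoder for the
tags used here, plus the Base-64 wrapping that the 'Base-64 encoded X.509'
export produces.  SAMPLE is a constructed stand-in for certificate fields.
"""
import base64
from datetime import datetime

# Universal ASN.1 tag numbers used below
INTEGER, UTF8STRING, UTCTIME, SEQUENCE = 0x02, 0x0C, 0x17, 0x30


def der_length(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_integer(v: int) -> bytes:
    # two's complement, at least one byte; a leading 0x00 keeps values with the top bit set positive
    length = max(1, (v.bit_length() + 8) // 8)
    return tlv(INTEGER, v.to_bytes(length, "big", signed=True))


def der_utf8(s: str) -> bytes:
    return tlv(UTF8STRING, s.encode())


def der_utctime(dt: datetime) -> bytes:
    return tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())


def der_sequence(*items: bytes) -> bytes:
    return tlv(SEQUENCE, b"".join(items))


def read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value_bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    return tag, buf[pos:pos + length], pos + length


def decode_value(tag: int, value: bytes):
    if tag == INTEGER:
        return int.from_bytes(value, "big", signed=True)
    if tag == UTF8STRING:
        return value.decode()
    if tag == UTCTIME:
        return datetime.strptime(value.decode(), "%y%m%d%H%M%SZ")
    if tag == SEQUENCE:                      # constructed: the value is a list of TLVs
        items, pos = [], 0
        while pos < len(value):
            t, v, pos = read_tlv(value, pos)
            items.append(decode_value(t, v))
        return items
    raise ValueError(f"unsupported tag 0x{tag:02x}")


def decode(buf: bytes):
    """Decode a complete DER value into Python objects (sequences become lists)."""
    tag, value, end = read_tlv(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after DER value")
    return decode_value(tag, value)


def to_base64_x509(der: bytes) -> str:
    """'Base-64 encoded X.509': the DER bytes, base64 in 64-column lines, with header and footer."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def from_base64_x509(pem: str) -> bytes:
    body = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))


# Constructed stand-in for certificate fields: serial, issuer, subject, validity period
SAMPLE = der_sequence(
    der_integer(4660),
    der_utf8("CN=Contoso Issuing CA"),
    der_utf8("CN=Alice"),
    der_sequence(der_utctime(datetime(2004, 1, 1)), der_utctime(datetime(2005, 1, 1))),
)

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(to_base64_x509(SAMPLE))
    print(decode(from_base64_x509(to_base64_x509(SAMPLE))))
```

Because the Base-64 form is only a re-encoding, the two .cer variants are interchangeable once decoded; what they carry is public, which is why neither of them can hold a private key and a PKCS #12 file is needed for that.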

Activity 9-7: Moving a Certificate

• The purpose of this activity is to move a user certificate from one computer to another

Smart Card Authentication

• Smart cards are the strongest form of user authentication supported by Windows Server 2003 logon
• Two-factor authentication: users are required to have the device (the smart card) and to enter a personal identification number (PIN)
• When smart cards are implemented, users are issued a physical card that contains a certificate and the matching private key
• The PIN unlocks the card so that the private key on it can be used for logon; the private key never leaves the card (the certificate itself is public data, so the PIN does not decrypt it)

Preparing the Certification Authority to Issue Smart Card Certificates

• Two types of certificates are required to implement smart card authentication:
  • One type is placed on the smart card for authentication (the Smartcard Logon or Smartcard User template)
  • The second type is an enrollment agent certificate, which lets the enrollment agent request smart card certificates on behalf of other users
• On Windows Server 2003, anyone holding an enrollment agent certificate can enroll a smart card for any user in the domain, so issue it only to trusted staff and revoke it when no longer needed

Preparing a Smart Card Certificate Enrollment Station

• A smart card certificate enrollment station is a computer that is used to configure smart cards
• It must have a properly configured smart card reader
• A smart card reader is a device that smart cards are inserted into to read their contents

Configuring a Smart Card for User Logon

• An enrollment agent configures smart cards for users through the Certificate Services Web pages on a CA
• Select the following:
  • Template that will be used to create the certificate
  • CA that will issue the certificate
  • Cryptographic service provider of the smart card
  • Enrollment agent certificate that will sign the request
  • The user the certificate is for

Configuring a Smart Card for User Logon (continued)

• To create the smart card, click the Enroll button and place the smart card in the smart card reader
• Enter the PIN to be used on the smart card
• If a certificate already exists on the smart card, you are prompted to overwrite it

Mapping the Smart Card Certificate to a User Account

• There are three ways to map certificates to user accounts:
  • One-to-one mapping: one specific certificate is mapped to one account
  • Many-to-one mapping (subject): any certificate with a matching subject is mapped to one account
  • Many-to-one mapping (CA): any certificate issued by a given certification authority is mapped to one account
• Many-to-one mappings give the same account to everyone who can present a qualifying certificate, so use them only with certification authorities you control

Attaching a Smart Card Reader to the Client Workstation

• Each computer using smart cards must have a smart card reader
  • Many computers have these available as an option
  • Also commonly available as USB devices

Summary

• Encryption makes data unreadable
• Decryption is the reverse of encryption
• Cryptography can ensure or perform confidentiality, integrity, nonrepudiation, and authentication
• Types of cryptographic algorithm include:
  • Symmetric
  • Asymmetric
  • Hash

Summary (continued)

• Certificate Services is the Microsoft implementation of a certification authority for PKI
• Enterprise certification authorities integrate with Active Directory
• A stand-alone CA does not integrate with Active Directory
• The Certificate Request Wizard, the Certificate Services Web pages, and autoenrollment can be used to issue certificates
• Smart cards are the strongest form of user authentication covered in this chapter