Server 2008 Certificate Services
8/6/2019 Server 2008 Certificate Services
http://slidepdf.com/reader/full/server-2008-certificate-services 1/9
Certificate Services
With all of the security threats occurring on the Internet, it's important to be able to trust the resource you're connecting to and through which you're passing information. One way you can enable others to trust you is by installing Certificate Services on your server.
Certificate Services is included with Windows Server 2008 but not installed by default. The service is used to issue and manage certificates for a Public Key Infrastructure (PKI). Certificate Services allows a computer running Windows Server 2008 to receive requests for certificates from users and computers, verify the identity of a requestor, issue and revoke certificates, and publish a Certificate Revocation List (CRL).
Installing ADCS (Active Directory Certificate Services)
You can install and configure Certificate Services by running the Add Roles Wizard. By selecting Active Directory Certificate Services (ADCS) from the Server Roles list, you allow Windows Server 2008 to act as a CA, or Certificate Authority. ADCS is used to create a Certification Authority to issue and manage certificates for various applications.
In the Select Server Roles window, select Active Directory Certificate Services by placing a checkmark next to it, then click Next.
On the 'Select Role Services' page, make sure Certification Authority is selected.
Notice that the Add Roles Wizard pops up a dialog box telling you that it will need to add a number of web-related services. Click Add Required Role Services to confirm that it's OK.
On the Specify Setup Type page, leave Enterprise selected. Click Next.
On the Specify CA Type page, click Subordinate CA, and then click Next.
On the Set up Private Key page, click Create a new private key, and then click Next.
On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm. Click Next.
On the Configure CA Name page, create a unique name to identify the CA. Click Next.
On the Set Validity Period page, specify the number of years or months that the CA certificate will be valid. Click Next.
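The wizard pages above can be scripted. The following is an added example, not from the original page: it expresses the same choices (Enterprise setup type, Subordinate CA, a new private key, provider, key length, hash algorithm and CA name) in PowerShell, then runs the checks an administrator would want afterwards. It assumes Windows Server 2012 or later, where the ADCSDeployment module and Install-WindowsFeature ship; on Server 2008 itself the Add Roles Wizard described above is the supported path. The CA name, parent CA and request file path are placeholders.

```powershell
# Added example (not the page's own procedure). Assumes Server 2012+ with the
# ServerManager and ADCSDeployment modules; run in an elevated PowerShell session.

# 1. Install the role (the wizard's "Select Server Roles" / "Select Role Services" steps).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure the CA (the Setup Type, CA Type, Private Key, Cryptography and CA Name pages).
#    A subordinate CA's certificate lifetime is decided by the parent CA that signs it,
#    so -ValidityPeriod / -ValidityPeriodUnits are only used when CAType is a root CA.
$caParams = @{
    CAType             = 'EnterpriseSubordinateCA'                     # Enterprise + Subordinate CA
    CryptoProviderName = 'RSA#Microsoft Software Key Storage Provider' # cryptographic service provider
    KeyLength          = 2048                                          # key length
    HashAlgorithmName  = 'SHA256'                                      # hash algorithm
    CACommonName       = 'CONTOSO-ISSUING-CA'                          # placeholder CA name
    # Placeholder parent CA in "host\CA name" form; the new CA's certificate is requested from it.
    ParentCA           = 'rootca.contoso.example\CONTOSO-ROOT-CA'
    Force              = $true
}
Install-AdcsCertificationAuthority @caParams

# 3. Post-install checks: role state, CA identity, and the CRL publication settings that
#    back the "publish a Certificate Revocation List" duty described in the text.
Get-WindowsFeature -Name ADCS-Cert-Authority | Select-Object Name, InstallState
certutil -cainfo name
certutil -getreg CA\CRLPeriodUnits   # how often a base CRL is published
certutil -getreg CA\CRLPeriod        # unit for the value above (Hours, Days, Weeks ...)
certutil -crl                        # publish a fresh CRL now
```

If the parent CA is offline (a common design for the root), omit `ParentCA` and pass `-OutputCertRequestFile` instead; the request file is then signed on the root and installed with `certutil -installcert` before the CA service will start.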
The following figure shows the Certificates management console.
What is a PKI?
Whenever an organization uses technologies such as smart cards, IPsec, Secure Sockets Layer (SSL), digital signatures, Encrypting File System (EFS), or other technologies that rely upon using specific levels of encryption, the organization will need to create a public system of encryption and identification.
A PKI, or Public Key Infrastructure, is used to help ensure that all who are using a system are in fact authorized to access it. Using PKI will enable the use of digital certificates between authenticated and trusted entities. A certificate is nothing more than an electronically based official document that helps the client viewing the certificate to check the authenticity of the host with the certificate. The most common reason for using a system of certificates is Secure Sockets Layer (SSL), which verifies a user's identity and securely transmits data. Certificates in a PKI are used to secure data and manage the identification credentials of resources within and outside the organization.
A Certificate Authority (CA) is part of a Public Key Infrastructure (PKI) which is responsible for validating certificates, issuing certificates, and revoking certificates. At the bare minimum, an enterprise using Microsoft Active Directory Certificate Services (ADCS) must have at least one CA that issues and revokes certificates. For redundancy, there is usually more than one CA deployed in an organization. Also, CAs can be either internal or external and can exist at several different levels, acting as a root CA or an issuance-only CA. There are many different ways to deploy your CA, so it is wise to understand your needs before you deploy.
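What "checking the authenticity of the host with the certificate" means in practice is building a chain from the presented certificate to a trusted CA and consulting the CA's revocation data. The function below is an added example, not part of the original page: it uses the .NET X509Chain class available in Windows PowerShell to do exactly that for a certificate file and report every problem the chain engine finds. It assumes a DER or Base64 certificate file path and network reachability of the issuing CA's CRL distribution point; the file path in the usage line is a placeholder.

```powershell
# Added example (not from the original page). Validates a certificate the way a relying
# party does: chain to a trusted root, then fetch the CRL/OCSP data of every CA in the chain.
function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath   # placeholder: path to a .cer file
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online revocation checking for the whole chain, not just the leaf: a revoked
    # intermediate CA must also fail the check.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    # Build() returns $false when any policy or revocation problem exists; the details
    # are left in ChainStatus (e.g. UntrustedRoot, Revoked, RevocationStatusUnknown, NotTimeValid).
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotAfter  = $cert.NotAfter
        Trusted   = $trusted
        # Subjects from the leaf up to the root the engine selected.
        ChainPath = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # One line per problem; empty when the certificate is fully valid.
        Problems  = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
    }
}

# Usage (placeholder path):
# Test-IssuedCertificate -CertPath 'C:\certs\webserver.cer' | Format-List
```

A result with `Trusted = False` and `RevocationStatusUnknown` in `Problems` usually means the CRL could not be downloaded rather than that the certificate is bad, which is why the CRL distribution point of an enterprise CA has to stay reachable from every client. The built-in `certutil -verify -urlfetch <file>` performs the same chain and CRL fetch and prints the URLs it tried.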
Exam Questions
Question: You are an enterprise administrator for Certkiller. The corporate network of the company consists of 10 servers that run Windows Server 2008 in an Active Directory domain and several client computers that run Windows Vista. All the servers were Remote Desktop (RDP) enabled with default security settings for server administration. Which of the following options would you choose to ensure the RDP connections between Windows Server 2008 servers and Windows Vista client computers are as secure as possible?
A. Configure the firewall on each server to block port 3380.
B. Set the security layer for each server to the RDP Security Layer and acquire user certificates from the internal certificate authority.
C. Set the security layer for each server to the RDP Security Layer and configure the firewall on each server to block port 3389.
D. Acquire user certificates from the internal certificate authority and configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication.
E. None of the above.
Answer: D
Explanation: To ensure the RDP connections are as secure as possible, you need to first acquire user certificates from the internal certificate authority and then configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication. In the pre-W2008 Terminal Server, you used to enter the name of the server and a connection was initiated to its logon screen. Then, at that logon screen, you attempted to authenticate. From a security perspective, this isn't a good idea, because by doing it in this manner you're actually getting access to a server prior to authentication; the access you're getting is to a session on that server, and that is not considered good security practice. NLA, or Network Level Authentication, reverses the order in which a client attempts to connect. The new RDC 6.0 client asks you for your username and password before it takes you to the logon screen. If you're attempting to connect to a pre-W2008 server, a failure in that initial logon will fall back to the old way of logging in. It shines when connecting to Windows Vista computers and W2008 servers with NLA configured: it prevents the fallback authentication from ever occurring, which prevents the bad guys from gaining access to your server without a successful authentication.
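The setting the answer relies on is a property of the server's RDP-Tcp listener, so an administrator can audit it and enforce it on every server rather than trusting the default. The following is an added example, not from the original page: it reads the listener's NLA and security-layer settings through the Win32_TSGeneralSetting WMI class and offers a function that turns NLA on and selects the TLS layer. It assumes PowerShell 3.0 or later for Get-CimInstance (on Server 2008 the same class is reachable with Get-WmiObject) and an elevated session for the Set function.

```powershell
# Added example (not from the original page). Audits and enforces the RDP listener
# settings behind answer D: NLA required, and a TLS security layer instead of the
# legacy "RDP Security Layer" named in options B and C.

function Get-RdpListenerSecurity {
    # Assumes PowerShell 3.0+; on Server 2008 replace Get-CimInstance with Get-WmiObject.
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"

    # SecurityLayer values: 0 = RDP Security Layer, 1 = Negotiate, 2 = TLS (SSL).
    $layerName = switch ($listener.SecurityLayer) {
        0       { 'RDP Security Layer (legacy RDP encryption only)' }
        1       { 'Negotiate (TLS when the client supports it)' }
        2       { 'TLS / SSL (server certificate required)' }
        default { "Unknown ($_)" }
    }

    [pscustomobject]@{
        # 1 means the client must authenticate before a session is created (NLA).
        NlaRequired           = ($listener.UserAuthenticationRequired -eq 1)
        SecurityLayer         = $layerName
        # Thumbprint of the certificate presented for TLS; empty means the
        # auto-generated self-signed certificate rather than one from the internal CA.
        CertificateThumbprint = $listener.SSLCertificateSHA1Hash
    }
}

function Set-RdpListenerHardened {
    # Requires an elevated session. Uses the class's own setter methods so the change
    # is applied the same way the Remote Desktop Session Host Configuration console does.
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"

    # Require Network Level Authentication (answer D).
    Invoke-CimMethod -InputObject $listener -MethodName 'SetUserAuthenticationRequired' `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null

    # Use TLS for the transport rather than the legacy RDP security layer.
    Invoke-CimMethod -InputObject $listener -MethodName 'SetSecurityLayer' `
        -Arguments @{ SecurityLayer = 2 } | Out-Null

    Get-RdpListenerSecurity
}

# Usage:
# Get-RdpListenerSecurity          # audit the current state
# Set-RdpListenerHardened          # enforce NLA + TLS, then show the new state
```

Across a domain the same two settings are normally pushed by Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security), and the audit function above is a convenient way to confirm the policy actually landed on each server.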