Server 2008 Certificate Services


8/6/2019 Server 2008 Certificate Services

http://slidepdf.com/reader/full/server-2008-certificate-services 1/9

Certificate Services

With all of the security threats on the Internet, it's important to be able to trust the resource you're connecting to and through which you're passing information. One way you can enable others to trust you is by installing Certificate Services on your server.

Certificate Services is included with Windows Server 2008 but is not installed by default. The service is used to issue and manage certificates for a Public Key Infrastructure (PKI). Certificate Services allows a computer running Windows Server 2008 to receive certificate requests from users and computers, verify the identity of a requestor, issue and revoke certificates, and publish a Certificate Revocation List (CRL).

Installing ADCS (Active Directory Certificate Services)

You can install and configure Certificate Services by running the Add Roles Wizard. By selecting Active Directory Certificate Services (ADCS) from the Server Roles list, you allow Windows Server 2008 to act as a Certification Authority (CA). ADCS is used to create a Certification Authority that issues and manages certificates for various applications.

In the Select Server Roles window, select Active Directory Certificate Services by placing a checkmark next to it, then click Next.


On the 'Select Role Services' page, make sure Certification Authority is selected.

Notice that the Add Roles Wizard pops up a dialog box telling you that it needs to add a number of web-related role services (the IIS components that web enrollment depends on). Click Add Required Role Services to confirm that this is OK.


On the Specify Setup Type page, leave Enterprise selected. Click Next. An enterprise CA must be installed on a domain member by an account with Enterprise Admins rights, and it publishes its certificates and CRL to Active Directory.

On the Specify CA Type page, click Subordinate CA, and then click Next. A subordinate CA's own certificate is signed by a parent CA, so the new CA cannot issue certificates until the parent has issued that certificate and it has been installed on the subordinate.


On the Set up Private Key page, click Create a new private key, and then click Next.

On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm. Choose a key of at least 2048 bits and, where the provider offers it, SHA-256 rather than SHA-1: the CA's key and hash protect every certificate it will ever sign, and they cannot be changed later without renewing the CA certificate. Click Next.


On the Configure CA Name page, create a unique name to identify the CA. Click Next.

On the Set Validity Period page, specify the number of years or months that the CA certificate will be valid. Click Next. A subordinate CA's certificate lifetime is ultimately set by the parent CA that signs it.
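Once the wizard has finished and the subordinate CA certificate has been installed, it is worth checking the choices made on the Configure Cryptography and Set Validity Period pages against what the CA actually holds, rather than trusting the wizard screens. The following PowerShell script is an added example, not part of the original slides; it exports the CA's own certificate with the built-in certutil tool and inspects it with .NET. The CA configuration string (host\CA name) is a placeholder for whatever was entered on the Configure CA Name page.

```powershell
# Added example (not from the original slides): verify the new CA's certificate parameters.
# Assumptions: runs on the CA itself as an administrator; the CA name below is a placeholder
# for the name chosen on the Configure CA Name page.
$caConfig = "$env:COMPUTERNAME\CONTOSO-ISSUING-CA"   # assumed "<host>\<CA name>" config string
$cerFile  = Join-Path $env:TEMP 'ca-cert.cer'

# certutil -ca.cert exports the CA's own signing certificate (built-in Windows tool).
& certutil.exe -config $caConfig -ca.cert $cerFile | Out-Null
if (-not (Test-Path $cerFile)) {
    throw "Could not export the CA certificate from $caConfig (is the subordinate CA certificate installed yet?)"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerFile

$sigAlg   = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha1RSA or sha256RSA
$keyBits  = $cert.PublicKey.Key.KeySize                 # RSA modulus length in bits
$lifetime = ($cert.NotAfter - $cert.NotBefore).Days
$isRoot   = ($cert.Subject -eq $cert.Issuer)            # self-signed means root, not subordinate

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Signature   : $sigAlg"
"Key length  : $keyBits bits"
"Lifetime    : $lifetime days (expires $($cert.NotAfter))"
"Subordinate : $(-not $isRoot)"

# The checks a reviewer would want after running the wizard.
$findings = @()
if ($keyBits -lt 2048)           { $findings += "key shorter than 2048 bits" }
if ($sigAlg -match '^sha1|^md5') { $findings += "weak signature hash ($sigAlg); SHA-256 is preferred" }
if ($isRoot)                     { $findings += "certificate is self-signed; a subordinate CA should be issued by its parent CA" }
if ($cert.NotAfter -lt (Get-Date).AddYears(1)) { $findings += "CA certificate expires within a year" }

if ($findings.Count -eq 0) { "OK: CA certificate parameters look sound." }
else { $findings | ForEach-Object { "WARN: $_" } }
```

Run it in an elevated PowerShell prompt on the CA. A weak hash or short key reported here means the CA should be reinstalled (or renewed with a new key) before it issues anything, since every certificate it signs inherits that weakness.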


The following figure shows the certificates management console.


What is a PKI?

Whenever an organization uses technologies such as smart cards, IPsec, Secure Sockets Layer (SSL), digital signatures, Encrypting File System (EFS), or other technologies that rely on public-key cryptography, the organization needs a system for issuing keys and identifying their owners.

A PKI, or Public Key Infrastructure, binds public keys to the identities of users, computers and services, so that parties who trust the same CA can verify that those using a system are who they claim to be. Using PKI enables the use of digital certificates between authenticated and trusted entities. A certificate is an electronic document, signed by a CA, that lets the client viewing it check the authenticity of the host presenting it. The most common use of certificates is Secure Sockets Layer (SSL), where the client verifies the server's identity from its certificate and the data is then transmitted over an encrypted channel. Certificates in a PKI are used to secure data and manage the identification credentials of resources within and outside the organization.

A Certification Authority (CA) is the part of a PKI that is responsible for validating certificate requests, issuing certificates, and revoking certificates; revoked certificates are published in the CA's Certificate Revocation List (CRL) so that clients can reject them before their expiry date. At the bare minimum, an enterprise using Microsoft Active Directory Certificate Services (ADCS) must have at least one CA that issues and revokes certificates. For redundancy, there is usually more than one CA deployed in an organization. Also, CAs can be either internal or external and can exist at several different levels, acting as a root CA or as an issuing CA beneath it. There are many different ways to deploy your CA, so it is wise to understand your needs before you deploy.
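The two halves of the revocation story above, the CA revoking a certificate and publishing its CRL, and a client building the chain and consulting that CRL, can both be exercised from PowerShell on Windows Server 2008. The script below is an added example and not part of the original slides. The serial number and the certificate file path are placeholders; certutil's -revoke and -CRL verbs and the .NET X509Chain class are real, built-in facilities.

```powershell
# Added example (not from the original slides): revoke a certificate on the CA, publish the CRL,
# then validate a certificate the way a relying client does, including the revocation check.
# Assumptions: part 1 runs on the CA as a CA administrator; the serial number and the path in
# part 2 are placeholders for real values.

# ---- Part 1: CA side ---------------------------------------------------------------------
$serialToRevoke = '1a2b3c4d000000000007'   # assumed serial number of the certificate to revoke
$reasonKeyCompromise = 1                   # certutil reason codes: 0 Unspecified, 1 KeyCompromise,
                                           # 2 CACompromise, 4 Superseded, 5 CessationOfOperation, 6 CertificateHold
& certutil.exe -revoke $serialToRevoke $reasonKeyCompromise | Out-Null
& certutil.exe -CRL | Out-Null             # publish a fresh base CRL to the configured CDP locations

# Disposition 21 = revoked in the CA database; list what the CRL now covers.
& certutil.exe -view -restrict 'Disposition=21' -out 'RequestID,SerialNumber,CommonName,RevokedReason'

# ---- Part 2: client side -----------------------------------------------------------------
function Test-CertificateChain {
    param([string]$Path)

    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $policy = $chain.ChainPolicy
    $policy.RevocationMode    = 'Online'       # fetch the CRL named in the certificate's CDP extension
    $policy.RevocationFlag    = 'EntireChain'  # check every CA in the chain, not only the end entity
    $policy.VerificationFlags = 'NoFlag'       # an unreachable CRL is a failure, not a pass

    $valid = $chain.Build($cert)
    "Certificate : $($cert.Subject)"
    "Chain valid : $valid"
    foreach ($element in $chain.ChainElements) {
        "  -> $($element.Certificate.Subject)"
    }
    foreach ($status in $chain.ChainStatus) {
        # Typical values: Revoked, RevocationStatusUnknown, OfflineRevocation, UntrustedRoot, NotTimeValid
        "  ! $($status.Status): $($status.StatusInformation.Trim())"
    }
    return $valid
}

Test-CertificateChain -Path 'C:\temp\webserver.cer'   # assumed path of the certificate to check
```

The client-side function deliberately leaves VerificationFlags at NoFlag: with the default ignore-flags cleared, a CRL that cannot be fetched surfaces as RevocationStatusUnknown or OfflineRevocation and the chain fails, which is the behaviour you want before trusting a host. Note that a freshly published CRL is not seen by clients that still hold a cached copy whose Next Update time has not passed.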

Exam Questions

Question: You are an enterprise administrator for Certkiller. The corporate network of the company consists of 10 servers that run Windows Server 2008 in an Active Directory domain and several client computers that run Windows Vista. All the servers were Remote Desktop (RDP) enabled with default security settings for server administration. Which of the following options would you choose to ensure the RDP connections between Windows Server 2008 servers and Windows Vista client computers are as secure as possible?

A. Configure the firewall on each server to block port 3380.
B. Set the security layer for each server to the RDP security layer and acquire user certificates from the internal certificate authority.
C. Set the security layer for each server to the RDP security layer and configure the firewall on each server to block port 3389.
D. Acquire user certificates from the internal certificate authority and configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication.
E. None of the above.

Answer: D

Explanation: To ensure the RDP connections are as secure as possible, you need to first acquire user certificates from the internal certificate authority and then configure each server to allow connections only from Remote Desktop client computers that use Network Level Authentication. Blocking the RDP port (TCP 3389; the 3380 in option A is not the RDP port) would simply stop Remote Desktop, and the RDP security layer is the weakest of the available security layers.

In the pre-Windows Server 2008 Terminal Server, you entered the name of the server and a connection was initiated to its logon screen; only then, at that logon screen, did you attempt to authenticate. From a security perspective this isn't a good idea, because you are getting access to a session on the server prior to authentication, which is not considered good security practice.

NLA, or Network Level Authentication, reverses the order in which a client connects. The new RDC 6.0 client asks you for your username and password before it takes you to the logon screen. If you're connecting to a pre-Windows Server 2008 server, a failure in that initial logon falls back to the old way of logging in. NLA shines when connecting to Windows Vista computers and Windows Server 2008 servers with NLA configured: it prevents that fallback from ever occurring, so an attacker cannot reach a session on your server without first authenticating successfully.
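The settings the answer relies on can be audited and applied without the Remote Desktop Session Host Configuration console. The PowerShell script below is an added example, not part of the original slides or of any Microsoft documentation; it reads the RDP-Tcp listener's settings through the Win32_TSGeneralSetting WMI class, reports whether NLA and the TLS ("SSL") security layer are required, and with -Enforce switches them on and binds a server certificate issued by the internal CA. The CA name is a placeholder.

```powershell
# Added example (not from the original slides): audit and enforce NLA plus the TLS security
# layer on the RDP-Tcp listener. Assumptions: runs locally as an administrator on Windows
# Server 2008; the issuing CA name is a placeholder for the enterprise CA's real name.
param([switch]$Enforce)

$issuingCA = 'CONTOSO-ISSUING-CA'   # assumed: CN of the internal CA that issued the server certificate

# Win32_TSGeneralSetting exposes the per-listener Remote Desktop security settings.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                     -Filter "TerminalName='RDP-Tcp'"

# UserAuthenticationRequired: 1 = NLA (credentials before any session exists), 0 = legacy logon screen
# SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS ("SSL") required
"NLA required    : $($rdp.UserAuthenticationRequired -eq 1)"
"Security layer  : $($rdp.SecurityLayer)  (2 = TLS required)"
"Bound cert hash : $($rdp.SSLCertificateSHA1Hash)"

# Pick the newest valid certificate from the internal CA that has a private key on this host.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match "CN=$issuingCA" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $serverCert) {
    "WARN: no valid certificate from $issuingCA in LocalMachine\My; the listener would use a self-signed one."
}

if ($Enforce) {
    # Both methods belong to Win32_TSGeneralSetting and return 0 on success.
    $rdp.SetUserAuthenticationRequired(1) | Out-Null
    $rdp.SetSecurityLayer(2)             | Out-Null
    "Applied: NLA required, TLS security layer on RDP-Tcp."

    if ($serverCert) {
        $rdp.SSLCertificateSHA1Hash = $serverCert.Thumbprint
        $rdp.Put() | Out-Null
        "Bound certificate $($serverCert.Thumbprint) ($($serverCert.Subject)) to the listener."
    }
}
```

Run it once without -Enforce to see the current state, then with -Enforce on each server. Requiring NLA (SecurityLayer 2 plus UserAuthenticationRequired 1) means clients older than RDC 6.0, and any client that cannot complete CredSSP authentication, are refused before a session is created, which is exactly the fallback the explanation above wants to prevent.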