70293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning - PowerPoint PPT Presentation
1
70-293 MCSE Guide to Planning a Microsoft
Windows Server 2003 Network, Enhanced Chapter
9 Planning and Managing Certificate Services
2
Objectives
  • Describe the types of cryptography
  • Understand how cryptography is used for
    encryption and digital signatures
  • Understand the components of Certificate Services
  • Install and manage Certificate Services
  • Manage certificates
  • Implement smart card authentication

3
Cryptography
  • Cryptography is encrypting and decrypting data to
    ensure it is read only by the intended recipient
  • Encrypted messages are unreadable
  • Decryption
    • Reverse of encryption
    • Makes the data readable again

4
Cryptography (continued)
  • Four objectives of cryptography
    • Confidentiality
    • Integrity
    • Nonrepudiation
    • Authentication

5
Cryptography (continued)
  • Cryptography uses keys
    • A large number (a series of numbers, letters, and
      symbols)
    • Large and difficult to guess
    • Used with an algorithm to encrypt and decrypt
      data
  • Three types of encryption
    • Symmetric
    • Asymmetric
    • Hash

6
Symmetric Encryption
  • Uses a single key
  • A computer can symmetrically encrypt large
    amounts of data quickly
  • Used when encrypting files and large amounts of
    data across network transmissions

7
Asymmetric Encryption
  • Uses two keys: a public key and a private key
  • Anything encrypted by the public key can be
    decrypted with the private key and vice versa

8
Hash Encryption
  • Hash encryption is unique because it is one-way
  • Hash algorithm uses a single key to convert data
    to a hash value
  • The hash value is a summary of the data
  • The purpose of a hash value is to be a unique
    identifier, not to secure data

9
Uses for Cryptography
  • Three common tasks that use different types of
    encryption are
    • Encrypting e-mail
    • Ensuring data integrity with digital signatures
    • Securing data communication with Secure Sockets
      Layer (SSL)

10
Encrypting E-mail
  • Encrypting e-mail ensures that a message in
    transit cannot be read by unauthorized people
  • Uses the public and private keys of the
    recipient
    • Sender creates an e-mail message
    • E-mail software encrypts using the recipient's
      public key
    • Recipient's public key may be published in a
      directory or given to the sender via e-mail
      before encryption
    • Encrypted message is then sent to the recipient
    • Recipient's e-mail software decrypts the message
      using the recipient's private key

11
Encrypting E-mail (continued)
12
Digital Signatures
  • A digital signature is a hash value that is
    encrypted and attached to a message
  • Ensures that a message has not been modified in
    transit and that it truly came from the named
    sender
  • This is important when electronically delivering
    information such as contracts and agreements
  • The public and private keys of the sender are
    used for a digital signature
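The e-mail encryption flow from slide 10 and the digital signature from slide 12, worked as an added Go example. This is not code from the presentation or from Windows Certificate Services; it assumes AES-GCM for the symmetric part (slide 6), RSA-OAEP to wrap the symmetric key with the recipient's public key (slides 7 and 10), and an RSA PKCS#1 v1.5 signature over a SHA-256 hash of the body (slide 12). The SealedMail type, the Seal and Open functions and the message text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedMail is a constructed wire format for one protected message: the body
// is encrypted symmetrically, the symmetric key is encrypted with the
// recipient's public key, and the hash of the body is signed by the sender.
type SealedMail struct {
	WrappedKey []byte // AES key encrypted with the recipient's RSA public key (slide 10)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // body encrypted with the AES key (slide 6)
	Signature  []byte // sender's RSA signature over SHA-256(body) (slide 12)
}

// Seal encrypts body for the holder of recipientPub and signs it with senderPriv.
func Seal(body []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*SealedMail, error) {
	// Symmetric encryption handles the bulk data quickly; the key is random
	// and used for this one message only.
	key := make([]byte, 32)
	nonce := make([]byte, 12)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Asymmetric encryption protects only the small key: whatever is encrypted
	// with the recipient's public key can be decrypted only with their private key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	// Digital signature: hash the body, then sign the hash with the sender's
	// private key so that the sender's public key can verify it.
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SealedMail{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, body, nil), Signature: sig}, nil
}

// Open reverses Seal and reports which protection failed, if any.
func Open(m *SealedMail, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap key: not the intended recipient")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("body was modified in transit")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], m.Signature); err != nil {
		return nil, errors.New("signature does not verify: not from the named sender")
	}
	return body, nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	mail, _ := Seal([]byte("Constructed contract text"), &recipient.PublicKey, sender)
	body, err := Open(mail, recipient, &sender.PublicKey)
	fmt.Printf("recipient reads %q (err=%v)\n", body, err)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(mail, recipient, &impostor.PublicKey)
	fmt.Println("impostor as sender:", err)
}
```

Seal wraps a fresh symmetric key per message instead of encrypting the body with RSA directly, which is the point of slide 6: symmetric encryption is what handles large amounts of data. Open checks all three properties separately, so a message that decrypts correctly is still rejected when the signature does not verify under the named sender's public key, or when the ciphertext was altered in transit.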

13
Digital Signatures (continued)
14
Secure Sockets Layer
  • Secure Sockets Layer (SSL) is a Transport Layer
    protocol that can be used with any application
    protocol that is designed to communicate with it
  • SSL secures communication between Web servers and
    Web browsers, e-mail clients and e-mail servers,
    and other service combinations
  • Servers are the only participants in SSL that
    must be configured with a public key and a
    private key

15
Secure Sockets Layer (continued)
16
Certificate Services Components
  • Certificate Services is the Microsoft
    implementation of PKI (Public Key Infrastructure)
  • PKI creates and manages public keys, private
    keys, and certificates
  • PKI using Certificate Services is composed of
    • Certificates
    • Certification authority (also known as
      certificate authority)
    • A Certificate Revocation List (CRL)
    • Certificate-enabled applications

17
Certificates
  • A certificate contains information about a user
    or computer and a public key
  • A certificate defined by the X.509 standard has
    these fields
    • Subject (or user name)
    • Serial number
    • Validity period
    • Public key
    • Issuer name
    • Issuer signature

18
Certification Authority
  • A certification authority (CA) is a server that
    issues certificates to client computers,
    applications, or users
  • The CA is responsible for taking
    certificate-signing requests from clients and
    approving them
  • As part of the approval process, the identity of
    the requester is verified

19
Activity 9-1 Viewing Trusted Root Certification
Authorities
  • The purpose of this activity is to view the
    trusted root certification authorities installed
    by default on Windows Server 2003

20
Certificate Revocation List
  • The certification authority maintains a
    Certificate Revocation List (CRL), which is a
    list of certificates issued by the CA that are no
    longer valid
  • The administrator adds certificates to this list
  • It is not created automatically
  • Each certificate issued by the CA has an
    expiration date

21
Certificate-enabled Applications
  • Windows client computers can store certificates
    in a place that can be used by multiple
    applications
  • Many certificate-enabled applications running on
    Windows use this central Windows store, but other
    applications store certificates in a private
    database
  • Common applications for certificates include
    • E-mail clients
    • Web browsers
    • Smart cards

22
Installing and Managing Certificate Services
  • Two classes of CAs
    • Enterprise
    • Stand-alone
  • An enterprise CA
    • Integrates with Active Directory
    • Has an expanded feature set
    • Can use certificate templates
    • Certificate creation process is entirely automated

23
Installing and Managing Certificate Services
(continued)
  • A stand-alone certification authority
    • Does not integrate with Active Directory
    • Unable to issue certificates automatically based
      on a user object in Active Directory
    • All certificate requests must be manually
      approved by an administrator
    • Cannot use certificate templates
    • Cannot issue certificates used for smart card
      authentication

24
Certificate Hierarchy
  • A chain of trust through which client computers
    and applications are assured that a certificate
    is valid
  • Each certification authority in the hierarchy is
    either a root certification authority or a
    subordinate certification authority
  • A subordinate certification authority is
    certified by another certification authority
  • After certification, the subordinate can issue
    certificates based on the trusted status of the
    certification authority that certified it
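The certificate fields from slide 17, the CA's signing role from slide 18, the CRL from slide 20 and the chain of trust from slide 24, worked as an added Go example using Go's standard crypto/x509 package. This is not code from the presentation or from Certificate Services: it assumes ECDSA P-256 keys rather than the CA's own key-pair settings, and the Issued type, the Issue, PublishCRL and Validate functions, and the CA and user names are constructed for the example. The seven-day NextUpdate on the CRL mirrors the default CRL lifetime stated later on slide 38.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue has a CA (slide 18) sign a certificate for subject; a nil issuer means self-signed (the root).
func Issue(subject string, serial int64, isCA bool, issuer *Issued) (*Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// X.509 fields from slide 17; public key, issuer name and issuer signature are added on signing.
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so issuer and signature fields are populated
	return &Issued{Cert: cert, Key: key}, err
}

// PublishCRL signs a CRL of revoked serials (slide 20); NextUpdate uses the seven-day default from slide 38.
func PublishCRL(ca *Issued, revoked ...int64) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(7 * 24 * time.Hour),
		RevokedCertificates: entries, // legacy field, kept for compatibility with older Go releases
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// Validate does what a certificate-enabled client does (slide 24): chain the leaf
// through the subordinate CA to a trusted root, then check the issuing CA's CRL.
func Validate(leaf, sub, root *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return fmt.Errorf("no chain to a trusted root: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(sub); err != nil {
		return fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale: a fresh one must be downloaded")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	root, _ := Issue("Constructed Root CA", 1, true, nil)
	sub, _ := Issue("Constructed Subordinate CA", 2, true, root)
	user, _ := Issue("user@example.test", 3, false, sub)
	crl, _ := PublishCRL(sub, 3) // CRL that revokes the user's certificate
	fmt.Println(Validate(user.Cert, sub.Cert, root.Cert, crl))
}
```

Validate only trusts the root placed in its pool, which is the trusted-status point of slide 24: the user certificate chains to the root through the subordinate, and a chain ending at any other root is rejected. The CRL is accepted only when it carries the issuing CA's signature and its NextUpdate has not passed, so a stale or foreign CRL cannot be used to hide a revocation.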

25
Certificate Hierarchy (continued)
26
Installing Certificate Services
  • When installing a CA you must choose which type
    • Enterprise root CA
    • Stand-alone root CA
    • Enterprise subordinate CA
    • Stand-alone subordinate CA
  • Can configure custom settings for the key pair
    and CA certificate

27
Activity 9-2 Installing Certificate Services
  • The purpose of this activity is to install
    Certificate Services and configure your server as
    an enterprise root certification authority

28
Back Up and Restore Certificate Services
  • Certificate Services is normally backed up as
    part of the daily backup process on Windows
    Server 2003
  • Certificate Services is included with the backup
    of system state data
  • Can back up and restore manually just Certificate
    Services using the CA snap-in

29
Activity 9-3 Backing Up Certificate Services
  • The purpose of this activity is to perform a
    manual backup of Certificate Services

30
Activity 9-4 Restoring the Certificate Services
Database
  • The purpose of this activity is to perform a
    manual restore of Certificate Services

31
Managing Certificates
  • Tasks related to issuing and managing
    certificates are
    • Issuing certificates
    • Renewing certificates
    • Revoking certificates
    • Publishing a Certificate Revocation List
    • Importing and exporting certificates
    • Mapping accounts to certificates
  • A command-line utility, CERTUTIL, can be used to
    manage both certificates and Certificate Services

32
Issuing Certificates
  • Certificates can be requested using
    • Certificate Request Wizard
    • Certificate Services Web pages
    • Autoenrollment
  • The Certificate Request Wizard and autoenrollment
    are available only for enterprise certification
    authorities
  • Certificate Services Web pages can be used by
    both stand-alone and enterprise certificate
    authorities

33
The Certificate Request Wizard
  • The Certificate Request Wizard is run by users to
    create certificates
  • The types of certificates that can be created are
    controlled by certificate templates
  • The administrator can create, configure, and
    control access to these templates
  • Users can create certificates based on the
    templates to which they have either read or
    enroll permissions

34
Activity 9-5 Requesting a Certificate
  • The purpose of this activity is to request a user
    certificate using the Certificate Request Wizard

35
Certificate Services Web Pages
  • The Certificate Services Web pages can be used to
    request certificates from both enterprise
    certification authorities and stand-alone
    certification authorities
  • IIS is required for the Certificate Services Web
    pages

36
Autoenrollment
  • Autoenrollment issues certificates automatically
  • To enable autoenrollment
    • Duplicate an existing certificate template using
      the Certificate Templates snap-in
    • Select Publish certificate in Active Directory
    • On the Security tab, add the required users or
      groups, and assign them the Enroll and Autoenroll
      permissions
    • Enable the new certificate template in the CA
      snap-in
    • Configure a group policy to enable Enroll
      certificates automatically

37
Renewing Certificates
  • All certificates are issued with an expiration
    date
  • If a certificate is compromised, it is not a
    security risk for an extended period of time
  • If an employee unexpectedly leaves, the employee
    won't have access to company resources after
    expiration
  • To avoid an interruption in service, a user must
    renew a certificate before it expires

38
Revoking Certificates
  • When a certificate has been compromised or a user
    has left the company, you need to revoke it
  • This places the certificate on the CRL of the
    certification authority
  • Windows 2000 and newer clients automatically
    download the CRL from Active Directory
  • A CRL has a default lifetime of seven days

39
Activity 9-6 Revoking a Certificate
  • The purpose of this activity is to revoke a
    certificate and publish a new CRL

40
Importing and Exporting Certificates
  • If you want to move or copy certificates from one
    computer to another, you can choose from these
    standard formats
    • DER encoded binary X.509
    • Base-64 encoded X.509
    • Cryptographic Message Standard
    • Personal Information Exchange

41
Activity 9-7 Moving a Certificate
  • The purpose of this activity is to move a user
    certificate from one computer to another

42
Smart Card Authentication
  • Smart cards are the strongest form of
    authentication supported by Windows Server 2003
  • Users are required to have the device (the smart
    card) and enter a personal identification number
    (PIN)
  • When smart cards are implemented, users are
    issued a physical card that contains a
    certificate
  • The PIN decrypts the certificate stored on the
    card

43
Preparing the Certification Authority to Issue
Smart Card Certificates
  • Two types of certificates are required to
    implement smart card authentication
    • One type is placed on the smart card for
      authentication
    • The second type is an enrollment agent certificate

44
Preparing a Smart Card Certificate Enrollment
Station
  • A smart card certificate enrollment station is a
    computer that is used to configure smart cards
  • It must have a properly configured smart card
    reader
  • A smart card reader is a device that smart cards
    are inserted into to read their contents

45
Configuring a Smart Card for User Logon
  • An enrollment agent configures smart cards for
    users through the Certificate Services Web pages
    on a CA
  • Select the following
    • Template that will be used to create the
      certificate
    • CA that will issue the certificate
    • Cryptographic service provider of the smart card
    • Enrollment agent certificate that will sign the
      request
    • The user the certificate is for

46
Configuring a Smart Card for User Logon
(continued)
  • To create the smart card, click the Enroll button
    and place the smart card in the smart card reader
  • Enter the PIN to be used on the smart card
  • If a certificate already exists on the smart
    card, you are prompted to overwrite it

47
Mapping the Smart Card Certificate to a User
Account
  • There are three ways to map certificates to user
    accounts
    • One-to-one mapping
    • Many-to-one mapping (subject)
    • Many-to-one mapping (CA)

48
Attaching a Smart Card Reader to the Client
Workstation
  • Each computer using smart cards must have a smart
    card reader
  • Many computers have these available as an option
  • Also commonly available as USB devices

49
Summary
  • Encryption makes data unreadable
  • Decryption is the reverse of encryption
  • Cryptography can ensure or perform
    confidentiality, integrity, nonrepudiation, and
    authentication
  • Types of encryption include
    • Symmetric
    • Asymmetric
    • Hash

50
Summary (continued)
  • Certificate Services is the Microsoft
    implementation of a certification authority for
    PKI
  • Enterprise certification authorities integrate
    with Active Directory
  • A stand-alone CA does not integrate with Active
    Directory
  • The Certificate Request Wizard, the Certificate
    Services Web pages, and autoenrollment can be
    used to issue certificates
  • Smart cards are the most secure form of
    authentication