Title: 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced. Chapter 9: Planning and Managing Certificate Services
70-293 MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced
Chapter 9: Planning and Managing Certificate Services
Objectives
- Describe the types of cryptography
- Understand how cryptography is used for encryption and digital signatures
- Understand the components of Certificate Services
- Install and manage Certificate Services
- Manage certificates
- Implement smart card authentication
Cryptography
- Cryptography is the encryption and decryption of data to ensure that it can be read only by the intended recipient
- Encrypted messages are unreadable
- Decryption
  - Reverse of encryption
  - Makes the data readable again
Cryptography (continued)
- Four objectives of cryptography
  - Confidentiality
  - Integrity
  - Nonrepudiation
  - Authentication
Cryptography (continued)
- Cryptography uses keys
  - A large number (a series of numbers, letters, and symbols)
  - Large and difficult to guess
  - Used with an algorithm to encrypt and decrypt data
- Three types of encryption
  - Symmetric
  - Asymmetric
  - Hash
Symmetric Encryption
- Uses a single key
- A computer can symmetrically encrypt large amounts of data quickly
- Used when encrypting files and large amounts of data across network transmissions
Asymmetric Encryption
- Uses two keys: a public key and a private key
- Anything encrypted by the public key can be decrypted with the private key, and vice versa
Hash Encryption
- Hash encryption is unique because it is one-way
- Hash algorithm uses a single key to convert data to a hash value
- The hash value is a summary of the data
- The purpose of a hash value is to be a unique identifier, not to secure data
Uses for Cryptography
- Three common tasks that use different types of encryption are
  - Encrypting e-mail
  - Ensuring data integrity with digital signatures
  - Securing data communication with Secure Sockets Layer (SSL)
Encrypting E-mail
- Encrypting e-mail ensures that a message in transit cannot be read by unauthorized people
- Uses the public and private keys of the recipient
- Sender creates an e-mail message
- E-mail software encrypts using the recipient's public key
  - The recipient's public key may be published in a directory or given to the sender via e-mail before encryption
- Encrypted message is then sent to the recipient
- Recipient's e-mail software decrypts the message using the recipient's private key
Encrypting E-mail (continued)
Digital Signatures
- A digital signature is a hash value that is encrypted and attached to a message
- Ensures that a message has not been modified in transit and that it truly came from the named sender
- This is important when electronically delivering information such as contracts and agreements
- The public and private keys of the sender are used for a digital signature
Digital Signatures (continued)
Secure Sockets Layer
- Secure Sockets Layer (SSL) is a Transport Layer protocol that can be used with any application protocol that is designed to communicate with it
- SSL secures communication between Web servers and Web browsers, e-mail clients and e-mail servers, and other service combinations
- Servers are the only participants in SSL that must be configured with a public key and a private key
Secure Sockets Layer (continued)
Certificate Services Components
- Certificate Services is the Microsoft implementation of PKI (Public Key Infrastructure)
- PKI creates and manages public keys, private keys, and certificates
- PKI using Certificate Services is composed of
  - Certificates
  - Certification authority (also known as certificate authority)
  - A Certificate Revocation List (CRL)
  - Certificate-enabled applications
Certificates
- A certificate contains information about a user or computer and a public key
- A certificate defined by the X.509 standard has these fields
  - Subject (or user name)
  - Serial number
  - Validity period
  - Public key
  - Issuer name
  - Issuer signature
Certification Authority
- A certification authority (CA) is a server that issues certificates to client computers, applications, or users
- The CA is responsible for taking certificate-signing requests from clients and approving them
- As part of the approval process, the identity of the requester is verified
Activity 9-1 Viewing Trusted Root Certification Authorities
- The purpose of this activity is to view the trusted root certification authorities installed by default on Windows Server 2003
Certificate Revocation List
- The certification authority maintains a Certificate Revocation List (CRL), which is a list of certificates issued by the CA that are no longer valid
- The administrator adds certificates to this list
  - It is not created automatically
- Each certificate issued by the CA has an expiration date
Certificate-enabled Applications
- Windows client computers can store certificates in a place that can be used by multiple applications
- Many certificate-enabled applications running on Windows use this central Windows store, but other applications store certificates in a private database
- Common applications for certificates include
  - E-mail clients
  - Web browsers
  - Smart cards
Installing and Managing Certificate Services
- Two classes of CAs
  - Enterprise
  - Stand-alone
- An enterprise CA
  - Integrates with Active Directory
  - Has an expanded feature set
  - Can use certificate templates
  - Certificate creation process is entirely automated
Installing and Managing Certificate Services (continued)
- A stand-alone certification authority
  - Does not integrate with Active Directory
  - Unable to issue certificates automatically based on a user object in Active Directory
  - All certificate requests must be manually approved by an administrator
  - Certificate templates cannot be used by a stand-alone certification authority
  - Cannot issue certificates used for smart card authentication
Certificate Hierarchy
- Chain of trust through which client computers and applications are assured that a certificate is valid
- Each certification authority in the hierarchy is either a root certification authority or a subordinate certification authority
- A subordinate certification authority is certified by another certification authority
- After certification, the subordinate can issue certificates based on the trusted status of the certification authority that certified it
Certificate Hierarchy (continued)
Installing Certificate Services
- When installing a CA, you must choose which type
  - Enterprise root CA
  - Stand-alone root CA
  - Enterprise subordinate CA
  - Stand-alone subordinate CA
- Can configure custom settings for the key pair and CA certificate
Activity 9-2 Installing Certificate Services
- The purpose of this activity is to install Certificate Services and configure your server as an enterprise root certification authority
Back Up and Restore Certificate Services
- Certificate Services is normally backed up as part of the daily backup process on Windows Server 2003
- Certificate Services is included with the backup of system state data
- Can back up and restore just Certificate Services manually using the CA snap-in
Activity 9-3 Backing Up Certificate Services
- The purpose of this activity is to perform a manual backup of Certificate Services
Activity 9-4 Restoring the Certificate Services Database
- The purpose of this activity is to perform a manual restore of Certificate Services
Managing Certificates
- Tasks related to issuing and managing certificates are
  - Issuing certificates
  - Renewing certificates
  - Revoking certificates
  - Publishing a Certificate Revocation List
  - Importing and exporting certificates
  - Mapping accounts to certificates
- A command-line utility, CERTUTIL, can be used to manage both certificates and Certificate Services
Issuing Certificates
- Certificates can be requested using
  - Certificate Request Wizard
  - Certificate Services Web pages
  - Autoenrollment
- The Certificate Request Wizard and autoenrollment are available only for enterprise certification authorities
- Certificate Services Web pages can be used by both stand-alone and enterprise certification authorities
The Certificate Request Wizard
- The Certificate Request Wizard is run by users to create certificates
- The types of certificates that can be created are controlled by certificate templates
- The administrator can create, configure, and control access to these templates
- Users can create certificates based on the templates to which they have either Read or Enroll permissions
Activity 9-5 Requesting a Certificate
- The purpose of this activity is to request a user certificate using the Certificate Request Wizard
Certificate Services Web Pages
- The Certificate Services Web pages can be used to request certificates from both enterprise certification authorities and stand-alone certification authorities
- IIS is required for the Certificate Services Web pages
Autoenrollment
- Autoenrollment issues certificates automatically
- To enable autoenrollment
  - Duplicate an existing certificate template using the Certificate Templates snap-in
  - Select Publish certificate in Active Directory
  - On the Security tab, add the required users or groups, and assign them the Enroll and Autoenroll permissions
  - Enable the new certificate template in the CA snap-in
  - Configure a group policy to enable Enroll certificates automatically
Renewing Certificates
- All certificates are issued with an expiration date
  - If a certificate becomes compromised, it is not a security risk for an extended period of time
  - If an employee unexpectedly leaves, the employee won't have access to company resources after expiration
- To avoid an interruption in service, a user must renew a certificate before it expires
Revoking Certificates
- When a certificate has been compromised or a user has left the company, you need to revoke it
- This places the certificate on the CRL of the certification authority
- Windows 2000 and newer clients automatically download the CRL from Active Directory
- A CRL has a default lifetime of seven days
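The Certificates, Certificate Revocation List, Certificate Hierarchy, Renewing and Revoking slides together describe the lifecycle checks a relying party performs. The following is an added Python example, not code from the chapter or from Microsoft, that models a CA's issued-certificate database, an administrator-driven CRL with the seven-day default lifetime the chapter states, a walk up the chain of trust to a trusted root, and a renewal reminder. The class and function names, the 30-day renewal window, the CA names and the dates are my own constructions. Public keys and issuer signatures are left out of the model on purpose: verifying those is the cryptographic step, and this block shows only the policy checks that sit on top of it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple

CRL_LIFETIME = timedelta(days=7)  # default CRL lifetime given in the chapter


@dataclass
class Certificate:
    """X.509 fields from the chapter, minus public key and issuer signature (not modelled)."""
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime
    issuer: str


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)


class CertificationAuthority:
    """Model of a CA's issued-certificate database and its revocation list."""

    def __init__(self, name: str):
        self.name = name
        self._next_serial = 1
        self.issued: Dict[int, Certificate] = {}
        self.revoked: Set[int] = set()

    def issue(self, subject: str, now: datetime, lifetime: timedelta) -> Certificate:
        cert = Certificate(subject, self._next_serial, now, now + lifetime, self.name)
        self._next_serial += 1
        self.issued[cert.serial] = cert
        return cert

    def revoke(self, serial: int) -> None:
        # Revocation is an explicit administrator action; expiry alone never adds to the CRL
        if serial not in self.issued:
            raise KeyError(f"serial {serial} was not issued by {self.name}")
        self.revoked.add(serial)

    def publish_crl(self, now: datetime) -> CRL:
        return CRL(self.name, now, now + CRL_LIFETIME, set(self.revoked))


def check_certificate(cert: Certificate, crl: CRL, now: datetime) -> Tuple[bool, str]:
    """Lifecycle checks a relying party applies to one certificate against its issuer's CRL."""
    if crl.issuer != cert.issuer:
        return False, "CRL was not published by the certificate's issuer"
    if not crl.this_update <= now < crl.next_update:
        return False, "CRL is stale; a fresh CRL must be downloaded before trusting"
    if not cert.not_before <= now <= cert.not_after:
        return False, "certificate is outside its validity period"
    if cert.serial in crl.revoked_serials:
        return False, "certificate has been revoked"
    return True, "ok"


def validate_chain(leaf: Certificate, certs_by_subject: Dict[str, Certificate],
                   crls_by_issuer: Dict[str, CRL], trusted_roots: Set[str],
                   now: datetime, max_depth: int = 5) -> Tuple[bool, str]:
    """Walk issuer links from the leaf up to a trusted root, checking every link on the way."""
    cert = leaf
    for _ in range(max_depth):
        crl = crls_by_issuer.get(cert.issuer)
        if crl is None:
            return False, f"no CRL available for issuer {cert.issuer}"
        ok, reason = check_certificate(cert, crl, now)
        if not ok:
            return False, f"{cert.subject}: {reason}"
        if cert.issuer in trusted_roots:
            return True, "chain ends at a trusted root"
        cert = certs_by_subject.get(cert.issuer)  # subordinate CA's own certificate
        if cert is None:
            return False, "issuer is neither a trusted root nor a known subordinate CA"
    return False, "chain too long"


def needs_renewal(cert: Certificate, now: datetime, window: timedelta = timedelta(days=30)) -> bool:
    """Renewal reminder: true once the certificate expires within the window (assumed 30 days)."""
    return now + window >= cert.not_after


if __name__ == "__main__":
    now = datetime(2004, 3, 1, tzinfo=timezone.utc)  # constructed date
    root = CertificationAuthority("Corp Root CA")
    sub = CertificationAuthority("Corp Issuing CA")
    sub_cert = root.issue("Corp Issuing CA", now, timedelta(days=3650))
    user_cert = sub.issue("alice@corp.example", now, timedelta(days=365))
    certs = {sub_cert.subject: sub_cert}
    crls = {ca.name: ca.publish_crl(now) for ca in (root, sub)}
    print(validate_chain(user_cert, certs, crls, {"Corp Root CA"}, now))
    sub.revoke(user_cert.serial)                       # administrator revokes ...
    crls[sub.name] = sub.publish_crl(now)              # ... and publishes a new CRL
    print(validate_chain(user_cert, certs, crls, {"Corp Root CA"}, now))
```

Two design points worth noting: a CRL past its next_update is treated as a failure rather than as "no revocations known", because a client that keeps trusting an old list would miss exactly the revocations the administrator published after it; and the chain walk checks the subordinate CA's own certificate against the root's CRL, so revoking a subordinate CA invalidates everything it issued.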
Activity 9-6 Revoking a Certificate
- The purpose of this activity is to revoke a certificate and publish a new CRL
Importing and Exporting Certificates
- If you want to move or copy certificates from one computer to another, you can choose from these standard formats
  - DER encoded binary X.509
  - Base-64 encoded X.509
  - Cryptographic Message Standard
  - Personal Information Exchange
Activity 9-7 Moving a Certificate
- The purpose of this activity is to move a user certificate from one computer to another
Smart Card Authentication
- Smart cards are the strongest form of authentication supported by Windows Server 2003
- Users are required to have the device (the smart card) and enter a personal identification number (PIN)
- When smart cards are implemented, users are issued a physical card that contains a certificate
- The PIN decrypts the certificate stored on the card
Preparing the Certification Authority to Issue Smart Card Certificates
- Two types of certificates are required to implement smart card authentication
  - One type is placed on the smart card for authentication
  - The second type is an enrollment agent certificate
Preparing a Smart Card Certificate Enrollment Station
- A smart card certificate enrollment station is a computer that is used to configure smart cards
- It must have a properly configured smart card reader
- A smart card reader is a device that smart cards are inserted into to read their contents
Configuring a Smart Card for User Logon
- An enrollment agent configures smart cards for users through the Certificate Services Web pages on a CA
- Select the following
  - Template that will be used to create the certificate
  - CA that will issue the certificate
  - Cryptographic service provider of the smart card
  - Enrollment agent certificate that will sign the request
  - The user the certificate is for
Configuring a Smart Card for User Logon (continued)
- To create the smart card, click the Enroll button and place the smart card in the smart card reader
- Enter the PIN to be used on the smart card
- If a certificate already exists on the smart card, you are prompted to overwrite it
Mapping the Smart Card Certificate to a User Account
- There are three ways to map certificates to user accounts
  - One-to-one mapping
  - Many-to-one mapping (subject)
  - Many-to-one mapping (CA)
Attaching a Smart Card Reader to the Client Workstation
- Each computer using smart cards must have a smart card reader
- Many computers have these available as an option
- Also commonly available as USB devices
Summary
- Encryption makes data unreadable
- Decryption is the reverse of encryption
- Cryptography can ensure or perform confidentiality, integrity, nonrepudiation, and authentication
- Types of encryption include
  - Symmetric
  - Asymmetric
  - Hash
Summary (continued)
- Certificate Services is the Microsoft implementation of a certification authority for PKI
- Enterprise certification authorities integrate with Active Directory
- A stand-alone CA does not integrate with Active Directory
- The Certificate Request Wizard, the Certificate Services Web pages, and autoenrollment can be used to issue certificates
- Smart cards are the most secure form of authentication