Professional Documents
Culture Documents
Security Infrastructure Services: Lesson 9
Security Infrastructure Services: Lesson 9
Lesson 9
Skills Matrix
Technology Skill
Objective Domain
Objective #
Using Certificates
Plan infrastructure
services server roles
1.3
Securing Remote
Access
3.3
Remote Access
Windows Server 2008 provides
remote access capabilities, as part of
its Network Policy and Access
Services role, which enable users to
connect to the network using dial-up
or virtual private network (VPN)
connections.
Dial-Up Connections
To use dial-up connections, you must equip
your Windows Server 2008 computer with at
least one modem and telephone line.
For a single-user connection, as for an
administrator dialing in from home, a
standard off-the-shelf modem is suitable.
For multiple connections, there are modular
rack-mount modems available that enable
you to connect dozens of users at once, if
necessary.
In the real world, however, hardware and
telephone costs and the near-ubiquity of highspeed Internet connections have caused dialup remote connections to be almost entirely
VPN Protocols
The VPN protocols that Windows
Server 2008 supports are as follows:
Point-to-Point Tunneling Protocol
(PPTP)
Layer 2 Tunneling Protocol (L2TP)
Secure Socket Tunneling Protocol
(SSTP)
Unauthenticated Access
Windows Server 2008 also supports
unauthenticated access, in which the
systems use no authentication
protocol at all, and the client does
not have to supply a user name or
password.
Obviously, no authentication is the
weakest form of authentication
available, and should be used only
when there is some other security
mechanism in place or when the
administrator wants to allow anyone
Certificate Functions
Digital signature.
Encrypting File System (EFS).
Internet authentication.
IP Security (IPsec).
Secure email.
Smart card logon.
Software code signing.
Wireless network authentication.
Enterprise CA
Enterprise CAs are integrated into the
Windows Server 2008 Active Directory
environment.
They use certificate templates, publish
their certificates and CRLs to Active
Directory, and use the information in
Active Directory to approve or deny
certificate enrollment requests
automatically.
Because the clients of an enterprise CA
must have access to Active Directory to
receive certificates, enterprise CAs are not
Standalone CA
Standalone CAs do not use certificate
templates or Active Directory.
They store their information locally. In
addition, by default, standalone CAs do
not automatically respond to certificate
enrollment requests, as is the case with
enterprise CAs.
Requests wait in a queue for an
administrator to manually approve or deny
them.
Standalone CAs are intended for situations
in which users outside the enterprise
submit requests for certificates.
Certificate Revocation
A certificate has a specified lifetime, but CAs can
reduce this lifetime by a process known as
certificate revocation.
Every CA publishes a certificate revocation list
(CRL) that lists the serial numbers of certificates
that it considers to be no longer valid.
The specified lifetime of CRLs is typically much
shorter than that of a certificate.
The CA might also include in the CRL a code
specifying the reason the certificate has been
revoked. A revocation might occur because a
private key has been compromised, because a
certificate has been superseded, or because an
employee has left the company.
The CRL also includes the date the certificate was
Enterprise Subordinate CA
The only difference in the installation
procedure for an enterprise
subordinate CA is the inclusion of a
Request Certificate from a Parent CA
page in the Add Roles Wizard in place
of the Set Validity Period page.
CA Hierarchy
While even a single CA constitutes a PKI, it is
common for organizations to use multiple CAs,
arranged in a hierarchy, much like Active
Directory forests.
In a hierarchical CA structure, there is a single
root CA at the top, and one or more subordinate
CAs beneath it.
The root CA provides certificates to the
subordinate CAs, which in turn can generate
certificates for additional subordinate CAs or for
end users.
In an Active Directory hierarchy, domains in the
same tree automatically trust each other. In a
CA hierarchy, trust chaining enables clients
that trust the root CA to also trust certificates
Simple CA Hierarchy
CA Hierarchy
Some larger organizations may have two
distinct types of subordinate CAs, as
follows:
Intermediate CAs Intermediate CAs do
not issue certificates to end users or
computers; they issue certificates only to
other subordinate CAs below them in the
certification hierarchy. Intermediate CAs
are not required, but using them enables
you to take your root CA offline, which
greatly increases its security.
Issuing Cas Issuing CAs provide
certificates to end users and computers.
Root and intermediate CAs are capable of
CA Hierarchy
Certificate Templates
Enterprise CAs might have to issue
thousands of certificates to users and
computers.
If administrators had to provide the
configuration settings for each certificate
manually, they could easily spend all of
their time issuing certificates and would
probably make a large number of mistakes
in the process.
Fortunately, administrators can use
certificate templates to simplify the
process of creating certificates and ensure
Certificate Templates
Sets of rules and settings that define
the format and content of a
certificate based on the certificates
intended use.
Provide the client with instructions on
how to create and submit a valid
certificate request.
Define which security principals are
allowed to read, enroll for, or
autoenroll for certificates based on
Certificate Templates
Windows Server 2008 includes a large collection
of predefined certificate templates, supporting a
variety of functions and applications.
You can also customize each template for a
specific use or create your own templates to suit
the needs of your organization.
Only enterprise CAs can issue certificates based
on certificate templates; standalone CAs cannot.
When an administrator defines a certificate
template, the definition must be available to all
CAs in the forest.
To make the definition available, administrators
publish the template in Active Directory and let
the Active Directory replication engine propagate
the template throughout the enterprise.
Autoenrollment
Applications automatically issue a
certificate enrollment request and
send it to the CA.
The CA then evaluates the request
and issues or denies a certificate.
When everything works properly, the
entire process is invisible to the end
user.
Web Enrollment
When you install Active Directory
Certificate Services with the
Certification Authority Web
Enrollment role service, the setup
wizard creates a Web site that clients
can use to request certificates from
the CA.
Although standalone CAs are more
likely to use Web enrollment,
enterprise CAs support it as well.
Certificates Snap-In
The Certificates snap-in for MMC
enables users to manually request
certificates, as well as view the
certificates they already possess.
Revoking Certificates
Administrators might occasionally
need to revoke a certificate because
a user has left the organization,
because they have decommissioned
a computer, or because a private key
has been compromised.
There are two ways to revoke
certificates:
By using the Certification Authority
snap-in.
Summary
Windows Server 2008 provides
remote access capabilities as part of
its Network Policy and Access
Services role, which enable users to
connect to the network using dial-up
or virtual private network (VPN)
connections.
A dial-up connection is a dedicated
link between the two modems that
remains in place during the entire
session.
Summary
The Remote Access client and the
server establish a Point-to-Point
Protocol (PPP) connection, during
which the server authenticates the
client and the computers negotiate a
set of communication parameters
they have in common.
Summary
In a virtual private network (VPN)
connection, the remote client and the
remote access server are both
connected to the Internet, using local
service providers.
The client establishes a connection
to the server using the Internet as a
network medium and, after
authentication, the server grants the
client access to the network.
Summary
In the tunneling process, the two
computers establish a PPP
connection just as they would in a
dial-up connection, but instead of
transmitting the PPP packets over
the Internet as they are, they
encapsulate the packets again by
using one of the three VPN protocols
supported by Windows Server 2008.
Summary
Remote Access in Windows Server
2008 uses an authentication system
that is entirely separate from the
Kerberos authentication system that
clients on the local network use.
Summary
A digital certificate is a digitally
signed document issued by a third
party, called a certification authority
(CA), that binds a user, computer, or
service holding a private key with its
corresponding public key.
Summary
When both parties involved in a
transaction trust the CA to properly
authenticate users before handing
out certificates and believe that the
CA protects the privacy of its
certificates and keys, then they can
both trust in the identity of the
certificate holder.
Windows Server 2008 supports two
basic types of CAs: enterprise CAs
and standalone CAs.
Summary
You can configure each enterprise or
standalone CA to function as either a
root CA or a subordinate CA.
The first CA you install in your
organization must always be a root
CA. A root CA is the parent that
issues certificates to the subordinate
CAs beneath it.
If a client trusts the root CA, it must
also trust all the subordinate CAs
that have been issued certificates by
Summary
While a CA hierarchy can have just
two levels, larger organizations might
have three or more levels.
When this is the case, there are two
distinct types of subordinate CAs:
intermediate CAs and issuing CAs.
Summary
Certificate enrollment is the process
by which a client requests a
certificate and a CA generates one.
Active Directory Certificate Services
supports several certificate
enrollment methods.
A clients choice of enrollment
method for obtaining certificates is
typically dictated by the type of CA
the client is requesting the certificate
from and whether the client and CA
Summary
Applications discover that a
certificate has been revoked by
retrieving the certificate revocation
list (CRL) from the CA.
There are two kinds of CRLs: full
CRLs, which contain a complete list
of all of a CAs revoked certificates,
and delta CRLs.
Delta CRLs are shorter lists of
certificates that have been revoked
since the last full CRL was published.