Maintaining Network Health Lesson 10

Skills Matrix Understanding the Components of NAP Technology Skill Objective Domain Objective # Understanding the Components of NAP Configure Network Access Protection (NAP) 3.2

Public Key Infrastructure Public key infrastructure (PKI) consists of a number of elements that allow two parties to communicate securely, without any previous communication, through the use of a mathematical algorithm called public key cryptography. Public key cryptography, as the name implies, stores a piece of information called a public key for each user, computer, and so on that is participating in a PKI.

Public Key Infrastructure Each user, computer, and so on also possesses a private key, a piece of information that is known only to the individual user or computer. By combining the well-known and easily obtainable public key with the hidden and well-secured private key, one entity (you, for example) can communicate with another entity (a secured Web site, for example) in a secure fashion without exchanging any sort of shared secret key beforehand. A shared secret key is a secret piece of information that is shared between two parties prior to being able to communicate securely.

Certificate Authority (CA) A Certificate Authority (CA) is an entity, such as a Windows Server 2008 server running the AD CS server role, that issues and manages digital certificates for use in a PKI. CAs are hierarchical, which means that many subordinate CAs within an organization can chain upwards to a single root CA that is authoritative for all Certificate Services within a given network. Many organizations use a three-tier hierarchy, where a single root CA issues certificates to a number of intermediate CAs, allowing the intermediate CAs to issue certificates to users or computers.

Sometimes just called a certificate. Digital Certificate Sometimes just called a certificate. This digital document contains identifying information about a particular user, computer, service, and so on. The digital certificate contains the certificate holder’s name and public key, the digital signature of the Certificate Authority that issued the certificate, as well as the certificate’s expiration date. Emphasize the public/private key concept and when the public key is accessed by a user to read a message. Then emphasize that the digital certificate that can be retrieved from a CA holds the public key.

Digital Signature This electronic signature (created by a mathematical equation) proves the identity of the entity that has signed a particular document. Like a personal signature on a paper document, when an entity signs a document electronically it certifies that the document originated from the person or entity in question. In cases where a digital signature is used to sign something like an email message, a digital signature also indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox. Signatures prove who they come from.

Certificate Practice Statement and Certificate Revocation List Certificate Practice Statement (CPS) Provides a detailed explanation of how a particular CA manages certificates and keys. Certificate Revocation List (CRL) This list identifies certificates that have been revoked or terminated, as well as the corresponding user, computer, or service. Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date.

Certificate Templates Templates used by a CA to simplify the administration and issuance of digital certificates. This is similar to how templates can be used in other applications, such as office productivity suites, or when creating objects within Active Directory.

Self-Enrollment and Enrollment Agents As the name suggests, this feature enables users to request their own PKI certificates, typically through a Web browser. Enrollment agents These are used to request certificates on behalf of a user, computer, or service if self-enrollment is not practical or is otherwise an undesirable solution for reasons of security, auditing, and so on. An enrollment agent typically consists of a dedicated workstation that is used to install certificates onto smart cards, thus preconfiguring a smart card for each person’s use.

Autoenrollment This PKI feature supported by Windows Server 2003 and later allows users and computers to automatically enroll for certificates based on one or more certificate templates, as well as using Group Policy settings in Active Directory. Because this feature is only supported in Windows Server 2003 or later, certificate templates that are based on Windows 2000 will not allow autoenrollment to maintain backwards compatibility.

Recovery Agent These agents are configured within a CA to allow one or more users (typically administrators) to recover private keys for users, computers, or services if their keys are lost. For example, if a user’s hard drive crashes and the user has not backed up the private key, any information that the user has encrypted using the certificate will be inaccessible until a recovery agent retrieves the user’s private key.

Key Archival This is the process by which private keys are maintained by the CA for retrieval by a recovery agent, if at all. Most commercial CAs do not allow key archival; if a customer loses a private key and has not taken a backup, the user needs to purchase a new certificate. In a Windows PKI implementation, users’ private keys can be stored within Active Directory to simplify and automate both the enrollment and retrieval processes.

Windows Server 2008 and Certificate Services Within Windows Server 2008, the Active Directory Certificate Services server role consists of the following services and features: Web enrollment. Online Responder. Online Certificate Status Protocol (OCSP).

Web Enrollment This feature allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List.

Online Responder This service responds to requests from clients concerning the revocation status of a particular certificate, sending back a digitally signed response indicating the certificate’s current status. The Online Responder uses the Online Certificate Status Protocol (OCSP) to return certificate status information to the requester. This protocol is used to respond to queries from clients who have requested data about the status of a PKI certificate that has been issued by a particular CA.

Network Device Enrollment Services (NDES) This service allows devices, such as hardware-based routers and other network devices and appliances, to enroll for certificates within a Windows Server 2008 PKI that might not otherwise be able to do so. This service enrolls these devices for PKI certificates using the Simple Certificate Enrollment Protocol (SCEP), a network protocol that allows network devices to enroll for PKI certificates.

When deploying a Windows-based PKI, two types of CAs can be deployed: Standalone CA. Enterprise CA.

A standalone CA is not integrated with Active Directory. It requires administrator intervention to respond to certificate requests. You can use a standalone CA as both a root and a subordinate CA in any PKI infrastructure.

An enterprise CA integrates with an Active Directory domain. It can use certificate templates to allow autoenrollment of digital certificates, as well as store the certificates themselves within the Active Directory database. You can use an enterprise CA as both a root and a subordinate CA in any PKI infrastructure.

Selecting the CA Setup Type

Revocation Configuration In Windows Server 2008, you can configure one or more Online Responders to make revocation information available for one or more CAs. To enable this, each individual CA must be configured with its own revocation configuration so that Online Responders can provide the correct information to clients using the OCSP. The Online Responder can be installed on any server running Windows Server 2008 Enterprise or Datacenter editions, while the certificate revocation information can come from any 2003, 2008, or even non-Microsoft CAs.

Adding a Revocation Configuration

Selecting an OCSP Signing Certificate

Managing Certificate Enrollments Using a Windows Server 2008 CA, you can manage certificate enrollment in a number of ways depending on the needs of your organization.

Managing Certificate Enrollments In a Windows Server 2008 Active Directory environment, you can automate the distribution of PKI certificates using any combination of the following features: Certificate templates can be used to automate the deployment of PKI certificates by controlling the security settings associated with each template. Group Policy can be used to establish autoenrollment settings for an Active Directory domain (User Configuration\Windows Settings\Security Settings\Public Key Policies or Computer Configuration\Windows Settings\Security Settings\Public Key Policies nodes).

Making Certificate Enrollments In a non-Active Directory environment, clients can enroll manually for certificates using either of the following: The Certificate Request Wizard allows a user to manually create a certificate request file using the Certificates MMC snap-in. This wizard creates a request file that can be used by the Certification Authority MMC to generate a certificate based on the request. Certification Authority Web Enrollment allows users to manually request certificates using a Web interface, located by default at https://<CA Name/certsrv on a CA that is running the Certification Authority Web Enrollment role service.

Key Archival and Recovery One of the challenges of managing PKI certificates in an enterprise environment is users losing the private keys associated with their certificates. This risk can be alleviated in an Active Directory environment by the use of key archival on one or more CAs, which will store an escrow copy of each certificate's private key on the CA in case it needs to be restored for any reason. This escrow copy of a private key can be restored by one or more key recovery agents, user accounts that are configured with a Key Recovery Agent certificate that allows them to perform this sensitive task.

Maintaining a Windows Server 2008 CA In Windows Server 2008, you can assign users to one or more of the following predefined security roles within Certificate Services: CA Administrator. Certificate Managers. Backup Operators. Auditors.

Network Access Protection One of the greatest challenges faced by administrators in securing corporate networks is in protecting corporate networks from “unhealthy” computers on the network. Network Access Protection is a solution that controls access to corporate network resources based on the identity of the computer attempting to connect to the resource, as well as the connecting computer’s compliance with corporate policies and standards such as software update levels, Windows Firewall configurations, and the like.

Network Access Protection Network Access Protection includes a number of built-in enforcement methods, which define the mechanisms that NAP can use: DHCP enforcement. Internet Protocol Security (IPSec) enforcement. VPN enforcement. 802.1X enforcement. Terminal Services Gateway (TS Gateway) enforcement.

DHCP Enforcement This enforcement method uses DHCP configuration information to ensure that NAP clients remain in compliance If a NAP client is out of compliance, NAP will instruct the DHCP server to provide a DHCP configuration to the client that will limit its network access until the compliance issue is resolved.

Internet Protocol Security (IPSec) Enforcement This enforcement method uses IPSec that has been secured by specially configured PKI certificates known as health certificates, which are issued to clients that meet defined compliance standards. If clients cannot provide the necessary health certificate, they will not be able to participate in IPSec-secured traffic.

VPN enforcement This enforcement method restricts the level of network access that a remote access client can obtain, based on the health information that the clients presents when the VPN connection is made. For example, you may define a NAP policy in which corporate laptops receive full network access upon creating a VPN connection, whereas clients connecting to VPN using their home computers will receive access only to a limited subset of corporate resources.

802.1X enforcement This enforcement method uses 802.1X-aware network access points, such as network switches or wireless access points, to restrict network access of noncompliant resources.

Terminal Services Gateway (TS Gateway) enforcement This enforcement method integrates with new Terminal Services functionality that is built into Windows Server 2008 that allows authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device. NAP can restrict connection attempts by TS Gateway clients just as with other enforcement methods.

The overall architecture of NAP involves the following components: Components of NAP The overall architecture of NAP involves the following components: NAP client-side components. NAP Enforcement Client (EC) components: One or more System Health Agents (SHSs) Client side API for both the enforcment Client and System Health Agent components. The NAP Agent

Components of NAP NAP server-side components. NAP Enforcement Server (ES). One or more System Health Validators (SHVs). A NAP Health policy server. NAP administration server. NPS service. Health requirement servers. Remediation servers (optional).

Getting Started Screen for Installing NPS

Selecting the Network Connection Method

Define NAP Health Policy

Defining Windows Server Health Validator Policy

Summary The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft's larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing a Windows Public Key Infrastructure( PKI) for authentication and authorization of users and devices.

Summary A PKI allows two parties to communicate securely without ever having communicated with one another before in any previous communication through the use of a mathematical algorithm called public key cryptography.

Summary PKI certificates are managed through Certificate Authorities that are hierarchical, which means that you can have many subordinate CAs within an organization that chain upward to a single root CA. A Certificate Revocation List (CRL) identifies certificates that have been revoked or terminated.

Summary Web enrollment allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List. The Network Device Enrollment Service (NDES) allows network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

Summary When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs. A standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.

Summary An enterprise CA integrates with Active Directory. It can use certificate templates as well as Group Policy Objects to allow for auto-enrollment of digital certificates, as well as store digital certificates within the Active Directory database for easy retrieval by users and devices.

Summary Network Access Protection (NAP) is a policy enforcement mechanism that is used to allow or reject access to Windows network resources on the basis of policy decisions, such as whether the Windows Firewall is turned on or if anti-virus signatures are up to date.

Summary NAP can be configured with one of four built-in enforcement mechanisms: DHCP, 802.1X, IPSec, and VPN. The NAP client includes one or more System Health Agents (SHAs), which map to System Health Validators (SHVs) within the NAP server architecture.