Windows Vista And Longhorn Server PKI Enhancements
Avi Ben-Menahem, Lead Program Manager, Windows Security, Microsoft Corporation

Agenda
  Microsoft and X.509 PKI
  Credential Management Services drilldown
  Futures – Advanced Cryptography Support

Microsoft And X.509 PKI: The road ahead
  Enabling primary end-to-end PKI application scenarios
    S/MIME, secure wireless networks, VPN, IPsec, EFS, smart card logon, SSL/TLS, and digital signatures
  Enhancing credential lifecycle management
    New certificate enrollment API and UI
  Enhancing manageability and deployment of Certificate Services
  Enabling revocation across all applications

Credential Management Services (architecture diagram)
  Client credential management: Credential Roaming, Auto Enrollment, Advanced Enrollment, Smart Card Subsystem
  Server role (Certificate Services): Online Revocation Services, Online Revocation Services Web Proxy, Web Enrollment Services, Network Device Enrollment Services

Advanced Enrollment: Retiring the XEnroll and ScrdEnrl controls
  The last version of XEnroll exposes the ICEnroll4 and IEnroll4 interfaces
    Monolithic interfaces that are difficult to use
    High cost of maintenance: for Microsoft to support XEnroll, and for customers and third-party CAs if and when XEnroll is updated
  ScrdEnrl exposes the IScrdEnr interface and builds on XEnroll
    Primarily used on the client for "Enroll on Behalf of" functionality

Advanced Enrollment: COM classes for PKI operations
  Well-defined class hierarchy that includes interfaces to create and manage
    Enrollments against a Microsoft CA (server interfaces and protocols remain the same)
    Certificate requests (PKCS#10, PKCS#7, and CMC)
    Public/private keys
    Certificate extensions, attributes, and properties
  A subset of the functionality can be scripted from a web page
  Integrated UI
  Developer friendly: easy to understand and code against

Auto Enrollment
  Re-architected for attack surface reduction and overall operating system performance enhancement
  WMI job based design
  Improved usability for offline scenarios
  Expiry notifications

Auto Enrollment: Expiry notification (screenshot slide)

Credential Roaming: Pain points in deploying PKI-based solutions
  Certificates and private keys are bound to a machine
    For a given purpose (e.g. S/MIME), users have different sets of certificates and private keys on each machine
    CA management overhead
  Current options
    Smart cards
    Roaming user profiles

Credential Roaming: Solution
  Credential Roaming Services deliver all credentials to the user's machine using Active Directory replication
  This helps applications such as secure client authentication
  Enhanced usability for smart card deployments

Credential Roaming: Availability
  Server-side components
    Windows 2000 Server SP3+
    Windows Server 2003
    Windows Server 2003 SP1 (recommended)
    Longhorn Server (recommended)
  Client-side components
    Windows Server 2003 SP1
    Longhorn client/server
    Windows XP SP3/OOB (future prediction)

Smart Card Subsystem
  Simplified software development
    Common crypto operations handled in the platform
    API for card manufacturers
  Enhanced user experience
    Planned certification and testing program for smart card middleware on Windows Update
    PnP support for smart cards
  Enhanced smart card logon scenarios
    Root certificate propagation
    Integrated smart card unblock

Certificate Services
  Enabling delegated enrollment agent functionality
  Integrating Network Device Enrollment Service (SCEP) into native setup
  Manageability: improved administrative user experience with basic functionality enhancements
  Standards: updates and enhancements to conform to critical IETF and government protocol standards

Online Responder Services (architecture diagram)
  Components shown: OCSP client (CAPI2), Web Proxy, Online Responder, Online Responder Management; transports labelled HTTP and DCOM; revocation data sources labelled CRL, MSFT CA, Other
  RFC 2560 compliant
  Focus on performance, scalability, and manageability
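A check a practitioner wants once revocation is meant to work "across all applications" is whether a given certificate's status is actually determined, rather than quietly skipped when the responder or CRL is unreachable. The script below is an added example, not material from the presentation or Microsoft sample code: it drives the Windows chain engine (CAPI2, the same component the Vista OCSP client plugs into) through .NET's X509Chain and reports revoked versus undetermined separately. It assumes the certificate path is a placeholder and that the machine can reach the OCSP/CRL URLs in the certificate's AIA and CDP extensions (or has cached responses).

```powershell
# Added example (not from the presentation): revocation check via the CAPI2
# chain engine, distinguishing "revoked" from "status could not be determined".
# Assumptions: $Path is a placeholder; AIA/CDP URLs in the certificate are
# reachable from this machine, or a cached OCSP response / CRL is present.

function Test-CertRevocation {
    param(
        [Parameter(Mandatory = $true)][string]$Path,            # placeholder: DER or PEM certificate file
        [ValidateSet("Online", "Offline")][string]$Mode = "Online"  # Online fetches OCSP/CRL; Offline uses cache only
    )

    $ns    = "System.Security.Cryptography.X509Certificates"
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    $chain = New-Object "$ns.X509Chain"

    # PowerShell converts the string to the X509RevocationMode enum on assignment.
    $chain.ChainPolicy.RevocationMode = $Mode
    # Check every certificate except the self-signed root (a root cannot revoke itself).
    $chain.ChainPolicy.RevocationFlag = "ExcludeRoot"
    # Bound the time spent fetching OCSP responses / CRLs so a dead responder is visible, not a hang.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built  = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $chain.Reset()

    # A client that treats RevocationStatusUnknown / OfflineRevocation as success fails open;
    # surface those flags explicitly instead of folding them into a single "valid" bit.
    $revoked   = $status -contains "Revoked"
    $undecided = ($status -contains "RevocationStatusUnknown") -or ($status -contains "OfflineRevocation")

    [pscustomobject]@{
        Subject         = $cert.Subject
        ChainBuilt      = $built
        Revoked         = $revoked
        RevocationKnown = -not $undecided
        StatusFlags     = ($status | ForEach-Object { $_.ToString() }) -join ", "
    }
}

# Usage (placeholder path):
# Test-CertRevocation -Path "C:\certs\user.cer" | Format-List
```

For the same certificate, `certutil -verify -urlfetch C:\certs\user.cer` walks the chain from the command line and prints each AIA, CDP and OCSP URL it retrieved along with the verdict, which is the quickest way to see whether the Online Responder or a CRL actually answered; RevocationKnown being false from the function above is the condition to alert on in a deployment that relies on OCSP.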

Advanced Cryptography Support: CNG, the open cryptographic interface for Windows
  CNG lets the customer plug in kernel or user mode implementations of
    Proprietary cryptographic algorithms
    Replacements for standard cryptographic algorithms
    Key Storage Providers (KSP)
  Enables cryptography configuration at enterprise and machine levels
  CNG meets Common Criteria and FIPS requirements for strong isolation and auditing

Advanced Cryptography Support: Credential Management support
  Certificate Server will support CNG for
    Issuing ECC certificates (ECDSA, ECDH) on the P-256, P-384 and P-521 curves
    Hashes: SHA-2 (256, 384, 512)
  Enrollment API will support CNG, using the new provider model for requesting ECC based certificates
  Smart Card subsystem will support dual cards
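The two threads of the deck that matter most to someone writing enrollment code are the COM class hierarchy that replaces XEnroll (the Advanced Enrollment slides) and the CNG provider model that lets a request carry an ECC key and a SHA-2 signature (this slide). The script below is an added example, not code from the presentation or from Microsoft, that ties them together: it generates an ECDSA P-256 key in the CNG software Key Storage Provider, builds a PKCS#10 request with the `X509Enrollment.*` COM classes, signs it with SHA-256, and writes it out for submission. It assumes Windows Vista / Server 2008 or later, a user-context key, a placeholder subject name and output path, and no certificate template (the template name argument is left empty).

```powershell
# Added example (not from the presentation): PKCS#10 request through the
# CertEnroll COM classes with a CNG-generated ECDSA key and SHA-256 signature.
# Assumptions: Vista/2008 or later; subject and output path are placeholders;
# no template is named, so the CA must accept a template-less request or the
# request is submitted later with a template attribute.

function New-EccPkcs10Request {
    param(
        [string]$SubjectName = "CN=example-user, O=Example Org",          # placeholder subject
        [string]$OutFile     = (Join-Path $env:TEMP "ecdsa-p256.req"),      # placeholder output path
        [ValidateSet("ECDSA_P256", "ECDSA_P384", "ECDSA_P521")][string]$Curve = "ECDSA_P256"
    )

    # 1. Private key in the CNG software KSP.
    #    InitializeFromAlgorithmName(GroupId, PublicKeyFlags, AlgorithmFlags, Name);
    #    group id 3 = public-key algorithm OIDs, flags 0 = any.
    $alg = New-Object -ComObject X509Enrollment.CObjectId
    $alg.InitializeFromAlgorithmName(3, 0, 0, $Curve)

    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = "Microsoft Software Key Storage Provider"
    $key.Algorithm      = $alg
    $key.MachineContext = $false   # user key store, matching the user enrollment context below
    $key.ExportPolicy   = 0        # XCN_NCRYPT_ALLOW_EXPORT_NONE: the private key never leaves the KSP
    $key.Create()

    # 2. PKCS#10 request bound to that key. Context 1 = ContextUser; "" = no template.
    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeFromPrivateKey(1, $key, "")

    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($SubjectName, 0)    # 0 = XCN_CERT_NAME_STR_NONE
    $req.Subject = $dn

    # Sign the request with SHA-256 (group id 1 = hash algorithm OIDs) rather than the SHA-1 default.
    $hash = New-Object -ComObject X509Enrollment.CObjectId
    $hash.InitializeFromAlgorithmName(1, 0, 0, "SHA256")
    $req.HashAlgorithm = $hash

    # Key Usage extension limited to digital signature (0x80 = XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE),
    # which is all an ECDSA key can do.
    $ku = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
    $ku.InitializeEncode(0x80)
    $req.X509Extensions.Add($ku)

    # 3. Wrap the request in an enrollment object and emit it with a PEM-style header
    #    (0 = XCN_CRYPT_STRING_BASE64HEADER).
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    $pem = $enroll.CreateRequest(0)
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii
    return $OutFile
}

# Usage (writes the request to the placeholder path and returns it):
# $file = New-EccPkcs10Request -Curve "ECDSA_P256"
```

Before submitting the file to a CA, `certutil -dump <file>` shows that the public key algorithm is ECC P-256 and the signature hash is SHA-256, which is the point at which a CA without CNG support (the pre-Longhorn case the slide contrasts with) would reject the request. Note that `Create()` persists the key in the user's KSP even if the request is never submitted; `certutil -key -user` lists such keys, and `$key.Delete()` removes one you abandon.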

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.