70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.


Slide 2: Objectives
- Describe the types of cryptography
- Understand how cryptography is used for encryption and digital signatures
- Understand the components of Certificate Services
- Install and manage Certificate Services
- Manage certificates
- Implement smart card authentication

Slide 3: Cryptography
- Cryptography: encrypting and decrypting data to ensure it is read only by the intended recipient
- Encrypted messages are unreadable
- Decryption
  - Reverse of encryption
  - Makes the data readable again

Slide 4: Cryptography (continued)
- Four objectives of cryptography
  - Confidentiality
  - Integrity
  - Nonrepudiation
  - Authentication

Slide 5: Cryptography (continued)
- Cryptography uses keys:
  - A large number (a series of numbers, letters, and symbols)
  - Large and difficult to guess
  - Used with an algorithm to encrypt and decrypt data
- Three types of encryption
  - Symmetric
  - Asymmetric
  - Hash

Slide 6: Symmetric Encryption
- Uses a single key
- A computer can symmetrically encrypt large amounts of data quickly
- Used when encrypting files and large amounts of data across network transmissions

Slide 7: Asymmetric Encryption
- Uses two keys: a public key and a private key
- Anything encrypted with the public key can be decrypted with the private key, and vice versa

Slide 8: Hash Encryption
- Hash encryption is unique because it is one-way
- A hash algorithm uses a single key to convert data to a hash value
- The hash value is a summary of the data
- The purpose of a hash value is to be a unique identifier, not to secure data

Slide 9: Uses for Cryptography
- Three common tasks that use different types of encryption are:
  - Encrypting
  - Ensuring data integrity with digital signatures
  - Securing data communication with Secure Sockets Layer (SSL)

Slide 10: Encrypting
- Encrypting ensures that a message in transit cannot be read by unauthorized people
- Uses the public and private keys of the recipient:
  - Sender creates an e-mail message; the e-mail software encrypts it using the recipient's public key
  - Recipient's public key may be published in a directory or given to the sender via e-mail before encryption
  - Encrypted message is then sent to the recipient
  - Recipient's software decrypts the message using the recipient's private key

Slide 11: Encrypting (continued)

Slide 12: Digital Signatures
- A digital signature is a hash value that is encrypted and attached to a message
- Ensures that a message has not been modified in transit and that it truly came from the named sender
- This is important when electronically delivering information such as contracts and agreements
- The public and private keys of the sender are used for a digital signature
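The two flows on slides 10 and 12 carried out end to end, as an added Go example that is not part of the original slides: a message is encrypted for the recipient with the recipient's public key, and a digital signature is made by hashing the message and signing the digest with the sender's private key. The participants alice and bob, the sample message, and the choice of RSA with SHA-256 are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one participant: the private key never leaves its owner, while the
// public key is what the other side obtains (from a directory, or sent ahead by e-mail).
type Party struct{ priv *rsa.PrivateKey }

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Encrypt is the slide-10 flow: the sender encrypts with the RECIPIENT's public key,
// so only the holder of the matching private key can read the message.
func Encrypt(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt runs on the recipient's side with its own private key.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// Sign is the slide-12 flow: hash the message, then sign the hash with the
// SENDER's private key; the result travels alongside the message.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, digest[:])
}

// Verify recomputes the hash and checks the signature with the sender's public key;
// any change to the message, or a signature made with another key, fails.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	alice, _ := NewParty() // sender (assumed name)
	bob, _ := NewParty()   // recipient (assumed name)
	msg := []byte("Contract: deliver 100 units by Friday") // constructed sample message
	ct, _ := Encrypt(bob.Public(), msg)
	sig, _ := alice.Sign(msg)
	pt, _ := bob.Decrypt(ct)
	fmt.Printf("decrypted: %q, signature valid: %v\n", pt, Verify(alice.Public(), pt, sig))
	tampered := append([]byte{}, pt...)
	tampered[0] ^= 1 // flip one bit, as if modified in transit
	fmt.Println("tampered copy verifies:", Verify(alice.Public(), tampered, sig))
}
```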

Slide 13: Digital Signatures (continued)

Slide 14: Secure Sockets Layer
- Secure Sockets Layer (SSL) is a Transport Layer protocol that can be used with any application protocol designed to communicate with it
- SSL secures communication between Web servers and Web browsers, clients and servers, and other service combinations
- Servers are the only participants in SSL that must be configured with a public key and a private key

Slide 15: Secure Sockets Layer (continued)

Slide 16: Certificate Services Components
- Certificate Services is the Microsoft implementation of PKI (Public Key Infrastructure)
- PKI creates and manages public keys, private keys, and certificates
- PKI using Certificate Services is composed of:
  - Certificates
  - Certification authority (also known as certificate authority)
  - A Certificate Revocation List (CRL)
  - Certificate-enabled applications

Slide 17: Certificates
- A certificate contains information about a user or computer and a public key
- A certificate defined by the X.509 standard has these fields:
  - Subject (or user name)
  - Serial number
  - Validity period
  - Public key
  - Issuer name
  - Issuer signature

Slide 18: Certification Authority
- A certification authority (CA) is a server that issues certificates to client computers, applications, or users
- The CA is responsible for taking certificate-signing requests from clients and approving them
- As part of the approval process, the identity of the requester is verified

Slide 19: Activity 9-1: Viewing Trusted Root Certification Authorities
- The purpose of this activity is to view the trusted root certification authorities installed by default on Windows Server 2003

Slide 20: Certificate Revocation List
- The certification authority maintains a Certificate Revocation List (CRL), which is a list of certificates issued by the CA that are no longer valid
- The administrator adds certificates to this list
- It is not created automatically
- Each certificate issued by the CA has an expiration date

Slide 21: Certificate-enabled Applications
- Windows client computers can store certificates in a place that can be used by multiple applications
- Many certificate-enabled applications running on Windows use this central Windows store, but other applications store certificates in a private database
- Common applications for certificates include:
  - E-mail clients
  - Web browsers
  - Smart cards

Slide 22: Installing and Managing Certificate Services
- Two classes of CAs
  - Enterprise
  - Stand-alone
- An enterprise CA
  - Integrates with Active Directory
  - Has an expanded feature set
  - Can use certificate templates
  - Certificate creation process is entirely automated

Slide 23: Installing and Managing Certificate Services (continued)
- A stand-alone certification authority:
  - Does not integrate with Active Directory
  - Is unable to issue certificates automatically based on a user object in Active Directory
  - All certificate requests must be manually approved by an administrator
  - Certificate templates cannot be used by a stand-alone certification authority
  - Cannot issue certificates used for smart card authentication

Slide 24: Certificate Hierarchy
- A chain of trust through which client computers and applications are assured that a certificate is valid
- Each CA in the hierarchy is either a root certification authority or a subordinate certification authority
- A subordinate certification authority is certified by another certification authority
- After certification, the subordinate can issue certificates based on the trusted status of the certification authority that certified it

Slide 25: Certificate Hierarchy (continued)

Slide 26: Installing Certificate Services
- When installing a CA you must choose which type:
  - Enterprise root CA
  - Stand-alone root CA
  - Enterprise subordinate CA
  - Stand-alone subordinate CA
- Can configure custom settings for the key pair and CA certificate

Slide 27: Activity 9-2: Installing Certificate Services
- The purpose of this activity is to install Certificate Services and configure your server as an enterprise root certification authority

Slide 28: Back Up and Restore Certificate Services
- Certificate Services is normally backed up as part of the daily backup process on Windows Server 2003
- Certificate Services is included with the backup of system state data
- Can back up and restore just Certificate Services manually using the CA snap-in

Slide 29: Activity 9-3: Backing Up Certificate Services
- The purpose of this activity is to perform a manual backup of Certificate Services

Slide 30: Activity 9-4: Restoring the Certificate Services Database
- The purpose of this activity is to perform a manual restore of Certificate Services

Slide 31: Managing Certificates
- Tasks related to issuing and managing certificates are:
  - Issuing certificates
  - Renewing certificates
  - Revoking certificates
  - Publishing a Certificate Revocation List
  - Importing and exporting certificates
  - Mapping accounts to certificates
- A command-line utility, CERTUTIL, can be used to manage both certificates and Certificate Services

Slide 32: Issuing Certificates
- Certificates can be requested using:
  - Certificate Request Wizard
  - Certificate Services Web pages
  - Autoenrollment
- The Certificate Request Wizard and autoenrollment are available only for enterprise certification authorities
- Certificate Services Web pages can be used by both stand-alone and enterprise certification authorities

Slide 33: The Certificate Request Wizard
- The Certificate Request Wizard is run by users to create certificates
- The types of certificates that can be created are controlled by certificate templates
- The administrator can create, configure, and control access to these templates
- Users can create certificates based on the templates to which they have either read or enroll permissions

Slide 34: Activity 9-5: Requesting a Certificate
- The purpose of this activity is to request a user certificate using the Certificate Request Wizard

Slide 35: Certificate Services Web Pages
- The Certificate Services Web pages can be used to request certificates from both enterprise certification authorities and stand-alone certification authorities
- IIS is required for the Certificate Services Web pages

Slide 36: Autoenrollment
- Autoenrollment issues certificates automatically
- To enable autoenrollment:
  1. Duplicate an existing certificate template using the Certificate Templates snap-in
  2. Select Publish certificate in Active Directory
  3. On the Security tab, add the required users or groups, and assign them the Enroll and Autoenroll permissions
  4. Enable the new certificate template in the CA snap-in
  5. Configure a group policy to enable Enroll certificates automatically

Slide 37: Renewing Certificates
- All certificates are issued with an expiration date
- If a certificate becomes compromised, it is not a security risk for an extended period of time
- If an employee unexpectedly leaves, the employee won't have access to company resources after expiration
- To avoid an interruption in service, a user must renew a certificate before it expires

Slide 38: Revoking Certificates
- When a certificate has been compromised or a user has left the company, you need to revoke it
- This places the certificate on the CRL of the certification authority
- Windows 2000 and newer clients automatically download the CRL from Active Directory
- A CRL has a default lifetime of seven days
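The certificate hierarchy of slide 24 and the CRL handling of slides 20 and 38, as an added Go example that is not the course's or Microsoft's code: a constructed root CA certifies a subordinate CA, the subordinate issues a user certificate, a client validates that certificate's chain against its trusted root, and the subordinate publishes a signed CRL that the client checks before accepting the certificate. The CA names, serial numbers, the user name jdoe, and the use of ECDSA P-256 keys are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate carrying the X.509 fields from slide 17
// (subject, serial number, validity period), certified by parent; a nil parent self-signs (root CA).
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: ca, BasicConstraintsValid: ca}
	if ca { // a CA certificate must be permitted to sign certificates and CRLs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // the constructed inputs above are always valid
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildPKI returns a constructed root CA, the subordinate CA it certified, a user certificate issued by that subordinate, and the subordinate's private key.
func BuildPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	sub, subKey := issue("Example Sub CA", 2, true, root, rootKey)
	leaf, _ := issue("jdoe", 1001, false, sub, subKey)
	return root, sub, leaf, subKey
}

// ChainValid reports whether leaf chains, through the intermediate it was handed, up to a root in the client's trusted store (the store viewed in Activity 9-1).
func ChainValid(leaf, intermediate, trustedRoot *x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(trustedRoot)
	opts.Intermediates.AddCert(intermediate)
	_, err := leaf.Verify(opts)
	return err == nil
}

// PublishCRL has the issuing CA sign a CRL naming the revoked certificate; NextUpdate is seven days out, the default CRL lifetime from slide 38.
func PublishCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked *x509.Certificate) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}}}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// IsRevoked checks the CRL's signature against the issuing CA before trusting its contents, then looks the certificate's serial number up in the list.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	for i := 0; err == nil && i < len(crl.RevokedCertificates); i++ {
		if crl.RevokedCertificates[i].SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, err
}
```

A CRL whose signature does not check out against the issuing CA produces an error rather than a false "not revoked", which is the failure mode a client must avoid.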

Slide 39: Activity 9-6: Revoking a Certificate
- The purpose of this activity is to revoke a certificate and publish a new CRL

Slide 40: Importing and Exporting Certificates
- If you want to move or copy certificates from one computer to another, you can choose from these standard formats:
  - DER encoded binary X.509
  - Base-64 encoded X.509
  - Cryptographic Message Standard
  - Personal Information Exchange

Slide 41: Activity 9-7: Moving a Certificate
- The purpose of this activity is to move a user certificate from one computer to another

Slide 42: Smart Card Authentication
- Smart cards are the strongest form of authentication supported by Windows Server 2003
- Users are required to have the device (the smart card) and to enter a personal identification number (PIN)
- When smart cards are implemented, users are issued a physical card that contains a certificate
- The PIN decrypts the certificate stored on the card

Slide 43: Preparing the Certification Authority to Issue Smart Card Certificates
- Two types of certificates are required to implement smart card authentication:
  - One type is placed on the smart card for authentication
  - The second type is an enrollment agent certificate

Slide 44: Preparing a Smart Card Certificate Enrollment Station
- A smart card certificate enrollment station is a computer that is used to configure smart cards
- It must have a properly configured smart card reader
- A smart card reader is a device into which smart cards are inserted so their contents can be read

Slide 45: Configuring a Smart Card for User Logon
- An enrollment agent configures smart cards for users through the Certificate Services Web pages on a CA
- Select the following:
  - Template that will be used to create the certificate
  - CA that will issue the certificate
  - Cryptographic service provider of the smart card
  - Enrollment agent certificate that will sign the request
  - The user the certificate is for

Slide 46: Configuring a Smart Card for User Logon (continued)
- To create the smart card, click the Enroll button and place the smart card in the smart card reader
- Enter the PIN to be used on the smart card
- If a certificate already exists on the smart card, you are prompted to overwrite it

Slide 47: Mapping the Smart Card Certificate to a User Account
- There are three ways to map certificates to user accounts:
  - One-to-one mapping
  - Many-to-one mapping (subject)
  - Many-to-one mapping (CA)

Slide 48: Attaching a Smart Card Reader to the Client Workstation
- Each computer using smart cards must have a smart card reader
- Many computers have these available as an option
- Also commonly available as USB devices

Slide 49: Summary
- Encryption makes data unreadable
- Decryption is the reverse of encryption
- Cryptography can ensure or perform confidentiality, integrity, nonrepudiation, and authentication
- Types of encryption include:
  - Symmetric
  - Asymmetric
  - Hash

Slide 50: Summary (continued)
- Certificate Services is the Microsoft implementation of a certification authority for PKI
- Enterprise certification authorities integrate with Active Directory
- A stand-alone CA does not integrate with Active Directory
- The Certificate Request Wizard, the Certificate Services Web pages, and autoenrollment can be used to issue certificates
- Smart cards are the most secure form of authentication