Maintaining Network Health
Active Directory Certificate Services
Public Key Infrastructure (PKI)
- Provides assurance that you are communicating with the entity you think you are.
- Allows two parties to communicate through an algorithm known as public key cryptography.
- Each client has a public key and a private key.
- No need for a pre-shared key.
- Combining the two keys allows the parties to communicate securely.
- This is more efficient than a pre-shared key.
PKI Terms
- Certification Authority (CA) – issues and manages digital certificates for the PKI.
- Digital Certificate – digital document that contains information about a particular user, computer, or device. Holds the public key.
- Smart Cards – credit-card-like devices that have a digital certificate installed on them. Used to log into resources.
- Self-enrollment – allows users to request their own certificates.
- Autoenrollment – automatically enrolls for certificates.
- Recovery Agents – used to recover lost certificates.
PKI Terms continued
- Web Enrollment – self-enrollment through a Web browser.
- Online Responder – responds to requests from clients about the status of a specific certificate.
- Standalone CA – not integrated with AD.
- Enterprise CA – integrated with AD; the ideal implementation.
- Installing Certificate Services is a Role we can select.
Managing Certificate Enrollments
- In an AD environment you can automate the distribution of certificates. This is controlled through Group Policy.
- In non-Active Directory environments you must manually enroll for certificates:
  - Use the certificate wizard in the Certificates MMC.
  - Enroll through the Web by typing the server's Web enrollment address in a Web browser.
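Once certificates have been enrolled, an administrator wants to know which ones are still trusted and which are about to need re-enrollment. The script below is an added example, not part of the lesson: it inventories the computer's personal certificate store and builds each certificate's chain with an online revocation check, so a certificate the CA has revoked shows up as a chain failure. It assumes a Windows host that can reach the CA's CRL distribution points; the store path and the 30-day expiry window are choices made for this example.

```powershell
# Added example (not from the lesson): inventory the local computer's personal
# certificate store and validate each certificate's chain, including an online
# revocation (CRL/OCSP) check, the way a client relying on an enterprise CA would.
# Assumptions: the host can reach the CA's CRL distribution points; the store
# path and the 30-day expiry window are choices made for this example.

$StorePath  = 'Cert:\LocalMachine\My'   # personal store of the computer account
$ExpiryDays = 30                        # flag certificates expiring within this window

function Test-CertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for every certificate in the chain using the CRL (or OCSP
    # responder) published by the issuing CA; 'Offline' would use only a cached CRL.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $valid = $chain.Build($Certificate)
    # ChainStatus lists why the chain failed (e.g. Revoked, NotTimeValid, UntrustedRoot,
    # RevocationStatusUnknown when the CRL could not be fetched).
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Dispose()

    [PSCustomObject]@{
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        DaysLeft      = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
        HasPrivateKey = $Certificate.HasPrivateKey
        ChainValid    = $valid
        ChainStatus   = if ($status) { $status } else { 'OK' }
    }
}

$report = Get-ChildItem -Path $StorePath | ForEach-Object { Test-CertificateChain -Certificate $_ }

# Certificates an administrator should act on: a failed chain (revoked, untrusted,
# expired) or one nearing expiry. Those nearing expiry need re-enrollment, which
# autoenrollment through Group Policy handles automatically against an enterprise CA.
$report | Where-Object { -not $_.ChainValid -or $_.DaysLeft -le $ExpiryDays } |
    Format-Table Subject, Issuer, DaysLeft, ChainValid, ChainStatus -AutoSize
```

Run it in an elevated PowerShell session so the private-key flag is reported correctly. A `RevocationStatusUnknown` status usually means the CRL distribution point in the certificate is unreachable from this host, which is worth fixing before it is mistaken for a revoked certificate.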
Maintaining a Windows Server 2008 CA
- Be sure to designate a Recovery Agent in case of lost certificates. Only the Recovery Agent can recover these.
- You can assign users to one or more of the following predefined security roles:
  - CA Administrator – overall management.
  - Certificate Manager – issuing and managing certificates.
  - Backup Operator – back up and restore OS files and folders and CA information.
  - Auditor – able to manage and read security logs on a computer running the AD CS role.
Introducing Network Access Protection
- NAP helps protect the network from "unhealthy" computers coming onto it.
- Connecting computers are "evaluated":
  - If they meet the criteria of the NAP policy they are permitted access to the network.
  - If they do not meet the criteria they are either denied access to the network or sent to a remediation network.
- Remediation servers allow noncompliant computers to become compliant, e.g., the remediation network may have the antivirus software available for install.
NAP Enforcement Methods
- DHCP enforcement – easiest method. If the NAP client is out of compliance, the DHCP server will assign an address with limited access.
- IPsec enforcement – uses health certificates. If a client is out of compliance it will not get the health certificate and therefore won't be able to communicate through IPsec or on the network.
- VPN enforcement – restricts the level of access that a remote client can obtain, e.g., work laptops get full access, home laptops get limited access.
- 802.1X enforcement – restricts access on physical (switch or wireless) connections.
NAP demonstration
Lesson 10 You Learned
- A PKI allows two parties to communicate securely without ever having communicated with one another before, through the use of a mathematical algorithm called public key cryptography.
- PKI certificates are managed through Certificate Authorities that are hierarchical, which means that you can have many subordinate CAs within an organization that chain upward to a single root CA.
- A Certificate Revocation List (CRL) identifies certificates that have been revoked or terminated.
- Web enrollment allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List.
- When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs. A standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.
- An enterprise CA integrates with Active Directory. It can use certificate templates as well as Group Policy Objects to allow for auto-enrollment of digital certificates, and it can store digital certificates within the Active Directory database for easy retrieval by users and devices.
- Network Access Protection (NAP) is a policy enforcement mechanism that is used to allow or reject access to Windows network resources on the basis of policy decisions, such as whether the Windows Firewall is turned on or whether anti-virus signatures are up to date.
- NAP can be configured with one of four built-in enforcement mechanisms: DHCP, 802.1X, IPsec, and VPN. The NAP client includes one or more System Health Agents (SHAs), which map to System Health Validators (SHVs) within the NAP server architecture.
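The health items named above (Windows Firewall on, anti-virus signatures current) are what the Windows Security Health Validator checks through the client's SHA. The script below is an added example, not part of the lesson or of NAP itself: it evaluates the same items locally, plus pending updates and the state of the NAP Agent service, so an administrator can see in advance whether a host would be placed on the remediation network. It assumes Windows Defender is the anti-virus product (`Get-MpComputerStatus`), that the NetSecurity module is available (Windows 8 / Server 2012 or later), and the 7-day signature age threshold is a choice made for this example.

```powershell
# Added example (not from the lesson): pre-check, on the local machine, the same
# health items a NAP System Health Validator evaluates (firewall on, antivirus
# signatures current, updates installed) and whether the NAP Agent service is
# present and running. Assumptions: Windows Defender is the antivirus
# (Get-MpComputerStatus), the NetSecurity module exists (Windows 8 / Server 2012+),
# and the 7-day signature age threshold is a choice made for this example.

$MaxSignatureAgeDays = 7

function Get-LocalHealthState {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Windows Firewall must be enabled on every profile (Domain, Private, Public).
    $disabled = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    foreach ($p in $disabled) { $findings.Add("Firewall disabled on profile '$($p.Name)'") }

    # 2. Antivirus running with real-time protection and recent signatures.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings.Add('Windows Defender status unavailable')
    } else {
        if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus disabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection disabled') }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
        }
    }

    # 3. Software updates not yet installed, via the Windows Update Agent COM API.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    if ($result.Updates.Count -gt 0) {
        $findings.Add("$($result.Updates.Count) software update(s) not installed")
    }

    # 4. NAP Agent service (service name 'napagent'). It is absent on Windows 10 /
    #    Server 2016 and later, where NAP was removed, so absence is reported as a
    #    finding rather than treated as a script error.
    $nap = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if (-not $nap)                     { $findings.Add('NAP Agent service not present') }
    elseif ($nap.Status -ne 'Running') { $findings.Add("NAP Agent service is $($nap.Status)") }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# A host with Compliant = $false is one a NAP policy would send to the remediation
# network; the Findings list is what would have to be fixed there.
$state = Get-LocalHealthState
$state | Format-List
```

Run it elevated so the firewall and Defender cmdlets return full results. The update search can take a minute on a machine that has not contacted Windows Update recently, which is also a useful signal in itself.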