Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Install an Offline Root CA


An offline root CA should be used to anchor the hierarchy. The offline root CA is easier to protect because it can be locked in a vault or another secure area. It needs no connection to the network. The offline root CA can be restricted to issuing subordinate CA certificates, a process that can easily be manually done. Little maintenance is required, and you can limit the number of people who have contact with it.

The offline root CA, however, must be carefully prepared and installed, or additional CAs and the PKI may not function correctly. To correctly install a root CA, prepare the server and then perform the CA installation offline.

Server Preparation


The server should be prepared before installing certificate services. Specifically:

The server should be in a secure area. If the area cannot be locked, you should not leave the server during installation.

The server should not be connected to any network. Ever.

The installation of the standalone Windows Server 2003 should be done on a newly NTFS-formatted drive.

The latest service pack and security patches should be installed.

The server time should be manually synchronized with the Active Directory network.

A capolicy.inf file should be prepared and added to the %systemroot% folder on the server.


Most of these steps are well known and well documented. Two topics require a little more explanation: time synchronization and the use of a capolicy.inf file.

Manually Synchronize the Time

Synchronizing the standalone server time may seem like an unusual step. After all, the server will not be connected to the network. Authentication will be local, and there will never be any drive mapping or any obvious reason to be concerned about time. However, every certificate has a validity period. A certificate's validity period is the time between the time at which it becomes valid for the use it has been configured for (the Valid From date), and a time at which it is no longer valid (the Valid To date). Typically, the Valid From date is the date on which the certificate is issued, and the Valid To date is calculated by adding the certificate lifetime to the Valid To date.Time Differences" later in this chapter.

Use a Capolicy.inf File

The capolicy.inf file, if present, is read during the CA installation and during the CA certificate renewal, and the parameters set in the file are applied. It is not necessary to use a capolicy.inf file to install a CA, but a capolicy.inf file must be used when installing an offline root CA. The file is used to ensure that the root CA certificate is produced with an empty Authority Information Access (AIA) and Certificate Revocation List (CRL) Distribution Point (CDP) location. If you do not use the file for this purpose, the root CA certificate will list AIA and CDP locations on the local computer. Because the computer will always be offline, it will be impossible for applications and clients to locate the CDP, and revocation checks will fail. Likewise, applications and clients might need to download a copy of the AIA and fail.

The AIA and CDP locations must still be present in certificates that the offline root CA will issue, but you will configure the location after the CA is installed but before it issues any certificates. You will enter an available network location in the properties of the CA and then manually place a copy of the root CA certificate and the CDP at these network locations. This preparation will allow revocation checking to occur and will make available a copy of the root CA certificate.

Many sections and parameters can be placed in the capolicy.inf file; however, to keep the AIA and CDP locations from being added to the root CA certificate, only a couple are necessary. Two sets of data in the file are important. First, several renewal items are listed. These should match their counterparts entered during the CA installation. They will be used during CA certificate renewal. Second, the file is configured to prevent the AIA and CDP entries in the root CA certificate. Table 13-1 describes each entry in the file.

Table 13-1. capolicy.inf

Setting

Description

[version]

Section head.

Signature= "$Windows NT$"

Identifies operating system version.

[Certsrv_Server]

Section head.

RenewalKeyLength=4096

The key length for the CA keys. Leave the capolicy.inf file on the root server, and the key length will remain the same when the certificate is renewed. The key length can be changed at renewal but should never be smaller than the current key length. If changing the key length, you should also ensure that applications are able to use the larger key size.

RenewalValidityPeriod=Years

The validity period for a CA certificate is calculated in years.

RenewalValidityPeriodUnits

The validity period units determine the number =20 of years.

[CRLDistributionPoint]

Section title. By entering this section title and leaving the section blank, no CDP will be set for the root CA certificate.

[AuthorityInformationAccess]

Section title. By entering this section title and leaving the section blank, no AIA will be set for the root CA certificate.


NOTE: BEST PRACTICES


The example file given here comes from examples provided in the document "Best Practices for Implementing a Windows Server 2003 Public Key Infrastructure," which can be downloaded from http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx.

Create the capolicy.inf File


To create the basic file, follow these steps:


1.

Create the file in Notepad and enter the following information:


[version]
Signature= "$Windows NT$"[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
[CRLDistributionPoint]
[AuthorityInformationAccess]

2.

Save the file to the %systemroot% of the computer on which the CA will be installed.


Installations Instructions for an Offline Root CA


The following instructions assume an Active Directory domain, tail spintoys.com with established servers and domain controllers. An additional computer, Computer1, is installed as previously detailed (including the addition of a capolicy.inf file). It will serve as the root CA. Additional sections in this chapter further configure the CA and detail the installation of a subordinate Enterprise CA:


1.

Log on as a local administrator of the server.

2.

Open Start, Settings, Control Panel, Add or Remove Programs, Add/Remove Windows Components.

3.

Select the Windows Certificate Services check box.

4.

Click Yes when prompted, as shown in Figure 13-1, and then click Next. Once a computer takes on the role of CA, you cannot change its name or domain membership. Because this computer will be kept separate from the network anyway, it should not be a domain member, and its name should be established before certificate services are installed.

Figure 13-1. The computer name cannot be changed after installation.

[View full size image]

5.

Click Details and view the components Certificate Services CA and Certificate Services Web Enrollment Support (see Figure 13-2). Click OK, and then click Next. Although IIS will not be installed on this computer, and web services won't be used for certificate enrollment, you cannot delete the Web Enrollment Support component. This component creates the file structure necessary to support web-based certificate requests and meets the needs of default locations for CDP and AIA.

Figure 13-2. It is not necessary to install IIS on the offline root CA, but the web component parts are installed.

6.

Click OK and then click Next.

7.

Select stand-alone root CA. (While an Enterprise Root CA could be implemented on a member server, it would then be integrated with Active Directory. It would not be advisable to then remove that computer from the network. Removing such a computer permanently from the network would mean excess processing and errors as the member server keeps trying to find its domain controller.)

8.

Select the Use Custom Settings To Generate The Key Pair And CA Certificate check box and click Next.

9.

Leave the default Cryptographic Service Provider(CSP)Microsoft Strong Cryptographic Provider. Vendors provide special CSPs so that their devices will work with certificate services. By default, three third-party CSPs (Schlumberger cryptographic service provider, Infinean SICRYPT Base Smart Card CSP, and Gemplus GemSAFE card CSP v1.0) are available, but vendor CSPs can be added as needed.

10.

Leave the default integrity algorithm as the SHA-1 hash algorithm.

11.

Select a 4096-bit key, as shown in Figure 13-3. The default key size is 2049, but a longer key length is advised. In general, you must weigh the increased security of a larger key with the longer time that will be taken when the key is used for encryption or signature. The root CA will only issue subordinate CA certificates, and the time difference taken by a 4096-bit key versus that of a 2049-bit key is insignificant when it is used only a few times.

Figure 13-3. The default settings for CSP, hash algorithm, and key size can be changed.

12.

Note that there is an option to use an existing key pair, and then click Next. If you need to recover or rebuild a CA, you can install the CA and import an existing key pair.

13.

Enter a common name for the certification authority; the name rootA is used here for ease of identification in later exercises. In a production environment, use a name that identifies the certificate. The common name is the name that will be visible, for example, in the Trusted Root Certification Authorities store. The CA common name does not have to be the same as the computer name. However, the common name, validity period, location of the certificate database, log, and shared folder cannot be changed after setup.

14.

Enter 20 years for the validity period, as shown in Figure 13-4, and click Next. The default time period is 5 years. The time period is made longer simply for convenience. If there is some reason to renew the certificate and generate new keys before that time period, it can easily be done. Certificates issued by CAs in the hierarchy cannot have a longer validity period than the CA certificate.

Figure 13-4. Select a validity period for the certificate.

15.

After the keys are generated, the storage location for the database can be changed. Accept the default location for the storage locations and click Next. On a production system, it is a good idea to have at least two hard disk drives and place the database log on a different drive than the database. This may improve performance.

16.

Wait while the system configures the CA components, and then click OK at the IIS warning message. A message will note that IIS is not installed and that Certificate Services Web Enrollment will not be available until IIS is installed. IIS is not needed on the root CA. There will not be many requests for subordinate CAs, and those can be managed manually from the Certification Authority console. (The CA will not be online; therefore, any web-based requests would be local, and the extra service is just not necessary.)

17.

If prompted, enter or browse to the path for the Windows Server 2003 installation disk.

18.

When installation is finished, click Finish.

19.

Go to Start, Administrative Tools, Certification Authority and note that the CA service has started, as evidenced by a green check mark on the CA.

20.

Select File, Exit to close the Certification Authority console.


Standalone Root CA Post Installation Configuration


After installation, but before it is used to issue subordinate CA certificates, the root CA keys should be archived and the CA configured.

Back Up the CA Keys

CA keys can be backed up from the CA console, from the local machine's certificate stores console, or by using the certutil command. To do so, export a copy of the root CA certificate and include a copy of the private key. The result can be placed on a floppy disk or other removable media and must be protected.

Use certutil to Back Up CA Keys

Use the certutil command to back up CA keys. It can also be used to restore them. To back up the keys for the rootA offline root CA using the password tiab34T* to a PKCS #12 (.pfx) format file and place it on a floppy diskette in the A drive, use this command:


Certutil -backupkey -config name_of_server\rootA -p tiab34T*Y A:

Figure 13-5 shows the command and result.

Figure 13-5. Use certutil to back up the keys.

[View full size image]

Use the Certificates Console to Back Up CA keys

To use the local machine's certificate store, follow these steps:


1.

Open an MMC console.

2.

Click the File menu and select Add/Remove Snap-in.

3.

Click Add, and then select Certificates from the Add Standalone Snap-in dialog.

4.

Click Add, select Computer Account, click Next, click Finish, Close, and then click OK.

5.

Expand the Certificates (Local Computer), Personal folder and then select the Certificates folder.

6.

In the detail pane, right-click the CA certificate and select All Tasks, Export.

7.

Click Next on the Welcome to the Certificate Export Wizard page.

8.

Select Yes, export the private key, as shown in Figure 13-6, and then click Next.

Figure 13-6. Export the private key when backing up the CA keys.

9.

Do not change the Export File Format page, as shown in Figure 13-7; instead, click Next.

Figure 13-7. The Enable Strong Protection… setting ensures that the keys are password protected.

10.

Enter and confirm a password. This password helps protect the keys. It must be entered before the keys can be imported into a certificate store. A maximum 32-character password can be used. The CA will be compromised if unauthorized individuals obtain the keys. The media should also be protected, and a strong password should be used. Because you may never have to use the password, it is unlikely that you will remember it, and you might not be present when it's needed. To ensure key recoverability, write down the password and store it in a safe place, separate from the media on which the key file exists.

11.

Browse to the location for file storage, enter a file name, and click Next, and then click Finish.

12.

If the export is successful, click the OK button.


Configure CDP and AIA on the Root CA

The root CA certificate will not include an AIA or CDP location. The Root CA should provide, however, an AIA and CDP location. This will be added to all the certificates that it issues. This is necessary primarily so that clients can do certificate validity processing by validating the signature of the root CA and locating the root CA CRL. The first step is to confirm that the root CA certificate does not include a CDP or AIA. Next, configure CDP and AIA network location information on the root CA.

Confirm No AIA or CDP

To confirm that the root CA certificate does not include an AIA or CDP location, follow these steps:


1.

Open the Certification Authority console.

2.

Right-click the CA and select Properties.

3.

Click the View Certificate button on the General page.

4.

Click the Details page of the certificate. Scroll down through the details, as shown in Figure 13-8, and confirm that the certificate does not include the CRL Distribution Points or Authority Information Access fields.

Figure 13-8. Always verify that the root CA certificate does not include the AIA and CDP field.

5.

Click OK to close the certificate.


Configure Network Locations for CDP and AIA on the Root CA

For certificates issued by the CA to contain CDP and AIA locations, you must add those locations to the Extension Property page of the CA properties.

TIP: Syntax for AIA and CDP Extensions

The syntax for the AIA and CDP extensions is not well displayed in the interface. Worse, if you make an error, you must delete the error and re-enter the entire path. It's best if you have reviewed the syntax before attempting to create these paths. The article "Windows 2000 Certificate Servers" provides the syntax; this article is at http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/depopt/2000cert.mspx.


1.

If the property pages for the CA are not open, open the Certification Authority console and select the certification authority by clicking the CA.

2.

Select Properties from the Action menu.

3.

Click the Extension tab, click the Select Extension drop-down box, and then click Authority Information Access (AIA). AIA specifies the location where clients may download a copy of the CA certificate. The AIA default location is on the CA computer. Because this CA will be offline, you must change the publication location of the AIA to the network so that it is accessible by clients. This must be done before certificates are issued because the AIA location is published on the certificate.

4.

Note the syntax of the configured AIA extension locations. Click Add and enter the new web location. The following location (also shown in Figure 13-9) is where the certificate only (not the certificate and related private key) will be stored on a chicago.local server. In the URL, the enclosed variables <CaName> and <CertificateName> will be interpreted as rootA: http://chicago.local/CertEnroll/regalin_<CaName><CertificateName>.crt

Figure 13-9. Modifying the AIA publication location URL.

5.

When complete, click OK.

6.

On the Extensions page, which is shown in Figure 3-10, make sure the new URL is selected and click the Include in the AIA extension of issued certificates check box. Do the same for the new file location if it is created. Don't forget this step! The location of the AIA must be available, and for it to be used, the information must be published on the certificate.

Figure 13-10. Check the Include instruction.

7.

Click the default URL for the location of the AIA, the one pointing to a local IIS server, and click Remove.

8.

Note the default location where you can find a copy of the CA certificate to copy to this location on the IIS server on the CA computer. The default location is <systemroot>\System32\ CertSrv\CertEnroll\motorin_rootA.crt.

9.

If desired, note the syntax for the file location for AIA and create a file location where the root CA certificate may be located. The following syntax is used for Tailspin Toys:


File://\regalin.chicago.local\CertSrv\CertEnroll\<CAName><CertificateName>.crt

10.

Click the Add button to add an LDAP location. The root CA certificate should be made available in the Active Directory. Don't forget to publish the certificate in the Active Directory. Use this syntax:

ldap:///CN=rootA,CN=AIA,CN=Public Key Services,CN=Services, CN=Configuration,DC=chicago
,DC=local?cACertificate?base?objectclass=certificationAuthority

11.

Select the new LDAP entry and check the box Include in the AIA extension of issued certificates.

12.

Select the default LDAP location and ensure that the Include in the AIA extension of issued certificates check box is not selected. The default LDAP location on a standalone server that is not a member server will not have this item checked, as it makes no sense for that server. (The root CA will not be available to the network, so publishing the local file location for the root certificate is unnecessary.)

13.

In the Select extension drop-down box, select the extension CRL Distribution Point (CDP).

14.

Select the LDAP location and make sure no boxes are checked. Again, no LDAP directory is available to a standalone server.

15.

Click the Add button and add a new LDAP path for the chicago.local domain. Later, you'll publish this information to the directory. The syntax for the ldap entry is as follows:

ldap:///CN=roota,CN=regalinn,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration
,DC=chicago,DC=local?certificateRevocatinoalLilst?base?objectlass=cRLDistributionPoint

16.

Select the new LDAP location and check the boxes Include in all CRLs, Specifies where to publish in the Active Directory when publishing manually, and Include in the CDP Extension of Issued Certificates.

17.

Select the file location and click Include in the CDP cxtension of issued certificates to deselect it. The root CA will not be accessible to computers, so publishing the file location in the CDP extension of certificates is useless. The Publish CRLs to this location check box should remain checked. The published CRL must be retrieved from this location in order to publish it on the network where it can be located.

18.

Click Add and enter a new http location. A new http CDP location must be added because the CA will not be online. The new CDP must be at an online location. Use this syntax: http://chicago.local/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

19.

Click OK to return to the Extensions page.

20.

With the new http entry selected, click the Include in the CDP extension of issued certificates check box, and then click OK.

21.

Select the default http CRL location, click Remove, and then click OK.

22.

Note that the default location for the publication of the CRL is the same as that for the root certificate. You need to copy both of these files to removable media so that you can make them available for publication to Active Directory and the web site of the CA.

23.

Click Apply to save settings. Click No when asked if you want to stop and restart certificate services at this point.

24.

Click the Policy Module tab and then click Properties.

25.

Note, as shown in Figure 13-11, that Set the certificate request status to pending is checked. Requests for CA certificates should always be manually approved. Standalone CAs cannot use the Active Directory to authenticate the user and determine if it's OK to issue certificates to users or computers. When certificate requests are marked as "pending," the CA administrator has to approve them.

Figure 13-11. The Certificate Manager must approve certificate requests by default on the root CA.

26.

Click Cancel to close the Policy Module property pages, and then click OK to close the root CA property pages.

27.

Right-click the Revoked Certificates node and select Properties.

28.

In the CRL Publication Interval box, enter 6, use the drop-down box to select Months, and then click OK (see Figure 13-12). The CRL will be published to the file system of the rootA CA. After each publication, you need to copy it and manually ensure it is published to the Active Directory and the network-accessible locations, in this case, on the computer2 web server. The first CRL, an empty CRL, is published to the file system. You can manually publish a CRL at any time and manually locate it at the proper locations. Setting the timeframe at six months means you must manually retrieve each new root CA CRL and manually publish it to the network locations.

Figure 13-12. Change the CRL Publication period.

29.

Click the View CRLs tab to see that the CRL has been published, as shown in Figure 13-13. Then, click the View CRL button and click the Revocation List tab. Note, as shown in Figure 13-14, that a CRL has been published and is empty, as you would expect.

Figure 13-13. A CRL has been published.

Figure 13-14. The CRL is empty, as it should be.

30.

Click OK twice to close the Property pages.

31.

Stop and start the certificate service.

32.

The current CRL does not contain the new http and ldap enTRies that you have created. Publish a new CRL manually by right-clicking the Revoked Certificates node, selecting All Tasks, and then click Publish.

33.

Click File, Exit to close the Certification Authority console.

34.

Open Windows Explorer, browse to <windir>\system32\CertEnroll, and copy the CRL and certificate files (rootA.crl and motorin_rootA.crt files in this example) to removable media.


Add the Root CA Certificate and CRL to Network Locations

The Root CA certificate and CRL must be placed on the web server, and the certificate must be published in the Active Directory. To add them to the web server, simply copy the files roota.pfx (from the backup file) and rootA.crt from the removable media that contains them to the server (in this case, to %windir%\system32\certsrv\certenroll).

To publish them in the Active Directory, use the certutil command.

Publish Certificate and CRL to Active Directory

To add the certificate and CRL for the Tailspin Toys domain root CA to the Active Directory, follow these steps:


1.

Log on to regalinn as a member of the Domain Admins group.

2.

Publish the CA certificate to Active Directory by using the certutil command. This adds the standalone root CA certificate to the Active Directory. It must be accessible to the certificate verifiers:


Certutil dspublish f motorin_rootA.crt

3.

Publish the CRL to the Active Directory by using the certutil command:


Certutil dspublish f rootA.crl


Figure 13-15 shows the command and the result.

Figure 13-15. Use certutil to publish the CRL and the certificate.

[View full size image]

Distribute the Root CA Certificate Via Group Policy

The Root CA certificate must be available to clients. By publishing the certificate to Active Directory, you make the certificate available; however, for clients to trust certificates issued by a CA in the hierarchy, a copy of the certificate must be in the Trusted Root Certification Authorities certificate store. Users can download a copy of the certificate by using the web enrollment pages; however, this process should be automated by distributing the certificate via Group Policy.

To provide a copy of the root CA certificate to clients and place it in their Trusted Certification Authority store, you must obtain a copy of the certificate and then do the following:


1.

Log on as a member of the Domain Admins group.

2.

Open a GPO linked to the domain.

3.

Select the Computer Configuration, Windows Settings, Security Settings, Public Key Policies node.

4.

In the details pane, right-click the Trusted Root Certification Authorities policy, click Import, and then click Next.

5.

Browse to the root CA certificate file (a copy is in <systemroot>\system32\certsrv\certenroll).

6.

Select the file, click Open, and then click Next.

7.

Click Place All Certificates in the Following Store, select the Trusted Root Certification Authorities store, and then click Next.

8.

Review the summary and click Finish.

9.

In the GPO, note that the certificate is now listed.


Configure Auditing on the Root CA

By default, some CA errors will be recorded in the application log. However, to ensure that the details required to audit the CA operation are recorded, configure CA auditing for the root CA. This is a two-step process. For many of the audit functions to work, Object auditing for the computer must be turned on. For audit records to be created, auditing must be configured in the CA properties. Enable other local auditing to meet your security policy. The following example provides extensive audit trails of activity on the CA.

A security log review process should be established for CAs. Collection of audit records is an exercise in futility if records are not reviewed.

Enable Auditing for the Local Computer

To turn on auditing for the local computer, use the Local Security Policy:


1.

Log on to the root CA computer Administrative Tools, Local Security Policy console. On a standalone computer, object auditing must be enabled locally. Computer accounts for CAs that are member servers should be in their own OU, and a GPO can be used to turn on object auditing for all Enterprise CAs.

2.

Browse to Local Policies, Audit Policy.

3.

Double-click on Audit Account Logon Events and click the Failure box to select it. (The Success box is already selected.) Click OK.

4.

Repeat for the Audit Logon Events category.

5.

Open Audit Account Management, select Success and Failure, and then click OK.

6.

Repeat for Audit Object Access, Audit Policy Change, Audit Privilege Use, and Audit System Events. It is critical to monitor all CA operations. Changes also need to be made to the event log policy to accommodate the collection of events and ensure the retention of logs.

7.

Close the Local Security Policy.

8.

Open the Start, Administrative Tools, Event Viewer console.

9.

Right-click the Security node and select Properties.

10.

Note the default log size and select the Do Not Overwrite Events (Clear Log Manually) button to select it. Establish requirements for the security log file. No audit policy is complete without specifying parameters for the management of the security log file. Even though the initial project is small, auditing settings will collect extensive information. The size of the log should be set large and monitored for growth. Before the project is expanded, size history should be evaluated and a larger file designated to ensure adequate space.

11.

Click OK to close the property pages and then close the Event Viewer console.


Configure CA Auditing

Specific auditing choices can be made in the properties pages of the CA:


1.

Open the Certification Authority console, right-click the CA, and then select Properties.

2.

Select the Auditing page.

3.

Select all the audit events by checking all the event boxes (see Figure 3-16). Note the message when the Start and Stop Certificate Services selection is made. It indicates that a cryptographic hash is made of the database when the service is stopped or started and warns of a time delay. This could become a performance issue for issuing CAs; however, the database will not be large on the root CA, and the root CA will not often be stopped and started again.

Figure 13-16. Selecting CA audit events to monitor.

4.

Click OK.



/ 194