CA administrator
approving certificates by, 179–180
request certificate from Web Enrollment Support, 177–179
revoking certificates by, 180–181
CA MMC console, 191
CA Web Enrollment Support
install/uninstall, 176
request certificate from, 177–179, 187
cache, DNS Server Service, 298
cell phones, 314
central processing unit (CPU), 305
certificate authority (CA). see also enterprise CAs
defined, 320
design factors to consider, 158–162
enrollment and distribution, 177–179
exclude from certificate request, 283
geographical hierarchy, 162–163
installing on Windows Server 2003, 172–176
network trust hierarchy, 164–165
organizational hierarchy, 163–164
in PKI architecture, 156
in PKI process, 154–155
certificate authority (CA) servers
enabling auditing on, 181–183
securing enterprise hierarchy, 169–170
securing stand-alone CA, 170–171
threats against, 167–169
factors to consider, 161
trust hierarchies for, 162–165
certificate distribution
approving certificates by CA administrators, 179–180
enrollment and distribution, 177–179
installing CA on Windows Server 2003, 172–176
questions about, 190–191
renewal and auditing, 181–184
revoking certificates by CA administrators, 180–181
certificate policy and practice statements, 157
certificate repositories, PKI, 157
certificate request, 283
Certificate Revocation List (CRL)
EFS and, 565
function of, 320
offline CAs and, 168–169
defined, 157
Certificate Services
common threats against, 167–169
designing PKI that uses, 186
function of, 320
functionality of, 152
installing on Windows Server 2003, 172–176
on VPNs, 444
certificate template, 188
Certificate Trust List (CTL), 157
certificate, authentication, IIS, 399
certificate-based authentication, 422
certificates
approving certificates by CA administrators, 179–180
authentication, IIS, 356–362, 401
configuring L2TP RRAS to accept, 434–438
cross-certification of, 444
described, 254
EFS and third-party, 588
enrollment, 565–566
enterprise/stand-alone CAs and, 160
function of, 319
PKI scalability and, 161
with private keys, backing up, 580–584
recovery agent, 554–555
renewal of, 565–566
request from CA Web Enrollment Support, 177–179
revoking certificates by CA administrators, 180–181
root CAs/subordinate CAs and, 159
RRAS and, 451–452
SGC, 387
storage, EFS and, 564–565
for wireless access authentication, 337
Challenge Handshake Authentication Protocol (CHAP), 653, 678–679. see also Microsoft Challenge Handshake Authentication Protocol
Change the System Time right, 465
CIA triad, 6–8
cipher.exe, 566–569, 577–579, 616
Clear This Database check box, 137
Client (Respond Only) policy, 265, 284
client authentication, 308
client authentication settings, 60–61
client setting, SMB signing, 310–312
clients
authentication protocols, choosing, 646–651
authentication requirements analysis, 640–646
authentication strategy design, 639–640
DNS, securing, 303
down-level, configuring, 74–75
identifying non-current, 215–217
internal resource access for, 662
Network Access Quarantine Control and, 670
OS features, restricting access to, 637–639
OS hardening for, 629–637, 672
protocol selection for, 652–654
remote access account lockout and, 670
remote access plan overview, 651–652
remote access policy for, 654–662
security overview, 628–629, 671
using IAS for, 662–669
CM (Connection Manager), 438–439
CMAK (Connection Manager Administration Kit), 439
co-location, backup, 590
command-line tools
cipher.exe, 566–569
dsmod.exe, 528
GPUpdate command, 94–95
Hfnetchk.exe, 51–52
netsh, 668
common policy, remote access, 654
compat*.inf template
down-level clients and, 75
overview of, 57
server roles and, 131
compromised key attack, 248
computer account management plan, 165
computer forensics, 30
computer startup mode, IPSec driver, 278–279
computer-based authentication, Wi-Fi, 334–335
computers. see laptop computers; servers
conditions, remote access, 655–656
confidential data, 26
confidentiality, ESP, 263
/configure, 88–90
Configure Your Server Wizard
described, 141
for IIS, 113
using, 103–106
Connection Manager (CM), 438–439
Connection Manager Administration Kit (CMAK), 439
Connection Point Services (CPS), 438–439
connections
encrypted, SSL/TLS and. see Secure Socket Layer/Transport Layer Security
numbered/unnumbered, 421–422
persistent in extranets, 443
console redirection
EMS and, 602–603
service processor, 604
Windows, 604–605
Content Management Server (CMS), 399, 404
contexts, netsh.exe command, 272–273
control design strategy, 455
copy backup, 592
corruption, data, 510
CPS (Connection Point Services), 438–439
CPU (central processing unit), 305
Create a Pagefile right, 466
Create a Token Object right, 466
Create Global Objects right, 466
Create Permanent Shared Objects right, 466
CreateProcessAsUser, 469
credentials, basic authentication, 364
critical security updates, 41
CRL. see Certificate Revocation List
cross certificate, 164–165
CryptoAPI (cryptography application programming interface), 554
Cryptographic API (Crypto API), 387
cryptographic service provider (CSP)
described, 565
installing CA and, 174
securing stand-alone CA, 170–171
shut down, 189
cryptography, 386–388
CSP. see cryptographic service provider
CTL (Certificate Trust List), 157
custom policy, remote access, 655