MCSA/MCSE Exam 70-296 Study Guide, Part 4 (PDF)


Autoenrollment

The Microsoft marketing platform for Windows Server 2003 is: "The Windows Server 2003 family helps organizations do more with less." One of the ways that Windows Server 2003 helps you do more with less is through the use of certificate autoenrollment, which is defined as "a process for obtaining, storing, and updating the certificates for subjects without administrator or user intervention." Certificate autoenrollment allows clients to automatically submit certificate requests and retrieve and store certificates. Autoenrollment is managed by the administrator (or other staff members who have been delegated authority) through the use of certificate templates so that certificates are obtained by the appropriate target and for the appropriate purpose. Autoenrollment also provides for automated renewal of certificates, allowing the entire certificate management process to remain in the background from the perspective of the user.

EXAM WARNING
Windows Server 2003 Enterprise Edition or Windows Server 2003 Datacenter Edition is required to configure certificate templates for autoenrollment requests.

From a planning perspective, you will want to decide if autoenrollment is right for your organization and which users or groups should be configured to use autoenrollment. Say that Wally's Tugboats has a roaming sales force that needs access to network resources while on the road. Typically, these sales associates are novice computer users who have no interest in learning about functions such as Web enrollment; their sole purpose is to sell tugboats. Through autoenrollment, the administrator of Wally's Tugboats can specify that members of the SalesTeam group in Active Directory have the ability to autoenroll for a certificate. We walk through the process of setting up autoenrollment later in this chapter, when we discuss objective 5.1, configuring PKI within Active Directory.

Head of the Class… Separating Web Enrollment from the CA Server
In some environments, it could be beneficial to separate the Web enrollment server from the CA server. For example, you might not want to have the IIS service running on a domain controller that is also functioning as a CA server for security purposes; specifically, Active Server Pages (ASP) must be enabled on the IIS server in order for Web enrollment to function. For this reason, a separate Windows Server 2003 server can be configured to function as the front-end Web enrollment server for the PKI. If you should choose to install the Web enrollment pages on a separate computer from the CA, the computer account must be trusted for delegation within Active Directory. For more information on delegation, see www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/538.asp. For more information on using a separate server for Web enrollment services, go to www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_CSprocsInstallWebClient.asp.

EXAM WARNING
Remember that autoenrollment is used for the automatic enrollment of users, not computers.

Using Smart Cards

In our discussion of the different types of CAs, we mentioned that the key difference between enterprise CAs and standalone CAs is that enterprise CAs tie into the Active Directory directory services. Another benefit that comes from the use of enterprise CAs with Active Directory is the use of smart cards for logging into a Windows Server 2003 domain. Although smart cards are covered in much more depth in Chapter 5 of this book, we wanted to take a few moments here to discuss the planning process for using smart cards with PKI.

Unlike Windows 2000, which used smart cards primarily for user logon, Windows Server 2003 uses smart cards for a variety of functions. As the system administrator, you need to work with your IT group to plan for the use of smart cards. Specifically, you will want to discuss:

■ Business needs for smart cards
■ Smart card usage
■ Smart card enrollment

Defining a Business Need

Defining a business need for smart cards in today's environment is much easier than it was even just a few years ago. With the increase in information theft and the reduction in cost of security tools such as smart cards, many organizations are willing to examine their own security practices for areas of improvement. Let's say that Wally's Tugboats operates a 24/7 sales center, which is staffed almost exclusively by temporary employees. Turnover and lack of proper temporary employee screening is a huge issue within the sales center. As the administrator, you can easily justify the need for a smart card implementation in the sales center for purposes of authentication and nonrepudiation.

Smart Card Usage (Exam 70-296 Objective 5.2.3)

As we mentioned, Microsoft has taken smart card usage a bit further than was previously available in Windows 2000. The additional ways that smart cards can be used in Windows Server 2003 include storing administrative credentials and mapping network shares. Part of the planning process for the deployment of smart cards is to determine exactly what the smart cards will be used for. In our business need example, it was pretty clear that we needed the smart cards for user authentication. However, you could find that you can extend the smart card offering beyond simple user authentication.

Smart Card Certificate Enrollment

By default, users are not allowed to enroll for a smart card logon certificate. In order for a user to enroll for a smart card logon certificate, a system administrator must grant the user (or a group of which the user is a member) access rights to the smart card certificate template. Microsoft recommends that users enrolling for smart card certificates use smart card enrollment stations that have been integrated with certificate services. Enterprise CAs have smart card enrollment stations installed by default, allowing an administrator to handle requests for and installation of smart card certificates on behalf of the user. By having an administrator handle the entire smart card enrollment process, there is no need to grant users access rights to the smart card certificate template.

As part of the planning process, you need to decide where smart card enrollment stations will be placed. Since enrollment stations are configured by default on CAs, you will want to make sure that the enrollment stations are stored in a secure location. Smart cards should be treated the same as any other type of security token (ID badges, access cards, etc.) and kept secure from general users and outside parties.

EXAM WARNING
You could get a question relating to the types of smart cards available for use with Windows Server 2003. The following types of smart cards are the only ones that can be used with Windows Server 2003:

■ Gemplus GemSAFE 4k
■ Gemplus GemSAFE 8k
■ Infineon SICRYPT v2
■ Schlumberger Cryptoflex 4k
■ Schlumberger Cryptoflex 8k
■ Schlumberger Cyberflex Access 16k

Configuring Public Key Infrastructure within Active Directory (Exam 70-296 Objective 5.1)

In this section, we apply the information we've previously discussed and implement PKI into an Active Directory-enabled Windows Server 2003 network. Using the Wally's Tugboats Inc. example, let's walk through each step necessary to creating a functional and fluid PKI. The good news is, most of the real grunt work is done; we have gone over the components of a PKI, considered the decisions necessary to plan the PKI, and thought about the features that Windows Server 2003 brings to a PKI. Now we get to turn all the paperwork and thought processes into a functional PKI.

Throughout this section, we discuss each step of the implementation and configuration process and perform several exercises that correspond to each step. The most logical first step is to review the methods that we can use to install certificate services onto our Windows Server 2003 machine. Keep in mind that the purpose of this section is to configure PKI within AD, which makes the assumption that you have already installed Active Directory onto your server. In order to perform these next few steps, you need to have access to the cabinet files for Windows Server 2003 (on CD, a local folder on your hard drive, or on a network share). Although we could come up with several variations of installing certificate services onto a Windows Server, there are essentially two main ways to accomplish this task:

■ Insert the Windows Server 2003 CD into your CD-ROM drive and click Install optional Windows components (see Figure 4.13).
■ Or click Start | Control Panel | Add or Remove Programs and click Add/Remove Windows Components.

In Exercise 4.01, we begin installing the certificate services. You can choose either installation method as long as you are running the installation on a server that exists within a Windows Server 2003 Active Directory domain.

Figure 4.13 The Windows Server 2003 Autorun Splash Screen

EXERCISE 4.01 INSTALLING WINDOWS SERVER 2003 CERTIFICATE SERVICES

For our example, let's install an online enterprise root CA on one of the domain controllers within the wallystugboats.com domain. You need to have IIS installed on the server before beginning this exercise. Let's begin by inserting the CD into the server's CD-ROM drive:

1. Insert the Windows Server 2003 CD into your CD-ROM drive and click Install optional Windows components.
2. When the Wizard Components window opens, place a check mark in the Certificate Services box. Notice the warning message that appears, informing you that once you install certificate services, you will not be able to rename the server (see Figure 4.14). Click Yes to clear the warning message, and click Next to continue.
3. As we mentioned at the beginning of the exercise, we're going to be configuring this CA as the enterprise root CA for the wallystugboats.com domain. Select Enterprise Root CA from the CA Type window, as shown in Figure 4.15, and click Next.

Figure 4.14 Certificate Services Warning Message
Figure 4.15 Certificate Services CA Type Selection Window

4. Enter a common name for your certificate authority. This is the name by which the CA will be known within your enterprise as well as in Active Directory. In our example, we use certserv as our common name. Next, adjust the validity period so that the certificates issued by this CA are valid for 3 years instead of 5 years. Notice that the expiration date is now exactly three years from when you changed this setting. Click Next to continue.

NOTE
At this stage, the key pair is being generated.

5. Accept the defaults for the database file and database log locations and click Next. Windows will begin configuring the CA components. Windows will need to stop the IIS services in order to complete the certificate services installation.

NOTE
If you are warned about Internet Information Services not being installed and Web enrollment support not being available, click Cancel. You will need to install IIS prior to installing your CA in order to support Web enrollment.

6. Web enrollment will also require that ASP be enabled. Note the warning about the potential security vulnerabilities by enabling ASP, as shown in Figure 4.16, and click Yes.
7. Click Finish when the installation has completed.

Figure 4.16 ASP Warning Message

Web Enrollment Support

If you received the warning message about IIS not being installed, you probably noticed that Web enrollment support was not enabled. Web enrollment relies on the IIS service for the publication of the Web enrollment Web pages and components. IIS provides the user with the front-end interface that serves for the automatic back-end certificate creation. In Exercise 4.02, we use the Web enrollment services to request a certificate.

TEST DAY TIP
If you are faced with a question on the exam that involves Web enrollment not being accessible, read through the scenario again to see if there is any mention of IIS being installed on the server. If IIS is not installed, you know that Web enrollment will not work.

EXERCISE 4.02 USING WEB ENROLLMENT TO REQUEST A CERTIFICATE

In this exercise, we create a request for a Web server certificate. In order to perform this exercise, you need to have a server running Windows Server 2003 with certificate services installed. You can perform the exercise from either the server itself or another client with network connectivity to the server. Let's begin the exercise by opening a Web browser window:

1. In the Address window of your Web browser, type http://localhost/certsrv and press Enter if you are doing this exercise from the server. If you are attempting the exercise from another machine, enter the name of the machine in place of localhost (for example, http://myCAserver/certsrv or http://mycaserver.mycompany.com/certsrv).
2. On the Microsoft Certification Services Welcome page, shown in Figure 4.17, click Request a certificate.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, click Create and submit a request to this CA.
5. Since we are going to be requesting a Web server certificate, click the drop-down list under Certificate Template and select Web Server.
6. Next, enter the information for the offline template. This is the subject information that will be associated with the certificate, as illustrated in Figure 4.18.
7. For purposes of this exercise, you can leave the rest of the information as it is. Next, scroll to the bottom of the page and click the Submit button. If you receive a warning about a potential scripting violation, click Yes to continue.
8. The server will process the certificate and present you with an option to install the new certificate. At this stage, you could install the certificate on the appropriate Web server. The enrollment process is complete.

Figure 4.17 The Microsoft Certification Services Welcome Page
Figure 4.18 Entering the Certificate Information

Creating an Issuer Policy Statement

We are discussing issuer policy statements as part of the installation process, but technically they need to be configured before certificate services is installed.
By configuring your CA to present its policy statement, users can see the policy statement by viewing the CA's certificate and clicking Issuer Statement. However, for the policy statement to appear, the file CAPolicy.inf must be properly configured and placed in the systemroot directory (typically, C:\WINDOWS). Before you implement your issuer policy statement, it's always a good idea to run it by upper management and legal staff as permitted, since the policy statement gives legal and other pertinent information about the CA and its issuing policies, as well as limitations of liability. For more information on issuer policy statements, visit www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/sag_CS_Setup.asp.

Figure 4.19 shows the issuer policy statement for www.verisign.com, an Internet CA.

Figure 4.19 The Issuer Policy Statement for VeriSign

The following code shows a sample CAPolicy.inf file (the Notice value is a single line in the actual file):

    [Version]
    Signature="$Windows NT$"
    [CAPolicy]
    Policies=UsagePolicy
    [UsagePolicy]
    OID=1.1
    Notice="Certificates issued from this certification authority (CA) are intended for the sole usage of user authentication of Wally's Tugboats employees. Any misuse of this system may be punishable by law."

EXAM WARNING
For the exam, you need to remember the name of the issuer policy statement file, where the file is stored, and when in the CA installation process it should be created and placed in the directory.

Managing Certificates

Once you have configured your CA server, you'll want to examine some of the various ways that you can manage your certificates. One of the biggest advantages of Windows Server 2003 is the range of management tools you have at your disposal.
In this section, we take a look at four different aspects of managing certificates:

■ Managing certificate templates
■ Using autoenrollment
■ Importing and exporting certificates
■ Revoking certificates

Managing Certificate Templates

In a Windows PKI, certificate templates are used to assign certificates based on their intended use. When requesting a certificate from a Windows CA, a user is able to select from a variety of certificate types that are based on certificate templates. Templates take the decision-making process out of users' hands and automate it based on the configuration of the template as defined by the systems administrator. Now, in Windows Server 2003, you also have the ability to modify and create certificate templates as needed. In Exercise 4.03, we duplicate an existing certificate template for use with autoenrollment. Before we move on to the exercise, let's quickly recap the subject of certificate autoenrollment.

Using Autoenrollment

As we've discussed, autoenrollment is an excellent tool that Microsoft developed for PKI management in Windows Server 2003. Although it does reduce the overall PKI management workload, autoenrollment can be a little tricky to configure. First, your Windows Server 2003 domain controller must also be configured as a root CA or an enterprise subordinate CA. In Exercise 4.03, we walk through the steps of configuring autoenrollment in your organization.
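The CAPolicy.inf sample shown under Creating an Issuer Policy Statement only produces an Issuer Statement if it is well formed and sitting in the systemroot before Certificate Services is installed, and a missing section or key fails silently. The following Python script is an added example, not code from the study guide: it validates the structure the chapter describes (a [Version] Signature, a [CAPolicy] Policies list, and one section per named policy carrying an OID plus a Notice or URL). The sample text is constructed from the chapter's example, and expected_path is an assumed helper that reports where the file must be placed.

```python
"""Validate a Windows CAPolicy.inf issuer-policy file before CA setup.

Added example (not from the study guide). INF files are INI-style text,
so the standard-library configparser is enough to read them offline.
"""
import configparser
import os
import re

# Constructed sample mirroring the chapter's CAPolicy.inf (Notice on one line).
SAMPLE_CAPOLICY = """
[Version]
Signature="$Windows NT$"

[CAPolicy]
Policies=UsagePolicy

[UsagePolicy]
OID=1.1
Notice="Certificates issued from this certification authority (CA) are intended for the sole usage of user authentication of Wally's Tugboats employees. Any misuse of this system may be punishable by law."
"""

# Dotted-decimal object identifier, e.g. 1.1 or 1.3.6.1.4.1.x
OID_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_inf(text):
    """INF syntax: sections in brackets, key=value lines, ';' comments."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";",))
    cp.optionxform = str.lower  # INF keys are case-insensitive
    cp.read_string(text)
    return cp


def validate_capolicy(text):
    """Return a list of findings; an empty list means the file looks usable."""
    findings = []
    try:
        cp = parse_inf(text)
    except configparser.Error as exc:
        return [f"unparseable INF: {exc}"]
    # Certificate Services expects the standard INF signature in [Version].
    sig = cp.get("Version", "signature", fallback="").strip('"')
    if sig != "$Windows NT$":
        findings.append('[Version] Signature must be "$Windows NT$"')
    # [CAPolicy] Policies names one or more policy sections, comma separated.
    policies = cp.get("CAPolicy", "policies", fallback="")
    names = [p.strip() for p in policies.split(",") if p.strip()]
    if not names:
        findings.append("[CAPolicy] Policies is missing or empty")
    for name in names:
        if not cp.has_section(name):
            findings.append(f"policy {name} is referenced but has no section")
            continue
        if not OID_RE.match(cp.get(name, "oid", fallback="")):
            findings.append(f"[{name}] OID is missing or malformed")
        # The issuer statement text comes from Notice (or a URL to it).
        if not (cp.has_option(name, "notice") or cp.has_option(name, "url")):
            findings.append(f"[{name}] needs a Notice or URL for the issuer statement")
    return findings


def expected_path():
    """Assumed helper: the file must be %SystemRoot%\\CAPolicy.inf before CA install."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "CAPolicy.inf")


if __name__ == "__main__":
    problems = validate_capolicy(SAMPLE_CAPOLICY)
    print("place at:", expected_path())
    print("findings:", problems or "none")
```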

Posted: 13/08/2014, 15:20
