Maintaining Network Health

Slides:



Advertisements
Similar presentations
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Advertisements

Planning a Public Key Infrastructure
Deploying and Managing Active Directory Certificate Services
Chapter 9 Deploying IIS and Active Directory Certificate Services
Agenda Introduction Network Access Protection platform architecture
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Chapter 11: Active Directory Certificate Services
Security and Policy Enforcement Mark Gibson Dave Northey
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Maintaining Network Health Lesson 10. Skills Matrix Technology SkillObjective DomainObjective # Understanding the Components of NAP Configure Network.
Configuring Active Directory Certificate Services Lesson 13.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
Microsoft ® Official Course Module 8 Deploying and Managing Certificates.
Clinic Security and Policy Enforcement in Windows Server 2008.
Chapter 10: Authentication Guide to Computer Network Security.
1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.
Deploying PKI Inside Microsoft The experience of Microsoft in deploying its own corporate PKI Published: December 2003.
Hands-On Microsoft Windows Server 2008
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
70-411: Administering Windows Server 2012
Implementing Network Access Protection
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Module 8: Configuring Network Access Protection
Configuring Directory Certificate Services Lesson 13.
Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.
Module 9: Fundamentals of Securing Network Communication.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.
Configuring Name Resolution and Additional Services Lesson 12.
Configuring Network Access Protection
70-412: Configuring Advanced Windows Server 2012 services
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Creating and Managing Digital Certificates Chapter Eleven.
Module 13: Enterprise PKI Active Directory Certificate Services (AD CS)
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Maintaining Network Health Lesson 10. Active Directory Certificates Services 2 A component of Microsoft Identity Lifecycle Management (ILM) ILM allow.
Network and Server Basics. Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server network.
TAG Presentation 18th May 2004 Paul Butler
Key management issues in PGP
Basharat Institute of Higher Education
Maintaining Windows Server 2008 File Services
Module Overview Installing and Configuring a Network Policy Server
Cryptography and Network Security
Implementing Network Access Protection
TAG Presentation 18th May 2004 Paul Butler
Configuring and Troubleshooting Routing and Remote Access
Module 8: Securing Network Traffic by Using IPSec and Certificates
THE STEPS TO MANAGE THE GRID
Server-to-Client Remote Access and DirectAccess
Goals Introduce the Windows Server 2003 family of operating systems
Lecture 4 - Cryptography
Module 8: Securing Network Traffic by Using IPSec and Certificates
Install AD Certificate Services
Security and identity (Network Access Protection, Parental Controls)
Presentation transcript:

Maintaining Network Health Lesson 10

Skills Matrix Understanding the Components of NAP Technology Skill Objective Domain Objective # Understanding the Components of NAP Configure Network Access Protection (NAP) 3.2

Public Key Infrastructure Public key infrastructure (PKI) consists of a number of elements that allow two parties to communicate securely, without any previous communication, through the use of a mathematical algorithm called public key cryptography. Public key cryptography, as the name implies, stores a piece of information called a public key for each user, computer, and so on that is participating in a PKI.

Public Key Infrastructure Each user, computer, and so on also possesses a private key, a piece of information that is known only to the individual user or computer. By combining the well-known and easily obtainable public key with the hidden and well-secured private key, one entity (you, for example) can communicate with another entity (a secured Web site, for example) in a secure fashion without exchanging any sort of shared secret key beforehand. A shared secret key is a secret piece of information that is shared between two parties prior to being able to communicate securely.

Certificate Authority (CA) A Certificate Authority (CA) is an entity, such as a Windows Server 2008 server running the AD CS server role, that issues and manages digital certificates for use in a PKI. CAs are hierarchical, which means that many subordinate CAs within an organization can chain upwards to a single root CA that is authoritative for all Certificate Services within a given network. Many organizations use a three-tier hierarchy, where a single root CA issues certificates to a number of intermediate CAs, allowing the intermediate CAs to issue certificates to users or computers.

Sometimes just called a certificate. Digital Certificate Sometimes just called a certificate. This digital document contains identifying information about a particular user, computer, service, and so on. The digital certificate contains the certificate holder’s name and public key, the digital signature of the Certificate Authority that issued the certificate, as well as the certificate’s expiration date. Emphasize the public/private key concept and when the public key is accessed by a user to read a message. Then emphasize that the digital certificate that can be retrieved from a CA holds the public key.

Digital Signature This electronic signature (created by a mathematical equation) proves the identity of the entity that has signed a particular document. Like a personal signature on a paper document, when an entity signs a document electronically it certifies that the document originated from the person or entity in question. In cases where a digital signature is used to sign something like an email message, a digital signature also indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox. Signatures prove who they come from.

Certificate Practice Statement and Certificate Revocation List Certificate Practice Statement (CPS) Provides a detailed explanation of how a particular CA manages certificates and keys. Certificate Revocation List (CRL) This list identifies certificates that have been revoked or terminated, as well as the corresponding user, computer, or service. Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date.

Certificate Templates Templates used by a CA to simplify the administration and issuance of digital certificates. This is similar to how templates can be used in other applications, such as office productivity suites, or when creating objects within Active Directory.

Self-Enrollment and Enrollment Agents As the name suggests, this feature enables users to request their own PKI certificates, typically through a Web browser. Enrollment agents These are used to request certificates on behalf of a user, computer, or service if self-enrollment is not practical or is otherwise an undesirable solution for reasons of security, auditing, and so on. An enrollment agent typically consists of a dedicated workstation that is used to install certificates onto smart cards, thus preconfiguring a smart card for each person’s use.

Autoenrollment This PKI feature supported by Windows Server 2003 and later allows users and computers to automatically enroll for certificates based on one or more certificate templates, as well as using Group Policy settings in Active Directory. Because this feature is only supported in Windows Server 2003 or later, certificate templates that are based on Windows 2000 will not allow autoenrollment to maintain backwards compatibility.

Recovery Agent These agents are configured within a CA to allow one or more users (typically administrators) to recover private keys for users, computers, or services if their keys are lost. For example, if a user’s hard drive crashes and the user has not backed up the private key, any information that the user has encrypted using the certificate will be inaccessible until a recovery agent retrieves the user’s private key.

Key Archival This is the process by which private keys are maintained by the CA for retrieval by a recovery agent, if at all. Most commercial CAs do not allow key archival; if a customer loses a private key and has not taken a backup, the user needs to purchase a new certificate. In a Windows PKI implementation, users’ private keys can be stored within Active Directory to simplify and automate both the enrollment and retrieval processes.

Windows Server 2008 and Certificate Services Within Windows Server 2008, the Active Directory Certificate Services server role consists of the following services and features: Web enrollment. Online Responder. Online Certificate Status Protocol (OCSP).

Web Enrollment This feature allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List.

Online Responder This service responds to requests from clients concerning the revocation status of a particular certificate, sending back a digitally signed response indicating the certificate’s current status. The Online Responder uses the Online Certificate Status Protocol (OCSP) to return certificate status information to the requester. This protocol is used to respond to queries from clients who have requested data about the status of a PKI certificate that has been issued by a particular CA.

Network Device Enrollment Services (NDES) This service allows devices, such as hardware-based routers and other network devices and appliances, to enroll for certificates within a Windows Server 2008 PKI that might not otherwise be able to do so. This service enrolls these devices for PKI certificates using the Simple Certificate Enrollment Protocol (SCEP), a network protocol that allows network devices to enroll for PKI certificates.

When deploying a Windows-based PKI, two types of CAs can be deployed: Standalone CA. Enterprise CA.

A standalone CA is not integrated with Active Directory. It requires administrator intervention to respond to certificate requests. You can use a standalone CA as both a root and a subordinate CA in any PKI infrastructure.

An enterprise CA integrates with an Active Directory domain. It can use certificate templates to allow autoenrollment of digital certificates, as well as store the certificates themselves within the Active Directory database. You can use an enterprise CA as both a root and a subordinate CA in any PKI infrastructure.

Selecting the CA Setup Type

Revocation Configuration In Windows Server 2008, you can configure one or more Online Responders to make revocation information available for one or more CAs. To enable this, each individual CA must be configured with its own revocation configuration so that Online Responders can provide the correct information to clients using the OCSP. The Online Responder can be installed on any server running Windows Server 2008 Enterprise or Datacenter editions, while the certificate revocation information can come from any 2003, 2008, or even non-Microsoft CAs.

Adding a Revocation Configuration

Selecting an OCSP Signing Certificate

Managing Certificate Enrollments Using a Windows Server 2008 CA, you can manage certificate enrollment in a number of ways depending on the needs of your organization.

Managing Certificate Enrollments In a Windows Server 2008 Active Directory environment, you can automate the distribution of PKI certificates using any combination of the following features: Certificate templates can be used to automate the deployment of PKI certificates by controlling the security settings associated with each template. Group Policy can be used to establish autoenrollment settings for an Active Directory domain (User Configuration\Windows Settings\Security Settings\Public Key Policies or Computer Configuration\Windows Settings\Security Settings\Public Key Policies nodes).

Making Certificate Enrollments In a non-Active Directory environment, clients can enroll manually for certificates using either of the following: The Certificate Request Wizard allows a user to manually create a certificate request file using the Certificates MMC snap-in. This wizard creates a request file that can be used by the Certification Authority MMC to generate a certificate based on the request. Certification Authority Web Enrollment allows users to manually request certificates using a Web interface, located by default at https://<CA Name/certsrv on a CA that is running the Certification Authority Web Enrollment role service.

Key Archival and Recovery One of the challenges of managing PKI certificates in an enterprise environment is users losing the private keys associated with their certificates. This risk can be alleviated in an Active Directory environment by the use of key archival on one or more CAs, which will store an escrow copy of each certificate's private key on the CA in case it needs to be restored for any reason. This escrow copy of a private key can be restored by one or more key recovery agents, user accounts that are configured with a Key Recovery Agent certificate that allows them to perform this sensitive task.

Maintaining a Windows Server 2008 CA In Windows Server 2008, you can assign users to one or more of the following predefined security roles within Certificate Services: CA Administrator. Certificate Managers. Backup Operators. Auditors.

Network Access Protection One of the greatest challenges faced by administrators in securing corporate networks is in protecting corporate networks from “unhealthy” computers on the network. Network Access Protection is a solution that controls access to corporate network resources based on the identity of the computer attempting to connect to the resource, as well as the connecting computer’s compliance with corporate policies and standards such as software update levels, Windows Firewall configurations, and the like.

Network Access Protection Network Access Protection includes a number of built-in enforcement methods, which define the mechanisms that NAP can use: DHCP enforcement. Internet Protocol Security (IPSec) enforcement. VPN enforcement. 802.1X enforcement. Terminal Services Gateway (TS Gateway) enforcement.

DHCP Enforcement This enforcement method uses DHCP configuration information to ensure that NAP clients remain in compliance If a NAP client is out of compliance, NAP will instruct the DHCP server to provide a DHCP configuration to the client that will limit its network access until the compliance issue is resolved.

Internet Protocol Security (IPSec) Enforcement This enforcement method uses IPSec that has been secured by specially configured PKI certificates known as health certificates, which are issued to clients that meet defined compliance standards. If clients cannot provide the necessary health certificate, they will not be able to participate in IPSec-secured traffic.

VPN enforcement This enforcement method restricts the level of network access that a remote access client can obtain, based on the health information that the clients presents when the VPN connection is made. For example, you may define a NAP policy in which corporate laptops receive full network access upon creating a VPN connection, whereas clients connecting to VPN using their home computers will receive access only to a limited subset of corporate resources.

802.1X enforcement This enforcement method uses 802.1X-aware network access points, such as network switches or wireless access points, to restrict network access of noncompliant resources.

Terminal Services Gateway (TS Gateway) enforcement This enforcement method integrates with new Terminal Services functionality that is built into Windows Server 2008 that allows authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device. NAP can restrict connection attempts by TS Gateway clients just as with other enforcement methods.

The overall architecture of NAP involves the following components: Components of NAP The overall architecture of NAP involves the following components: NAP client-side components. NAP Enforcement Client (EC) components: One or more System Health Agents (SHSs) Client side API for both the enforcment Client and System Health Agent components. The NAP Agent

Components of NAP NAP server-side components. NAP Enforcement Server (ES). One or more System Health Validators (SHVs). A NAP Health policy server. NAP administration server. NPS service. Health requirement servers. Remediation servers (optional).

Getting Started Screen for Installing NPS

Selecting the Network Connection Method

Define NAP Health Policy

Defining Windows Server Health Validator Policy

Summary The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft's larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing a Windows Public Key Infrastructure( PKI) for authentication and authorization of users and devices.

Summary A PKI allows two parties to communicate securely without ever having communicated with one another before in any previous communication through the use of a mathematical algorithm called public key cryptography.

Summary PKI certificates are managed through Certificate Authorities that are hierarchical, which means that you can have many subordinate CAs within an organization that chain upward to a single root CA. A Certificate Revocation List (CRL) identifies certificates that have been revoked or terminated.

Summary Web enrollment allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List. The Network Device Enrollment Service (NDES) allows network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

Summary When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs. A standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.

Summary An enterprise CA integrates with Active Directory. It can use certificate templates as well as Group Policy Objects to allow for auto-enrollment of digital certificates, as well as store digital certificates within the Active Directory database for easy retrieval by users and devices.

Summary Network Access Protection (NAP) is a policy enforcement mechanism that is used to allow or reject access to Windows network resources on the basis of policy decisions, such as whether the Windows Firewall is turned on or if anti-virus signatures are up to date.

Summary NAP can be configured with one of four built-in enforcement mechanisms: DHCP, 802.1X, IPSec, and VPN. The NAP client includes one or more System Health Agents (SHAs), which map to System Health Validators (SHVs) within the NAP server architecture.