1 Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2.

Presentation transcript:

1 Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2

2 Agenda
- Background
- PKI Enhancements
  - Server consolidation
  - Improved existing scenarios
  - HTTP based enrollment
  - Strong authentication enhancements

Windows PKI Today
- A strategic investment: Windows 2000, Windows XP, Windows Vista, and we keep on investing
- Existing abilities:
  - Server roles: CA, OCSP, SCEP
  - Client components: API, UI, client services
  - Active Directory integration
  - Protocols and application adoption
- For more info

PKI Trends
- Governments: the biggest cert issuers!!!
- SMBs need a PKI solution
- Enterprises need PKI for heterogeneous environments
- Applications use certificates as authorization tokens (short validity period)
- Industry extends usage of X.509 certificates
  - Extended Validation (EV) certificates
  - Logo types
- Advanced crypto is picking up

Public Key Infrastructure: Windows 7 investments (diagram of the four scenario areas: HTTP Based Enrollment, Server Consolidation, Improved Existing Scenarios, Strong Authentication)

Server Consolidation: Non-persistent requests
- New PKI scenarios use short-lived certificates:
  - Network Access Protection (NAP)
  - OCSP signing certificates
- Existing workarounds for DB growth: dedicated servers, or high management cost for cleanup
- Windows Server 2008 R2: the administrator can configure whether the CA writes such requests to the database

Server Consolidation: Non-persistent requests (screenshot slide)

Server Consolidation: Server Core support
- The CA is supported on Server Core
  - Local command line utilities
  - Remote UX management
  - Key management by the HSM vendor
- No other AD CS service is supported on Server Core

9 Server Consolidation: Cross Forest Enrollment

How does it work today? Single forest
1. CA starts and reads certificate templates from AD
2. Client reads certificate templates from AD
3. Client sends enrollment request to CA
4. CA constructs Subject information based on the client object in AD
5. CA issues the certificate and returns it to the client
(Diagram: CA, Active Directory (AD), Client Workstations)

How does it work today? Multiple forests
Multiple forests imply:
- Multiple servers
- Multiple CA keys
- Multiple HSMs
- Multiple certificate databases
- Etc.

How will it work? Cross forest enrollment
(Diagram: Account Forest with Active Directory and Client Workstations; Resource Forest with CA, Active Directory (AD) and Client Workstations)

Server Consolidation: Cross forest enrollment
- Windows will support certificate enrollment and issuance across AD forest boundaries
- Requires an AD forest two-way trust between the account forest and the resource forest
- Requires a Windows Server 2008 R2 CA
- Requires Windows XP and above

Server Consolidation: Cross forest enrollment management
- The CA reads templates from the resource forest
- The client reads templates from the account forest
- This requires manual steps to make sure the templates are in sync:
  - Initial consolidation
  - Ongoing synchronization
- Best Practice Whitepaper for PKI Consolidation

15 Server Consolidation (summary)
1. Simplify management for NAP deployment
2. Support CA installations on Server Core
3. Support cross forest enrollment


Improved Existing Scenarios: Standard SKU supports V2 templates
- W2K introduced V1 certificate templates
- W2K3 introduced V2 certificate templates; not supported on W2K3 Standard Edition
- W2K8 introduced V3 certificate templates; not supported on W2K8 Standard Edition
- A CA installed on Windows Server 2008 R2 Standard Edition supports all certificate template versions
  - Supports auto-enrollment
  - Supports key archival
  - Etc.

Improved Existing Scenarios: Best Practice Analyzer
- Most PKI support calls are caused by configuration issues
- Windows Server 2008 R2 introduces the Best Practice Analyzer (BPA) tool
- The CA defines rules that the BPA tool can check after each CA configuration change

Improved Existing Scenarios: Best Practice Analyzer (screenshot slide)

Improved Existing Scenarios: Certificate selection
- Windows Vista
  - Removed duplicate and archived certificates
  - Icons to differentiate software vs. smart card certificates

Improved Existing Scenarios: Enterprise SSL EV certificate
- Mark an enterprise root CA as an extended validation (EV) root and add the EV policy OID
- Configurable through Group Policy

22 Improved Existing Scenarios (summary)
1. V2 certificate templates
2. Best Practice Analyzer
3. Certificate selection
4. Enterprise SSL EV certificate


HTTP Based Enrollment: Design goal
Enable new scenarios to leverage the Windows PKI client:
1. Server certificates issued by a public CA
2. Issuance across company boundaries (partnership scenario)
3. Issuance to non-domain-joined machines
4. B2C issuance (my bank issues me certificates)
5. And more…

HTTP Based Enrollment: Design overview
- Specified two new HTTP based protocols for certificate enrollment
- Implemented client services on top of the new protocols
- Implemented the server side for these new protocols
- Work (in progress) with related ISVs to provide interoperable solutions

26 HTTP Based Enrollment
(Diagram: CA, Active Directory (AD), Client Workstations, Certificate Enrollment Policy WS, Certificate Enrollment WS; HTTP only)

HTTP Based Enrollment: Auto-enrollment enhancements
- Ensures the system has a valid certificate for each of the enrollment policies configured for the end entity
- Implements the client role for both protocols
- Maintains a list of policy server URIs
- Maintains a cache of the enrollment policies returned from all policy servers
- Runs on non-domain-joined machines

HTTP Based Enrollment: Authentication
- The Windows client uses the same authentication mechanism for policy and enrollment servers:
  - Kerberos
  - Username/password
  - Certificate based
- Supports credential storage (optional)
- Implements renewal through proof of possession
- Requires SSL

29 HTTP Based Enrollment: Enrollment policies UX (screenshot slide)

30 HTTP Based Enrollment: Enrollment wizard
- Added an additional step to the Enrollment Wizard

31 HTTP Based Enrollment: Group Policy UX
- Allows admins to publish policy servers to client machines
- Ensures the policy server URI is valid
- The same UX is used on client machines to configure local policy and user-configured entries

32 HTTP Based Enrollment: Cross forest support
(Diagram: Account Forests with Active Directory (AD) and Client Workstations; Resource Forest with CA, Active Directory (AD), Certificate Enrollment Policy WS and Certificate Enrollment WS)

HTTP Based Enrollment: Web server scenario, enrollment and renewal
1. Admin logs on to a web server
2. Admin opens IE, browses to the public CA web site and creates an account
3. Admin clicks OK on the elevation dialog:
   - Set the policy server URL in the local policy store
   - Set credentials for the policy server (admin or control)
   - Enroll for this policy server (dynamic enrollment policy)
4. After enrollment is done, the certificate is installed

HTTP Based Enrollment: Web server scenario, recover from revocation
- System configured with:
  - A policy server entry
  - Cached U/P credentials
  - Auto-enrollment enabled
- The CA revokes the system's certificate and publishes a new CRL
- Within eight hours after the old CRL expires:
  - AE downloads the new CRL
  - AE marks the existing cert as revoked
  - AE retrieves policies from the policy server and enrolls for a new certificate

HTTP Based Enrollment: Web server scenario, dynamic policy updates
- System configured with a policy server
- One enrollment policy for SSL: 1 year validity, 1024 key size
- Policy needs to be updated every week
- The CA increases the key size to 2048 and updates the revision number on the enrollment policy object
- Within a week:
  - AE downloads the new policies
  - AE marks the existing cert as archived
  - AE enrolls for a new certificate
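The three web server scenarios above all come down to one auto-enrollment rule: keep a valid certificate for every cached enrollment policy, re-enrolling when the current one is revoked or the policy revision has moved on. The following is an added model of that decision loop, not Windows code; the policy server URI, serial numbers and revision values are constructed, and the policy fetch is replaced by a dictionary.

```python
from dataclasses import dataclass, field

@dataclass
class EnrollmentPolicy:        # one policy as returned by the enrollment policy web service
    policy_id: str
    revision: int               # CA admin bumps this when the policy changes (e.g. key size)
    key_size: int
    validity_days: int

@dataclass
class InstalledCert:
    policy_id: str
    policy_revision: int        # revision of the policy this cert was enrolled under
    serial: str
    status: str = "valid"       # valid | revoked | archived

@dataclass
class ClientState:
    policy_server_uri: str      # constructed placeholder; Windows keeps a list of these
    certs: list = field(default_factory=list)
    cached_policies: dict = field(default_factory=dict)

def autoenroll_pass(state, server_policies, crl):
    """One AE run: refresh the policy cache, then make sure a valid certificate
    exists for every configured policy. Returns the (action, serial) pairs taken."""
    actions = []
    state.cached_policies = dict(server_policies)   # fetched over HTTPS by the real client
    for pid, pol in state.cached_policies.items():
        current = next((c for c in state.certs if c.policy_id == pid and c.status == "valid"), None)
        if current and current.serial in crl:                     # recover from revocation
            current.status = "revoked"
            actions.append(("revoked", current.serial))
            current = None
        if current and current.policy_revision != pol.revision:   # dynamic policy update
            current.status = "archived"
            actions.append(("archived", current.serial))
            current = None
        if current is None:                                       # initial or re-enrollment
            serial = f"{pid}-r{pol.revision}-{len(state.certs) + 1:03d}"
            state.certs.append(InstalledCert(pid, pol.revision, serial))
            actions.append(("enrolled", serial))
    return actions

def demo():
    """Constructed walk-through: enroll, recover from revocation, follow a policy update."""
    state = ClientState("https://policy.example.test/cep")          # placeholder URI
    policies = {"ssl": EnrollmentPolicy("ssl", 1, 1024, 365)}
    first = autoenroll_pass(state, policies, crl=set())
    second = autoenroll_pass(state, policies, crl={"ssl-r1-001"})   # CA revoked the first cert
    policies["ssl"] = EnrollmentPolicy("ssl", 2, 2048, 365)          # key size raised, revision bumped
    third = autoenroll_pass(state, policies, crl={"ssl-r1-001"})
    return first + second + third
```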


Strong Authentication: Biometric
- New platform for biometric devices
  - Focused on fingerprint based authN in consumer scenarios
  - New driver model and basis for a future certification program
- Integrated user experience
  - Windows logon, local and domain
  - Device and feature discovery
- Enterprise management
  - Disable the Windows Biometric Framework via Group Policy
  - Allow use for applications but not for domain logon

Strong Authentication: Smart card
- Smart card Plug-and-Play
  - Windows Update and WSUS/SUS based driver installation
  - Pre-logon driver installation
  - Non-admin based driver installation
- Smart card class mini-driver
  - NIST SP (PIV) support
  - INCITS GICS (Butterfly) support
- Windows 7 smart card framework improvements
  - Improved support for biometric based smart card unlock
  - New APIs enabling Secure Key Injection

Strong Authentication: ECC based smart card logon
Windows 7 supports:
- Smart card enrollment for ECC certificates
- Logon with an ECC based certificate

Strong Authentication: Strong authentication based access control
'Smart card required' for remote access checks:
1. Admin: associate a group SID with an issuance policy OID
2. Admin: configure the logon certificate template with the issuance policy OID above
3. Admin: restrict access to a remote object using the group SID from the first step
4. User: log on with a certificate based on the certificate template above
5. Kerberos will add the group SID to the user token
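The five steps above form one chain: an issuance policy OID carried by the logon certificate is mapped to a group SID that only appears in the token when the logon was certificate based. The following is an added model of that chain, not Windows or Kerberos code; the OID, SIDs, template names and share path are constructed placeholders.

```python
from dataclasses import dataclass, field

# Step 1 (admin): map an issuance policy OID to a group SID. Both values are constructed placeholders.
SMARTCARD_REQUIRED_OID = "1.2.3.4.5.6.7.8.1"
SMARTCARD_REQUIRED_SID = "S-1-5-21-111-222-333-5001"
OID_TO_SID = {SMARTCARD_REQUIRED_OID: SMARTCARD_REQUIRED_SID}

# Step 2 (admin): the high-assurance logon template carries that issuance policy OID; a basic one does not.
TEMPLATE_POLICIES = {
    "SmartcardLogonHighAssurance": (SMARTCARD_REQUIRED_OID,),
    "SmartcardLogonBasic": (),
}

# Step 3 (admin): the remote object is restricted to the mapped group SID.
RESOURCE_ACL = {r"\\fileserver\secret": {SMARTCARD_REQUIRED_SID}}

@dataclass
class Certificate:
    subject: str
    template: str
    issuance_policy_oids: tuple   # certificate policies extension, copied from the template

@dataclass
class Token:
    user: str
    sids: set = field(default_factory=set)

def issue_logon_cert(subject, template):
    """The CA stamps the template's issuance policy OIDs into the certificate."""
    return Certificate(subject, template, TEMPLATE_POLICIES[template])

def build_token(user, user_group_sids, cert=None):
    """Steps 4-5: model of Kerberos logon. A certificate logon adds the group SIDs mapped
    from the cert's issuance policies; a password logon (cert=None) never gets them."""
    token = Token(user, set(user_group_sids))
    if cert is not None:
        token.sids |= {OID_TO_SID[o] for o in cert.issuance_policy_oids if o in OID_TO_SID}
    return token

def access_allowed(token, resource):
    """Access check on the remote object: granted if the token holds a SID the ACL allows."""
    return bool(RESOURCE_ACL[resource] & token.sids)

def demo():
    base = {"S-1-5-21-111-222-333-1105"}   # user's ordinary group membership, constructed
    password = build_token("alice", base)
    basic = build_token("alice", base, issue_logon_cert("alice", "SmartcardLogonBasic"))
    high = build_token("alice", base, issue_logon_cert("alice", "SmartcardLogonHighAssurance"))
    return [access_allowed(t, r"\\fileserver\secret") for t in (password, basic, high)]
```

Only the token built from the high-assurance certificate passes the check; the same user logging on with a password or with a certificate from a template lacking the OID does not, which is the point of the mapping.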

41 Strong Authentication (summary)
1. Biometric
2. Smart card



44 Related Content
- IDA02-ILL: Setting Up and Configuring Active Directory Certificate Services (AD CS): November 5 09: :15; November 6 16: :35
- IDA04-IS: All You Ever Wanted to Ask about Designing and Operating an Enterprise PKI: November 6 14: :55

45 With an amazing line-up of international speakers, there are even more chances to win an evaluation prize! So make sure you submit feedback for all the sessions you attend! Don't forget to complete your session feedback forms via the CommNet terminals or the Registered Delegate Pages for your chance to win an HTC Touch Dual! The window is now extended from 2 to 24 hours after the session, for more chances to WIN.

46 Resources for IT Professionals: Tech·Talks, Tech·Ed Bloggers, Live Simulcasts, Virtual Labs, evaluation licenses, pre-released products, and MORE!

47 © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.