
11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.



Presentation transcript:

Slide 1: 11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION, Chapter 10

Slide 2: OVERVIEW (Chapter 10: CERTIFICATE SERVICES AND SECURE AUTHENTICATION)
- Describe public key encryption
- Describe the contents of a certificate
- Describe the function of a certificate authority (CA)
- List the types of certificates a Microsoft Windows Server 2003 CA can issue

Slide 3: OVERVIEW (CONTINUED)
- Describe the structure of a CA hierarchy
- List the differences between enterprise and stand-alone CAs
- Configure certificate parameters
- Understand the benefits and limitations of password policies
- Administer and troubleshoot authentication

Slide 4: INTRODUCING THE PUBLIC KEY INFRASTRUCTURE
- A PKI is a collection of software components and operational policies that govern the distribution and use of public and private keys using digital certificates.

Slide 5: UNDERSTANDING SECRET KEY ENCRYPTION

Slide 6: ENCRYPTING DATA

Slide 7: DIGITALLY SIGNING DATA
- Digital signing refers to the process of using your private key to encrypt all or part of a piece of data.
- Digitally signed data, encrypted with your private key, can be decrypted only by using your public key.
- Digital signing prevents other users from impersonating you by sending data in your name.

Slide 8: VERIFYING DATA
- Hash values, or checksums, are used to guarantee that the data has not been modified since the hash value was created.
- The receiving system verifies the hash value to determine whether the data has been altered.
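Slides 7 and 8 describe signing as encrypting with the private key and verification as checking a hash with the public key. The following is an added example, not part of the course material: it implements that description with textbook RSA over a SHA-256 digest, using two Mersenne primes as constructed key material so it runs with only the Python standard library (no padding and toy-sized keys, so it illustrates the idea rather than a production signature scheme).

```python
"""Toy digital-signature demo (added example, not from the course slides).

Textbook RSA with two Mersenne primes; standard library only. No padding and
small keys, so this shows the private-key-signs / public-key-verifies idea
from slides 7 and 8 and nothing more.
"""
import hashlib

# Constructed key material: p and q are the Mersenne primes 2**127-1 and 2**107-1.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q                            # public modulus, roughly 234 bits
E = 65537                            # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest(data: bytes) -> int:
    """SHA-256 of the data, truncated to 224 bits so the value is smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:28], "big")


def sign(data: bytes, private_key) -> int:
    """'Encrypt' the hash of the data with the private key (slide 7)."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare it to a fresh hash (slide 8)."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def demo():
    """Sign a constructed message, then check the good, tampered and modified cases."""
    message = b"Approve transfer of 100 units"          # constructed sample data
    sig = sign(message, PRIVATE_KEY)
    ok = verify(message, sig, PUBLIC_KEY)               # untouched data verifies
    tampered = verify(b"Approve transfer of 900 units", sig, PUBLIC_KEY)  # altered data fails
    modified = verify(message, sig + 1, PUBLIC_KEY)     # altered signature fails
    return ok, tampered, modified


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Real deployments sign a padded digest (for example RSA-PSS or ECDSA via a certificate's key); the structure of sign, hash, verify is the same.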

Slide 9: UNDERSTANDING CERTIFICATE CONTENTS
- Digital certificates contain the public key for a particular entity plus information about the entity.
- Almost all certificates conform to the standardization division of the International Telecommunication Union (ITU-T) standard X.509 (03/00), "The Directory: Public-Key and Attribute Certificate Frameworks."
- Standardization of the certificate format is important; otherwise, exchanging certificates and keys would be difficult.

Slide 10: USING CERTIFICATES
- Digital certificates are documents that verifiably associate a public key with a particular person or organization.
- Certificates are obtained from an administrative entity called a certificate authority (CA).
- The CA issues a public key and a private key as a matched pair. The private key is stored on the user's computer, and the public key is issued as part of a certificate.

Slide 11: USING INTERNAL AND EXTERNAL CERTIFICATE AUTHORITIES
- For a certificate to be useful, it must be issued by an authority that both parties trust to verify each other's identity.
- Within an organization, you can use Windows Server 2003 Certificate Services, a service that enables the computer to function as a CA.
- When communicating with external entities, a trusted third-party certificate issuer can be used.

Slide 12: UNDERSTANDING PUBLIC KEY INFRASTRUCTURE FUNCTIONS
- With a PKI in place, you can:
  - Publish certificates
  - Enroll clients
  - Use certificates
  - Renew certificates
  - Revoke certificates

Slide 13: DESIGNING A PUBLIC KEY INFRASTRUCTURE
- Planning a PKI typically consists of the following basic steps:
  - Defining certificate requirements
  - Creating a CA infrastructure
  - Configuring certificates

Slide 14: DEFINING CERTIFICATE REQUIREMENTS
- When designing a PKI, you must determine:
  - What your client's security needs are
  - How certificates can help fulfill those needs
  - Which users, computers, services, and applications will use certificates
  - What kinds of certificates your clients need

Slide 15: CREATING A CERTIFICATE AUTHORITY INFRASTRUCTURE

Slide 16: USING INTERNAL OR EXTERNAL CAS

Internal CA
  Advantages:
  - Direct control over certificates
  - No per-certificate fees
  - Can be integrated into Active Directory
  - Allows configuring and expanding the PKI for minimal cost
  Disadvantages:
  - Increased certificate management overhead
  - Longer, more complex deployment
  - Organization must accept liability for PKI failures
  - Limited trust by external customers

External CA
  Advantages:
  - Instills customers with greater confidence in the organization
  - Provider is liable for PKI failures
  - Provider supplies the expertise needed in the technical and legal ramifications of certificate use
  - Reduced management overhead
  Disadvantages:
  - High cost per certificate
  - No auto-enrollment possible
  - Less flexibility in configuring and managing certificates
  - Limited integration with the organization's infrastructure

Slide 17: HOW MANY CERTIFICATE AUTHORITIES?
- A single CA running on Windows Server 2003 can support as many as 35 million certificates and can issue 2 million or more a day, depending on the system specifications.
- System performance is a factor in determining how many CAs should be implemented. Issuing certificates can be disk and processor intensive.
- Multiple CAs can be implemented for fault tolerance or load-distribution reasons.

Slide 18: CREATING A CERTIFICATE AUTHORITY HIERARCHY

Slide 19: UNDERSTANDING WINDOWS SERVER 2003 CERTIFICATE AUTHORITY TYPES
- Enterprise CAs:
  - Are integrated into Active Directory
  - Can be used only by Active Directory clients
- Stand-alone CAs:
  - Do not automatically respond to certificate enrollment requests
  - Are intended for users outside the enterprise who submit requests for certificates

Slide 20: CONFIGURING CERTIFICATES
- Criteria to consider when configuring certificates include the following:
  - Certificate type
  - Encryption key length and algorithm
  - Certificate lifetime
  - Renewal policies

Slide 21: MANAGING CERTIFICATES
- Certificate enrollment and renewal
- Manually requesting certificates
- Revoking certificates

Slide 22: UNDERSTANDING CERTIFICATE ENROLLMENT AND RENEWAL
- Autoenrollment: The CA determines whether a certificate request is valid and issues or denies a certificate accordingly. Only occurs on enterprise CAs in an Active Directory environment.
- Manual enrollment: An administrator monitors the CA for incoming requests and determines whether a certificate should be issued on a request-by-request basis. Used by stand-alone CAs.

Slide 23: USING AUTOENROLLMENT

Slide 24: USING MANUAL ENROLLMENT
- When using stand-alone CAs, the administrator must grant or deny requests for certificates through the Certification Authority console.
- Incoming certificate enrollment requests appear in the Pending Requests folder.
- The administrator must check the folder on a regular basis.

Slide 25: MANUALLY REQUESTING CERTIFICATES
- Manual enrollment can be performed in two ways:
  - Using the Certificates snap-in
  - Using Web enrollment

Slide 26: USING THE CERTIFICATES SNAP-IN

Slide 27: USING WEB ENROLLMENT

Slide 28: REVOKING CERTIFICATES
- Several conditions can prompt an administrator to revoke a certificate:
  - If a private key is compromised
  - If it is suspected or proved that an unauthorized user has gained access to the CA
  - If the administrator wants to issue a certificate using different parameters (such as longer keys)

Slide 29: SECURING AND TROUBLESHOOTING AUTHENTICATION
- User name and password combinations remain the predominant method of authentication.
- The relatively insecure nature of user names and passwords requires that policies be in place to regulate and monitor their use.
- System and network administrators often spend a large amount of time dealing with authentication-related issues and tasks.

Slide 30: SECURING AUTHENTICATION WITH POLICY
- Active Directory in Windows Server 2003 supports security policies to strengthen passwords and their use.
- Policies should be sufficiently daunting to attackers while being sufficiently convenient for users.
- Only the Default Domain Policy influences domain account policy.

Slide 31: PASSWORD POLICY
- Password policy:
  - Prevents reuse of the same password
  - Defines how often users must or can change their password
  - Defines the minimum number of characters in a password
  - Defines what constitutes a strong password

Slide 32: ACCOUNT LOCKOUT POLICY
- Account Lockout Policy:
  - Defines how many invalid logon attempts are allowed before the account is locked out
  - Determines the period of time that must pass after a lockout before Active Directory will automatically unlock a user's account
  - Specifies the time that must pass after an invalid logon attempt before the counter of invalid logon attempts resets to zero
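The three Account Lockout Policy settings on this slide interact in ways that are easy to get wrong (a counter that resets during a lockout, a lockout that never expires). The following simulator is an added example, not part of the course material or any Microsoft code: it models the threshold, the lockout duration and the reset window with integer-second timestamps and constructed logon attempts.

```python
"""Account Lockout Policy simulator (added example, not from the course slides).

Models the three settings the slide lists: invalid attempts allowed before
lockout, the lockout duration after which Active Directory auto-unlocks, and
the quiet period after which the invalid-attempt counter resets. Times are
plain integer seconds; the attempts are constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int     # invalid logons allowed before lockout (0 = never lock out)
    duration: int      # seconds the account stays locked (0 = until an admin unlocks it)
    reset_after: int   # seconds since the last bad attempt before the counter resets


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None
    locked_at: Optional[int] = None


class LockoutEngine:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.duration and now - st.locked_at >= self.policy.duration:
            st.locked_at = None      # lockout duration elapsed: automatic unlock
            st.bad_count = 0
            return False
        return True

    def attempt(self, user: str, now: int, password_ok: bool) -> str:
        """Process one logon attempt; returns 'locked', 'success' or 'failure'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"          # even a correct password is refused while locked
        if password_ok:
            st.bad_count = 0
            return "success"
        if st.last_bad is not None and now - st.last_bad >= self.policy.reset_after:
            st.bad_count = 0         # quiet period passed: counter starts over
        st.bad_count += 1
        st.last_bad = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = now       # threshold reached: account is now locked
        return "failure"

    def admin_unlock(self, user: str) -> None:
        """Unlocking a user account by hand (slide 37) clears all state."""
        self.accounts[user] = AccountState()


def run_sample() -> List[str]:
    """Threshold 3, lockout 10 minutes, counter reset after 5 minutes."""
    engine = LockoutEngine(LockoutPolicy(threshold=3, duration=600, reset_after=300))
    script = [(0, False), (10, False), (400, False), (410, False), (420, False),
              (430, True), (1100, True)]   # constructed (time, password correct?)
    return [engine.attempt("alice", t, ok) for t, ok in script]
```

In the sample run the third failure at t=400 starts a fresh count because 390 seconds of quiet exceed the reset window, the count reaches the threshold at t=420, the correct password at t=430 is refused, and the account unlocks itself by t=1100.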

Slide 33: CROSS-PLATFORM ISSUES
- In environments with computers running Microsoft Windows 95, Windows 98, Windows Millennium Edition, or Windows NT 4.0, administrators must be aware of several issues:
  - Windows 95, Windows 98, and Windows Millennium Edition support only 14-character passwords.
  - Systems that run Windows 95, Windows 98, Windows Millennium Edition, and Windows NT 4.0 require Active Directory client software to access the full functionality of directory services.
  - Certain features are not provided by the Active Directory client in Windows 95, Windows 98, and Windows NT 4.0.

Slide 34: AUDITING AUTHENTICATION
- Auditing of authentication can alert you to unauthorized attempts to access the system.
- In low-security environments, it may be sufficient to audit only failed logon attempts.
- In high-security environments, recording successful logon attempts as well can provide records of who accessed the system and when.

Slide 35: AUDIT POLICIES
- Audit policies allow you to record the following:
  - Successful and failed logon attempts to Active Directory
  - Account management tasks, including the creation and deletion of user accounts
  - Successful and failed logon attempts to the local system

Slide 36: SECURITY EVENT LOG
- Audit events are recorded in the Security log of Event Viewer on the system where the audit event took place.
- Account Logon events must be monitored on each domain controller.
- If enabled, Logon events must be monitored on the system on which the Logon event occurred.
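Because Account Logon events are written to the Security log of whichever domain controller handled the request, a failed-logon review that reads only one DC undercounts. The following is an added example, not part of the course material: it merges constructed, simplified log records from several hosts (not real Event Viewer output) and flags accounts whose failures cluster inside a time window, then shows how the same failures look when split per DC.

```python
"""Failed-logon review across domain controllers (added example, not from the slides).

Account Logon events live in each DC's Security log, so a review has to merge
the logs from every DC before counting. The records below are constructed
sample data in a simplified shape, not real Event Viewer output.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one Security log per host. Fields: time (s), category, outcome, user.
SECURITY_LOGS: Dict[str, List[dict]] = {
    "DC1": [
        {"time": 100, "category": "Account Logon", "outcome": "failure", "user": "alice"},
        {"time": 130, "category": "Account Logon", "outcome": "failure", "user": "alice"},
        {"time": 900, "category": "Account Logon", "outcome": "success", "user": "bob"},
    ],
    "DC2": [
        {"time": 110, "category": "Account Logon", "outcome": "failure", "user": "alice"},
        {"time": 150, "category": "Account Logon", "outcome": "failure", "user": "alice"},
        {"time": 200, "category": "Account Logon", "outcome": "failure", "user": "carol"},
    ],
    "FILESRV": [  # a member server records Logon events only for sessions on itself
        {"time": 905, "category": "Logon", "outcome": "success", "user": "bob"},
    ],
}


def merge_account_logon(logs: Dict[str, List[dict]]) -> List[Tuple[int, str, str, str]]:
    """Flatten every host's Account Logon events into one time-ordered list."""
    merged = []
    for host, events in logs.items():
        for ev in events:
            if ev["category"] == "Account Logon":
                merged.append((ev["time"], host, ev["user"], ev["outcome"]))
    return sorted(merged)


def failed_logon_bursts(logs: Dict[str, List[dict]], threshold: int, window: int) -> Dict[str, int]:
    """Users with at least `threshold` failures inside any `window`-second span."""
    by_user: Dict[str, List[int]] = defaultdict(list)
    for time, _host, user, outcome in merge_account_logon(logs):
        if outcome == "failure":
            by_user[user].append(time)
    flagged = {}
    for user, times in by_user.items():       # times are already sorted
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                    # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def per_host_failures(logs: Dict[str, List[dict]], user: str) -> Dict[str, int]:
    """Failures for one user split by DC: shows why a single DC's log is not enough."""
    counts: Dict[str, int] = defaultdict(int)
    for _time, host, u, outcome in merge_account_logon(logs):
        if u == user and outcome == "failure":
            counts[host] += 1
    return dict(counts)
```

With threshold 3 and a 60-second window the merged view flags alice with four failures, while either DC on its own shows only two and would flag nothing.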

Slide 37: ADMINISTERING AND TROUBLESHOOTING AUTHENTICATION
- Common administrative tasks include the following:
  - Unlocking a user account
  - Resetting user passwords
  - Disabling, enabling, renaming, and deleting user objects

Slide 38: SUMMARY
- A PKI is a collection of software components and operational policies that govern the distribution and use of public and private keys.
- Certificates are issued by a CA.
- The first step in planning a PKI is to study the security enhancements certificates provide and determine which security requirements you can satisfy with them.
- When running multiple CAs in an enterprise, you configure them in a hierarchy.
- Certificates can be configured to match the requirements of the organization.
- Only enterprise CAs can use autoenrollment.

Slide 39: SUMMARY (CONTINUED)
- For a client to receive certificates using autoenrollment, it must have permission to use the certificate template for the type of certificate it is requesting.
- Stand-alone CAs do not use certificate templates or autoenrollment. Certificate requests are stored in a queue on the CA until an administrator approves or denies them.
- CAs publish CRLs at regular intervals to inform authenticating computers of certificates they should no longer honor.
- The Default Domain Policy drives account policies, including the Password Policy and Account Lockout Policy.
- The Default Domain Controllers Policy specifies key auditing policies for domain controllers.
- Auditing for authentication generates events in each domain controller's Security log.

