Slide 1: Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2 (presentation transcript)

Slide 2: Agenda
- Background
- PKI enhancements:
  - Server consolidation
  - Improved existing scenarios
  - HTTP-based enrollment
  - Strong authentication enhancements

Slide 3: Windows PKI today
- A strategic investment: Windows 2000, Windows XP, Windows Vista, and the investment continues
- Existing capabilities:
  - Server roles: CA, OCSP responder, SCEP (Network Device Enrollment Service)
  - Client components: API, UI, client services
  - Active Directory integration
  - Protocols and application adoption
- For more information:
  - http://technet.microsoft.com/en-us/library/cc753254.aspx
  - http://technet.microsoft.com/en-us/library/cc770357.aspx

Slide 4: PKI trends
- Governments are the biggest certificate issuers
- SMBs need a PKI solution
- Enterprises need PKI for heterogeneous environments
- Applications use certificates as authorization tokens (short validity periods)
- Industry is extending the use of X.509 certificates: Extended Validation (EV) certificates, logotypes
- Advanced cryptography is picking up

Slide 5: Public Key Infrastructure: Windows 7 investments (section divider)
Scenarios: HTTP-based enrollment, server consolidation, improved existing scenarios, strong authentication. Next section: server consolidation.

Slide 6: Server consolidation: non-persistent requests
- New PKI scenarios use short-lived certificates: Network Access Protection (NAP) health certificates and OCSP response signing certificates
- Every issued certificate is normally written to the CA database, so high-volume, short-lived issuance makes the database grow
- Existing workarounds for database growth: dedicated CAs for these templates, or a high management cost for periodic cleanup
- Windows Server 2008 R2: the administrator can configure whether the CA writes a request and its certificate to the database
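The following is an added example, not code from the deck, showing how the non-persistent request setting is turned on: a CA-side registry flag that permits it, plus the per-template flag that asks for it. It assumes a Windows Server 2008 R2 CA on the local machine, a hypothetical template named NAPHealth, and the template flag value from the MS-CRTD specification (CT_FLAG_DONOTPERSISTINDB, 0x1000, in the template's flags attribute); both names are assumptions to verify against your environment.

```powershell
# Added example (not from the deck): enable non-persistent ("volatile") requests on a
# Windows Server 2008 R2 CA and mark one template so its certificates are not written
# to the CA database. Assumptions: the CA service runs locally, the template is named
# "NAPHealth" (hypothetical), and the configuration naming context is read from RootDSE.
# Needs CA administrator rights plus permission to edit the template. Run elevated.

# 1. CA side: allow templates to request non-persistence. DBFlags is a CA registry value.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
Restart-Service certsvc

# Verify the flag is set before touching any template.
certutil -getreg DBFlags

# 2. Template side: set CT_FLAG_DONOTPERSISTINDB (0x1000, MS-CRTD flags attribute) on the
#    template object. The template UI exposes the same bit as
#    "Do not store certificates and requests in the CA database".
$templateName     = 'NAPHealth'   # hypothetical template name
$DONOTPERSISTINDB = 0x1000

$rootDse  = [ADSI]'LDAP://RootDSE'
$cfgNc    = $rootDse.configurationNamingContext
$template = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"

$flags = [int]$template.flags.Value
if (-not ($flags -band $DONOTPERSISTINDB)) {
    $template.Put('flags', ($flags -bor $DONOTPERSISTINDB))
    $template.SetInfo()
    Write-Host "Set DONOTPERSISTINDB on template $templateName"
} else {
    Write-Host "Template $templateName is already marked non-persistent"
}

# 3. Check: note the database row count, enroll a client against the template, and read the
#    count again. An issuance that is not persisted leaves "Maximum Row Index" unchanged.
certutil -view -out RequestID | Select-String 'Maximum Row Index'
```

The caveat the slide does not state: a certificate the CA never recorded cannot be revoked, because revocation works on database rows. That is why this setting belongs only on templates with a validity period short enough that expiry is the revocation mechanism.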

Slide 7: Server consolidation: non-persistent requests (continued)

Slide 8: Server consolidation: Server Core support
- The CA role is supported on Server Core
- Local command-line utilities (certutil, certreq)
- Remote management UI (the Certification Authority snap-in from another machine)
- Key management by the HSM vendor's tools
- No other AD CS role service (Online Responder, NDES, web enrollment, enrollment web services) is supported on Server Core

Slide 9: Server consolidation: cross-forest enrollment

Slide 10: How does it work today? Single forest
1. CA starts and reads certificate templates from AD
2. Client reads certificate templates from AD
3. Client sends an enrollment request to the CA
4. CA constructs the subject information from the client's object in AD
5. CA issues the certificate and returns it to the client
[Diagram: CA, Active Directory (AD), client workstations, steps 1 to 5]

Slide 11: How does it work today? Multiple forests
Multiple forests implies duplicated infrastructure in every forest:
- multiple servers
- multiple CA keys
- multiple HSMs
- multiple certificate databases
- etc.

Slide 12: How will it work? Cross-forest enrollment
[Diagram: client workstations and Active Directory in the account forest; CA and Active Directory in the resource forest; the same numbered steps 1 to 5 as on slide 10, now crossing the forest boundary]

Slide 13: Server consolidation: cross-forest enrollment
- Windows will support certificate enrollment and issuance across AD forest boundaries
- Requires a two-way AD forest trust between the account forest and the resource forest
- Requires a Windows Server 2008 R2 CA
- Requires Windows XP or later clients

Slide 14: Server consolidation: cross-forest enrollment management
- The CA reads templates from the resource forest; the client reads templates from the account forest
- This requires manual steps to keep the two copies of the templates in sync: an initial consolidation and ongoing synchronization
- A best-practice whitepaper on PKI consolidation covers both
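The following is an added example, not part of the deck or of Microsoft's consolidation whitepaper: a read-only check that confirms the two-way forest trust the previous slide requires and reports templates whose account-forest copy is missing, has a different OID, or lags the resource-forest copy's revision. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT), read access to the Configuration partition of both forests, and the hypothetical domain controller names shown.

```powershell
# Added example (not from the deck): compare certificate templates between the resource
# forest (where the CA reads them) and the account forest (where clients read them).
# Assumptions: ActiveDirectory module available; the caller can read the Configuration
# partition in both forests; the DC names below are hypothetical.
Import-Module ActiveDirectory

$resourceDc = 'dc1.resource.example'   # hypothetical: a DC in the forest hosting the CA
$accountDc  = 'dc1.account.example'    # hypothetical: a DC in the forest hosting the users

# Prerequisite from slide 13: a two-way forest trust. Print every trust with its direction.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($t in $forest.GetAllTrustRelationships()) {
    '{0,-35} {1}' -f $t.TargetName, $t.TrustDirection   # expect Bidirectional
}

function Get-PkiTemplates {
    param([string]$Server)
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server `
        -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties revision, msPKI-Template-Minor-Revision, msPKI-Cert-Template-OID
}

$resource = @{}; Get-PkiTemplates -Server $resourceDc | ForEach-Object { $resource[$_.Name] = $_ }
$account  = @{}; Get-PkiTemplates -Server $accountDc  | ForEach-Object { $account[$_.Name]  = $_ }

foreach ($name in ($resource.Keys | Sort-Object)) {
    $r = $resource[$name]
    $a = $account[$name]
    if (-not $a) {
        "MISSING in account forest: $name"
        continue
    }
    # The OID is how the CA matches a request to a template; a copy with a different OID
    # is a different template as far as issuance is concerned.
    if ($r.'msPKI-Cert-Template-OID' -ne $a.'msPKI-Cert-Template-OID') {
        "OID MISMATCH: $name (resource $($r.'msPKI-Cert-Template-OID'), account $($a.'msPKI-Cert-Template-OID'))"
    }
    elseif ($r.revision -ne $a.revision -or
            $r.'msPKI-Template-Minor-Revision' -ne $a.'msPKI-Template-Minor-Revision') {
        "STALE: $name (resource $($r.revision).$($r.'msPKI-Template-Minor-Revision'), " +
        "account $($a.revision).$($a.'msPKI-Template-Minor-Revision'))"
    }
}
```

Run it as the ongoing-synchronization check after every template change in the resource forest. It only reports; copying the template and its OID object into the account forest, and publishing the resource-forest CA's enrollment service object there so account-forest clients can find it, are the manual steps the whitepaper describes and this script does not perform.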

Slide 15: Server consolidation: summary
1. Simplify management for NAP deployments
2. Support CA installation on Server Core
3. Support cross-forest enrollment

Slide 16: Public Key Infrastructure: Windows 7 investments (section divider)
Scenarios: HTTP-based enrollment, server consolidation, improved existing scenarios, strong authentication. Next section: improved existing scenarios.

Slide 17: Improved existing scenarios: Standard SKU supports V2 templates
- Windows 2000 introduced V1 certificate templates
- Windows Server 2003 introduced V2 certificate templates; not supported on Windows Server 2003 Standard Edition
- Windows Server 2008 introduced V3 certificate templates; not supported on Windows Server 2008 Standard Edition
- A CA installed on Windows Server 2008 R2 Standard Edition supports all certificate template versions, and with them auto-enrollment, key archival, etc.

Slide 18: Improved existing scenarios: Best Practices Analyzer
- Most PKI support calls are caused by configuration issues
- Windows Server 2008 R2 introduces a Best Practices Analyzer (BPA) tool
- The CA role defines rules that the BPA tool can check after each CA configuration change
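The following is an added example, not from the deck, of running that check from PowerShell so it can be scripted after every configuration change. It assumes the BestPractices module that ships with Windows Server 2008 R2 and that the AD CS model is registered because the CA role is installed; the model is located by name rather than by a hard-coded ID.

```powershell
# Added example (not from the deck): run the AD CS Best Practices Analyzer on a
# Windows Server 2008 R2 CA and list everything that is not merely informational.
# Assumptions: BestPractices module present; CA role installed on this machine. Run elevated.
Import-Module BestPractices

# Find the AD CS model instead of hard-coding its identifier.
$model = Get-BpaModel | Where-Object { $_.Id -like '*CertificateServices*' }
if (-not $model) { throw 'No AD CS BPA model found; is the CA role installed here?' }

# This is the step to repeat after each CA configuration change.
Invoke-BpaModel -ModelId $model.Id | Out-Null

# Keep only Warning and Error results that nobody has excluded, and show what to fix.
Get-BpaResult -ModelId $model.Id |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
    Sort-Object Severity, Category |
    Format-Table -AutoSize -Wrap Severity, Category, Title, Problem, Resolution
```

An empty table is the goal; a result someone has marked Excluded does not disappear from the CA, so review exclusions as part of the same change procedure.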

Slide 19: Improved existing scenarios: Best Practices Analyzer (continued)

Slide 20: Improved existing scenarios: certificate selection
Windows Vista:
- Removed duplicate and archived certificates from the selection dialog
- Added icons to differentiate software-based from smart-card certificates

Slide 21: Improved existing scenarios: enterprise SSL EV certificates
- Mark an enterprise root CA as an Extended Validation (EV) root and add the EV policy OID to it, so that SSL certificates issued under it with that policy get the EV treatment in the browser
- Configurable through Group Policy
- Only clients that receive the policy (domain-joined machines) treat the certificate as EV; it changes nothing for outside users

Slide 22: Improved existing scenarios: summary
1. V2 certificate templates on Standard Edition
2. Best Practices Analyzer
3. Certificate selection
4. Enterprise SSL EV certificates

Slide 23: Public Key Infrastructure: Windows 7 investments (section divider)
Scenarios: HTTP-based enrollment, server consolidation, improved existing scenarios, strong authentication. Next section: HTTP-based enrollment.

Slide 24: HTTP-based enrollment: design goal
Enable new scenarios to leverage the Windows PKI client:
1. Server certificates issued by a public CA
2. Issuance across company boundaries (partnership scenario)
3. Issuance to non-domain-joined machines
4. B2C issuance ("my bank issues me certificates")
5. And more

Slide 25: HTTP-based enrollment: design overview
- Specified two new HTTP-based protocols for certificate enrollment: one for fetching enrollment policy (which templates are available and from where) and one for submitting requests; Microsoft documents them as MS-XCEP and MS-WSTEP (a WS-Trust profile)
- Implemented client services on top of the new protocols
- Implemented the server side for these protocols (the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service)
- Work in progress with related ISVs to provide interoperable implementations

Slide 26: HTTP-based enrollment: architecture
[Diagram: client workstations talk only over HTTP(S) to the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service; the web services talk to Active Directory and to the CA on the client's behalf; steps 1 to 7. The client no longer needs LDAP access to AD or RPC/DCOM access to the CA.]

Slide 27: HTTP-based enrollment: auto-enrollment enhancements
Auto-enrollment (AE):
- Ensures the system has a valid certificate for each enrollment policy configured for the end entity
- Implements the client role for both protocols
- Maintains a list of policy server URIs
- Maintains a cache of the enrollment policies returned by all policy servers
- Runs on non-domain-joined machines

Slide 28: HTTP-based enrollment: authentication
- The Windows client uses the same authentication mechanism for the policy server and the enrollment server: Kerberos, username/password, or certificate-based
- Supports credential storage (optional), which is what lets auto-enrollment renew later with nobody logged on
- Implements renewal by authenticating with the existing certificate (proof of possession of its key)
- Requires SSL on both web services

Slide 29: HTTP-based enrollment: enrollment policies UI

Slide 30: HTTP-based enrollment: enrollment wizard
An additional step was added to the Certificate Enrollment Wizard: choosing the enrollment policy (and therefore the policy server) to enroll against.

Slide 31: HTTP-based enrollment: Group Policy UI
- Lets administrators publish policy servers to client machines
- Validates the policy server URI when it is entered
- The same UI is used on client machines to configure the local policy and user-configured entries

Slide 32: HTTP-based enrollment: cross-forest support
[Diagram: as on slide 26, with the client workstations and their Active Directory in the account forest and the Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, CA and Active Directory in the resource forest; steps 1 to 7]

Slide 33: HTTP-based enrollment: web server scenario, enrollment and renewal
1. Admin logs on to the web server
2. Admin opens Internet Explorer, browses to the public CA's web site and creates an account
3. Admin clicks OK on the elevation prompt, which:
   - sets the policy server URL in the local policy store
   - sets credentials for the policy server (admin or control)
   - enrolls against this policy server (dynamic enrollment policy)
4. After enrollment completes, the certificate is installed

Slide 34: HTTP-based enrollment: web server scenario, recovery from revocation
Setup: system configured with a policy server entry, cached username/password credentials, and auto-enrollment enabled.
1. The CA revokes the system's certificate and publishes a new CRL
2. Within eight hours after the old CRL expires (the client keeps its cached CRL until its next-update time, and auto-enrollment runs every eight hours):
   - AE downloads the new CRL
   - AE marks the existing certificate as revoked
   - AE retrieves the policies from the policy server and enrolls for a new certificate

Slide 35: HTTP-based enrollment: web server scenario, dynamic policy updates
Setup: system configured with a policy server; one enrollment policy for SSL with 1-year validity and a 1024-bit key; the client refreshes its policy cache weekly.
1. On the CA side the key size is raised to 2048 bits and the revision number on the enrollment policy object is incremented
2. Within a week:
   - AE downloads the new policies
   - AE marks the existing certificate as archived
   - AE enrolls for a new certificate
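The following is an added example, not from the deck, that drives the web-server scenario of slides 33 to 35 from PowerShell instead of the wizard. It assumes the PKI module cmdlets Add-CertificateEnrollmentPolicyServer, Get-CertificateEnrollmentPolicyServer and Get-Certificate, which ship with Windows 8 / Windows Server 2012 and later (on Windows 7 the same entries are made through the Certificates snap-in or Group Policy), a username/password policy server at the hypothetical URL shown, and a hypothetical template named WebServerExt.

```powershell
# Added example (not from the deck): web-server enrollment through an enrollment policy
# server, then the auto-enrollment run that handles revocation and policy changes.
# Assumptions: PKI module cmdlets (Windows 8 / Server 2012+); hypothetical policy server
# URL and template name. Run elevated: the entry goes into the machine's local policy store.

$policyUrl = 'https://cep.example.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
$cred      = Get-Credential -Message 'Account at the enrollment policy server'

# Slide 33: register the policy server URL, cache the credentials (slide 28: stored
# credentials are what let AE work later with nobody logged on) and enable auto-enrollment
# against it. -RequireStrongValidation rejects a policy server whose TLS certificate does
# not chain to a trusted root; slide 28's "Requires SSL" is only worth something with it.
Add-CertificateEnrollmentPolicyServer -Url $policyUrl -Context Machine `
    -AutoEnrollmentEnabled -RequireStrongValidation -Credential $cred

# What auto-enrollment now knows about this endpoint (URL, context, cached policy).
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List *

# Initial enrollment over HTTPS against that policy server.
$result = Get-Certificate -Template 'WebServerExt' -Url $policyUrl -Credential $cred `
    -CertStoreLocation Cert:\LocalMachine\My
switch ($result.Status) {
    'Issued'  { $result.Certificate | Format-List Subject, NotBefore, NotAfter, Thumbprint }
    'Pending' { 'Pending CA manager approval; resume with Get-Certificate -Request after approval' }
    default   { "Enrollment failed with status $($result.Status)" }
}

# Slides 34 and 35: re-enrollment after revocation or after a policy revision is AE's job.
# Trigger a run now instead of waiting up to eight hours, then verify the machine store
# with freshly fetched CRLs (-urlfetch) so a revoked certificate is reported at once.
certutil -pulse
certutil -urlfetch -verifystore My | Select-String -Pattern 'Subject:|valid|REVOKED|Expired'
```

The stored password is the security-relevant part of this setup: anyone who becomes local administrator on the web server can enroll as that account, so give it a dedicated identity at the policy server whose only right is to enroll for this one template.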

Slide 36: Public Key Infrastructure: Windows 7 investments (section divider)
Scenarios: HTTP-based enrollment, server consolidation, improved existing scenarios, strong authentication. Next section: strong authentication.

Slide 37: Strong authentication: biometrics
- New platform for biometric devices (Windows Biometric Framework), focused on fingerprint-based authentication in consumer scenarios
- New driver model and the basis for a future certification program
- Integrated user experience: Windows logon (local and domain), device and feature discovery
- Enterprise management: disable the Windows Biometric Framework via Group Policy, or allow its use by applications but not for domain logon

Slide 38: Strong authentication: smart cards
- Smart card Plug-and-Play: driver installation via Windows Update and WSUS/SUS, pre-logon driver installation, driver installation without admin rights
- Smart card class minidriver: NIST SP 800-73-1 (PIV) support, INCITS GICS ("Butterfly") support
- Windows 7 smart card framework improvements: improved support for biometric-based smart card unlock, new APIs enabling secure key injection

Slide 39: Strong authentication: ECC-based smart card logon
Windows 7 supports smart card enrollment for ECC certificates and logon with an ECC-based certificate.

Slide 40: Strong authentication: strong-authentication-based access control
Use case: "smart card required" checks for remote access, expressed as a group membership that exists only when the user logged on with a certificate from a particular template.
1. Admin: associate a group SID with an issuance policy OID
2. Admin: configure the logon certificate template with that issuance policy OID
3. Admin: restrict access to a remote object using the group SID from step 1
4. User: logs on with a certificate based on that template
5. Kerberos adds the group SID to the user's token
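The following is an added example, not from the deck, of step 1 above as it is done on Windows Server 2008 R2 (the feature is called authentication mechanism assurance): the issuance policy's OID object in the Configuration partition gets a msDS-OIDToGroupLink pointing at the group. It assumes the ActiveDirectory module, a hypothetical issuance policy named "High Assurance Smart Card" already created on the template's Extensions tab, a hypothetical group SmartCardAssured, and the feature's own constraints: a universal security group with no members, and the Windows Server 2008 R2 domain functional level.

```powershell
# Added example (not from the deck): link an issuance-policy OID to a group so that Kerberos
# adds the group SID to tokens of users who logged on with a certificate carrying that policy.
# Assumptions: ActiveDirectory module; hypothetical policy and group names; domain functional
# level Windows Server 2008 R2; the group is universal, security, and has no direct members.
Import-Module ActiveDirectory

$policyName = 'High Assurance Smart Card'   # hypothetical issuance policy display name
$groupName  = 'SmartCardAssured'            # hypothetical group

$cfg          = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$cfg"

# Issuance policies live as msPKI-Enterprise-Oid objects; flags = 2 marks an issuance policy
# (1 is a template OID, 3 an application policy).
$policy = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$policyName))" `
    -Properties displayName, msPKI-Cert-Template-OID, flags, msDS-OIDToGroupLink
if (-not $policy)        { throw "Issuance policy '$policyName' not found under $oidContainer" }
if ($policy.flags -ne 2) { throw "'$policyName' is not an issuance policy (flags=$($policy.flags))" }

# Guard the feature's constraints before linking: members of a linked group would be granted
# the SID without the strong logon, so the group must stay empty and universal.
$group = Get-ADGroup $groupName -Properties GroupScope, GroupCategory, member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group"
}
if ($group.member.Count -gt 0) { throw "$groupName must have no direct members" }

# Step 1 on the slide: bind the group to the issuance policy OID.
Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Check: forward link on the OID object, back-link on the group, and the OID value that the
# template (step 2) must carry in its Issuance Policies extension.
Get-ADObject $policy.DistinguishedName -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink |
    Format-List displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink
Get-ADGroup $groupName -Properties msDS-OIDToGroupLinkBl |
    Format-List Name, SID, msDS-OIDToGroupLinkBl
# Step 3 uses $group.SID in the resource ACL; after a smart-card logon (step 4) the user can
# confirm step 5 with:  whoami /groups
```

Two behaviours to plan for: the SID is present only in Kerberos tickets obtained with the certificate, so a later password logon by the same user does not carry it, and the group therefore cannot be used for anything that relies on NTLM.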

Slide 41: Strong authentication: summary
1. Biometrics
2. Smart cards

Slide 42: Public Key Infrastructure: Windows 7 investments (recap)
Scenarios: HTTP-based enrollment, server consolidation, improved existing scenarios, strong authentication.


Slide 44: Related content
- IDA02-ILL: Setting Up and Configuring Active Directory Certificate Services (AD CS): November 5, 09:00 to 10:15; November 6, 16:20 to 17:35
- IDA04-IS: All You Ever Wanted to Ask about Designing and Operating an Enterprise PKI: November 6, 14:40 to 15:55

Slide 45: Session feedback
With an amazing line-up of international speakers, there are even more chances to win an evaluation prize, so make sure you submit feedback for all the sessions you attend. Complete your session feedback forms via the CommNet terminals or the Registered Delegate Pages for your chance to win an HTC Touch Dual: http://www.microsoft.com/emea/teched2008/itpro/feedback.aspx (now extended from 2 to 24 hours after the session).

Slide 46: Resources for IT professionals
- www.microsoft.com/teched: Tech·Talks, Tech·Ed Bloggers, Live Simulcasts, Virtual Labs
- http://microsoft.com/technet: evaluation licenses, pre-released products, and more

Slide 47: © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

