Published by Warren Fitzgerald. Modified over 9 years ago.
1
Deploying PKI Inside Microsoft
The experience of Microsoft in deploying its own corporate PKI
Published: December 2003
2
Solution Overview
Situation
● Microsoft needed a platform for securing internal and external network communications
Solution
● Microsoft IT installed Certificate Services to implement a secure communications and remote authentication infrastructure
Benefits
● Enabled the use of S/MIME signatures and encryption
● Secured Web connections
● Ensured the confidentiality of stored and transmitted data
● Ensured the confidentiality and integrity of transmitted data by using IPSec
● Enabled strong network user authentication
3
Products and Technologies
● Windows 2000 Server
● Windows Server 2003
● Windows-based PKI and CA
● Certificate Services
● Active Directory
● Windows XP Professional
● Microsoft Office Outlook 2003
● Smart Cards
● EFS, IPSec, S/MIME, SSL
4
Deployment: Windows 2000 Server PKI
● CA hierarchy
● Integration of PKI into Active Directory
5
Deployment: Windows 2000 Server PKI
● Network and server performance
● Security requirements
● Windows 2000 Server Certificate Services
● CRL lifetime
6
Architecture: Windows 2000 Server PKI (CA hierarchy diagram; only the node labels are recoverable)
Offline tier (held in the Microsoft IT vault):
● Microsoft Corporate Root Authority – Offline Root
● Microsoft Intranet CA – Offline Intermediate 1
● Microsoft Extranet CA – Offline Intermediate 2
Online issuing CAs:
● Intranet Machine CA 1
● Intranet Machine CA 2
● FTE User CA 1
● FTE User CA 2
● Non-FTE User CA 1
● Intranet Level 2 User CA 1
● Intranet Level 2 User CA 2
● Personnel E-mail CA 1
● Extranet Machine CA 1
● Intranet Network CA 1
7
Benefits of Upgrading the PKI to Windows Server 2003
● Extended certificate templates
● Key archival and recovery
● Extended autoenrollment
8
Deployment: Windows Server 2003 PKI
● Server consolidation
● Sanitization of certificates
● Inclusion of public root hierarchy
9
Deployment: Windows Server 2003 PKI
● CA server management and support
● Smart Card deployment
10
Architecture: Windows Server 2003 PKI (CA hierarchy diagram; only the node labels are recoverable)
Internal hierarchy (offline tier held in the Microsoft IT vault):
● Microsoft Corporate Root Authority – Offline Root
● Microsoft Intranet CA – Offline Intermediate
Public hierarchy:
● Third-Party External Public Root Authority – Offline Root
● Microsoft CA – Offline Intermediate
Online issuing CAs:
● Personnel E-mail CA 1
● Public-Facing SSL CA 1
● Intranet Level 2 User CA 1
● Intranet Level 2 User CA 2
● Corporate Enterprise CA 1
● Corporate Enterprise CA 2
11
Lessons Learned and Best Practices
● Plan for the upgrade to Windows Server 2003 PKI
● Carefully consider the number of CA servers needed
● Implement a multiple-tier hierarchy
● Consider integration with a public root
12
Lessons Learned and Best Practices
● Automate CRL publication
● Customize the CRL publication overlap interval
● Use new keys for CA renewal
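The CRL lifetime (slide 5) and the CRL publication and overlap practices on this slide, as an added PowerShell example that is not part of the deck and not Microsoft IT's own tooling: it assumes a modern AD CS issuing CA where certutil.exe and the ScheduledTasks cmdlets are available, and the period values and task name are illustrative placeholders.

```powershell
# Added example (not from the Microsoft IT deck): configure the base/delta CRL
# lifetime and the overlap interval on an AD CS issuing CA, then automate
# publication. Assumes an elevated session on the CA host; all period values
# are placeholders to be tuned to the environment's replication latency.

# A published CRL's Next Update is roughly ThisUpdate + CRLPeriod + CRLOverlap,
# so each CRL stays valid for CRLOverlap longer than the gap to the next
# scheduled publication. That slack covers AD/HTTP replication of the new CRL
# before relying parties stop trusting the old one; too small an overlap means
# a short replication delay makes every chain fail revocation checking.
$settings = @{
    'CA\CRLPeriodUnits'      = 1        # publish a base CRL every 1 ...
    'CA\CRLPeriod'           = 'Weeks'  # ... week
    'CA\CRLOverlapUnits'     = 2        # keep the old CRL valid 2 ...
    'CA\CRLOverlapPeriod'    = 'Days'   # ... days past the next publish time
    'CA\CRLDeltaPeriodUnits' = 1        # publish a delta CRL daily
    'CA\CRLDeltaPeriod'      = 'Days'
}

function Set-CrlSchedule {
    param([hashtable]$Values)
    foreach ($key in $Values.Keys) {
        # certutil -setreg writes the CA registry value; CertSvc reads it on restart.
        & certutil.exe -setreg $key $Values[$key] | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $key failed" }
    }
    Restart-Service -Name CertSvc
}

function Publish-CrlNow {
    # Force a new base and delta CRL immediately (e.g. right after a schedule
    # change) instead of waiting for the next scheduled publication.
    & certutil.exe -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -crl failed' }
}

function Register-CrlPublication {
    # The CA publishes on its own schedule; a daily task that re-runs
    # certutil -crl as SYSTEM guards against a lapsed CRL after an outage.
    $action  = New-ScheduledTaskAction -Execute 'certutil.exe' -Argument '-crl'
    $trigger = New-ScheduledTaskTrigger -Daily -At '02:00'
    Register-ScheduledTask -TaskName 'Publish-CRL' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

Set-CrlSchedule -Values $settings
Publish-CrlNow
Register-CrlPublication
# Verify the effective overlap setting on the CA:
& certutil.exe -getreg 'CA\CRLOverlapUnits'
```

After publication, `certutil -dump` on the CRL file in the CA's CertEnroll directory shows the resulting Next Update, which should exceed the publication interval by the configured overlap.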
13
Lessons Learned and Best Practices
● Plan for certificate issuance policies
● Sanitize elements of the PKI
● Do not use DSA keys with Windows CE-based devices
14
Future Directions
● Export of the KMS database to the Windows Server 2003 Certificate Services database
● Extension of the PKI and Smart Card infrastructure
15
Summary
● Increased security
● Application and service compatibility
● Reduced certificate costs
● Ease of manageability
● Conformance to industry standards
● Scalability
16
For More Information
● White papers
● Websites
17
For More Information
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
● E-mail IT Showcase: showcase@microsoft.com
18
This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.