Exam Objectives Fast Track


Planning a Windows Server 2003 Certificate-Based PKI

  • A PKI combines public key cryptography with digital certificates to create an environment in which the parties on a network can prove who they are and traffic such as authentication exchanges can be protected in transit.

  • Public keys and private keys always come in pairs. Data encrypted with the public key can be decrypted only with the matching private key; the public key can be handed out freely, while the private key must never leave its owner.

  • A digital signature is produced by hashing the data and transforming that hash with the signer's private key. Anyone holding the matching public key can check that the data is unchanged and that it came from the holder of the private key. Signing is not a second layer of encryption over already-encrypted data; encryption and signing are separate operations that use opposite halves of the key pair.

  • A public key on its own says nothing about who owns it, and a signature made with an unknown key proves nothing, so a trusted authority is needed to vouch for the binding between a key and an identity. The authority (a certification authority, or CA, which can be Windows-based) issues certificates, which are basically digitally signed containers for a public key, the owner's name, a validity period, and other information. Anyone who trusts the CA's signing key can trust what the certificate says.

  • Certificates are used to safely exchange public keys and to provide the basis for applications such as IPSec, EFS, and smart card authentication.

Implementing Certification Authorities

  • Certificate needs are determined by which applications and communications an organization uses and how secure they need to be. Based on those needs, CAs are created by installing Certificate Services and are managed with the Certification Authority snap-in.

  • A CA hierarchy is structured with a root and one or more levels of subordinates; three levels is common. The bottom level of subordinates issues certificates to users and computers, and the intermediate level (policy CAs) sets the issuance policy that the CAs beneath it follow. Because every certificate in the hierarchy chains up to the root, the root CA is normally kept offline and brought up only to sign or renew subordinate CA certificates and to publish its CRL.

  • Enterprise CAs require Active Directory: they read certificate templates from it, verify requesters against it, and publish certificates to it, so they can issue certificates automatically based on template permissions. Stand-alone CAs do not need Active Directory, which is why they are the usual choice for an offline root, and by default they hold each request as pending until an administrator manually issues or denies it.

  • CAs need to be backed up consistently (the CA's private key and certificate, its database, and its configuration) and protected against attacks, since a compromised CA key lets an attacker issue certificates that the whole forest trusts. Key archival, new in Windows Server 2003, stores a copy of a subject's private key in the CA database at enrollment so that a designated key recovery agent can retrieve it later if it is lost. It requires an Enterprise CA on Windows Server 2003 Enterprise or Datacenter Edition, and it should be used only for encryption keys (such as EFS), never for signing keys, because a recoverable signing key makes the owner's signatures repudiable.

  • CAs can revoke as well as issue certificates. After a certificate is revoked, the CA must publish a new CRL to the CRL distribution point (CDP) named in the certificates it issues; what is distributed is the revoked serial number, not the certificate itself. Clients download the CRL from the CDP when they validate a certificate and cache it until its next-update time, so a freshly revoked certificate can still be accepted until the cached CRL expires. Windows Server 2003 adds delta CRLs, which let a CA publish recent revocations frequently without re-issuing the full list.
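The mechanics summarized in the bullets above, from key pairs and signatures in the first list through the certificate chain and CRL bullets in this one, as one added worked example that is not from the study guide: a toy PKI in Python. It uses textbook RSA with small deterministic primes and a SHA-256 digest reduced into the key's range purely to make the relationships visible (no padding, not a real cryptosystem); the CA names, serial numbers, key seeds, certificate field layout, and the fail-closed handling of a missing CRL are assumptions for illustration. Requires Python 3.8 or later.

```python
import hashlib
import json
from math import gcd

E = 65537  # conventional RSA public exponent

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def make_keypair(seed):
    """Toy RSA pair from the two primes at or above `seed`. Deterministic so the run
    reproduces; real keys are random and 2048 bits or more."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while gcd(E, (p - 1) * (q - 1)) != 1:  # e must be invertible mod phi(n)
        q = next_prime(q + 1)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private); Python 3.8+

def encrypt(public, m):  # the public key encrypts ...
    n, e = public
    return pow(m, e, n)

def decrypt(private, c):  # ... and only the matching private key decrypts
    n, d = private
    return pow(c, d, n)

def digest(data, n):  # a signature covers the hash of the data, reduced into the key's range
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):  # the private key transforms the hash ...
    n, d = private
    return pow(digest(data, n), d, n)

def verify(public, data, signature):  # ... and the public key checks the result
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def tbs(obj):  # canonical bytes of the to-be-signed fields (everything but the signature)
    return json.dumps({k: v for k, v in obj.items() if k != "signature"}, sort_keys=True).encode()

def issue_cert(issuer_name, issuer_private, subject, subject_public, serial):
    """A certificate is a signed container binding a subject name to a public key."""
    cert = {"subject": subject, "issuer": issuer_name, "serial": serial,
            "public_key": list(subject_public)}
    cert["signature"] = sign(issuer_private, tbs(cert))
    return cert

def issue_crl(issuer_name, issuer_private, revoked_serials):
    """A CRL is a signed list of the serial numbers the issuer has revoked."""
    crl = {"issuer": issuer_name, "revoked": sorted(revoked_serials)}
    crl["signature"] = sign(issuer_private, tbs(crl))
    return crl

def verify_chain(chain, trusted_root, crls):
    """chain is [leaf, ..., root]. Each certificate must be signed by the next one (the
    root by itself), the root must equal the configured trust anchor, and each non-root
    certificate must be absent from a CRL signed by its issuer. A missing or badly
    signed CRL fails closed (assumption: revocation checking is mandatory)."""
    if chain[-1] != trusted_root:
        return False
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        issuer_public = tuple(issuer["public_key"])
        if cert["issuer"] != issuer["subject"]:
            return False
        if not verify(issuer_public, tbs(cert), cert["signature"]):
            return False
        if issuer is cert:
            continue  # self-signed root: its trust comes from the anchor comparison
        crl = next((c for c in crls if c["issuer"] == cert["issuer"]), None)
        if crl is None or not verify(issuer_public, tbs(crl), crl["signature"]):
            return False
        if cert["serial"] in crl["revoked"]:
            return False
    return True

# Constructed demo data (assumed CA names, serials and key seeds; not from the study
# guide): a root CA, one issuing CA and one user. A deeper hierarchy just lengthens the chain.
ROOT_PUB, ROOT_PRIV = make_keypair(10_000_000)
SUB_PUB, SUB_PRIV = make_keypair(20_000_000)
USER_PUB, USER_PRIV = make_keypair(30_000_000)
ROOT_CERT = issue_cert("Contoso Root CA", ROOT_PRIV, "Contoso Root CA", ROOT_PUB, 1)
SUB_CERT = issue_cert("Contoso Root CA", ROOT_PRIV, "Contoso Issuing CA", SUB_PUB, 2)
USER_CERT = issue_cert("Contoso Issuing CA", SUB_PRIV, "alice@contoso.com", USER_PUB, 1001)
CHAIN = [USER_CERT, SUB_CERT, ROOT_CERT]

def crls(revoked_by_issuing_ca=()):  # the CRLs a client would fetch from each CDP
    return [issue_crl("Contoso Root CA", ROOT_PRIV, []),
            issue_crl("Contoso Issuing CA", SUB_PRIV, revoked_by_issuing_ca)]

if __name__ == "__main__":
    print(verify_chain(CHAIN, ROOT_CERT, crls()))        # True: chain and CRLs check out
    print(verify_chain(CHAIN, ROOT_CERT, crls([1001])))  # False: Alice's cert was revoked
```

Running it prints True for the intact chain and False once the issuing CA's CRL lists the user's serial number. The same function rejects a certificate signed by a key other than the named issuer's, a chain whose top does not match the configured trust anchor, and a chain for which no signed CRL is available. That last case is the practical point behind the CRL bullet: a client that cannot fetch a fresh CRL has to choose between failing closed, as here, and trusting whatever it has cached.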

Planning Enrollment and Distribution of Certificates

  • Templates control how a CA acts when handed a request and what goes into the certificates it issues (key usage, validity period, where the subject name comes from, and so on). There are quite a few built-in templates, or you can create your own using the Certificate Templates snap-in; custom (version 2) templates require an Enterprise CA on Windows Server 2003 Enterprise or Datacenter Edition. A template must be added to the CA's Certificate Templates folder before the CA can issue it, and a requester needs Read and Enroll permission on the template.

  • Certificates can be requested with the Certificates snap-in (its Certificate Request Wizard, which works against an Enterprise CA) or by using Internet Explorer and pointing to http://servername/certsrv, the Web enrollment pages on the CA.

  • Machine and user certificates can be requested with no user intervention by using auto-enrollment. Auto-enrollment for user certificates is new to Windows Server 2003; it needs a version 2 template on which the users have Autoenroll permission, an Enterprise CA, the auto-enrollment Group Policy setting turned on, and Windows XP or later clients.

  • Role-based administration is recommended for larger organizations. Different users can be assigned permissions relative to their positions: CA administrator, certificate manager, backup operator, and auditor. Keeping these roles in separate hands means no single person can both change the CA's configuration and issue certificates, and Enterprise Edition can enforce that separation.

Implementing Smart Card Authentication in the PKI

  • Smart cards are credit card-sized devices that embed a microprocessor. They can securely hold public/private key pairs, certificates, and other information; the private key is generated on the card and never leaves it, so signing and decryption happen on the card itself.

  • Users insert smart cards into readers and enter a PIN to use the keys on the card; the PIN unlocks the card for that session, and repeated wrong PINs lock the card. Authentication is the most popular application of the technology, followed by secure e-mail.

  • To deploy smart cards, you need to configure the CA to issue smart card certificates (Smart Card Logon or Smart Card User) and Enrollment Agent certificates, issue an Enrollment Agent certificate to the person who will enroll cards on behalf of users, and set up an enrollment station with a reader. Smart cards have to be enrolled, or set up with the user's key pair and certificate, before someone can use one. Guard the Enrollment Agent template tightly: in Windows Server 2003 an enrollment agent can enroll a card on behalf of any user, which is effectively the power to log on as anyone.

  • Smart cards are increasingly used for remote access authentication, such as over a company VPN, where the certificate on the card is presented through EAP-TLS. Cards can also be used for securely logging on to a terminal server, because Terminal Services in Windows Server 2003 can redirect the client's smart card reader into the session.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
