What This Short Cut Will Cover


This Short Cut covers the implementation of encryption solutions in a Windows networking environment. Specifically, this book covers the step-by-step installation of Encrypted File System (EFS), IPSec-encrypted transport communications between Windows devices, 802.1x wireless encryption, and certificate-based encryption in a Microsoft Exchange 2003 environment.

Learning Through Implementation

Unlike some whitepapers that spend the first 100 pages going over planning and implementation methodologies and frameworks, and another 100 pages on theoretical design and architecture of the technology for small, medium, and large organizations, this Short Cut jumps right into configuring and implementing encryption in a Windows environment. The intention of this Short Cut is to enable you to quickly follow the step-by-step procedures so that you can implement the technologies in a lab environment.

After you successfully implement the technologies on one or two systems (or virtual sessions) in a lab environment, you will quickly understand how to configure and make the technologies work. You can then spend time reading other texts on planning, designing, and implementing the technologies in a production environment. If your production environment is a single domain in a single forest with a relatively simple environment, you might find that this Short Cut is all you need to implement the technologies in a production environment when a one- or two-server implementation meets the needs of the organization.

For IT professionals who need to expand this technology into larger or more complex environments, this Short Cut will reference resources at the end that will help you do more elaborate planning and enterprise implementations.

Having a Windows 2003 Network Infrastructure

This Short Cut assumes you have a Windows 2003 Active Directory environment. The technologies covered here do not require all servers to be Windows 2003; however, the Active Directory needs to be at a Windows 2003 level in order for autoenrollment of certificates to work, which is a core component for certificate-based security covered in this text.

Also, this Short Cut will note when the configuration being performed will only work in a Windows 2003 environment; give prerequisites for each of the components covered; and offer other tips, tricks, and lessons learned relative to the environment covered here.

Having an Understanding of Windows Networking

This Short Cut assumes you are familiar with the Windows 2003 and Active Directory networking environment: that you know what a server and a domain controller are, and understand how to navigate around Active Directory Users and Computers or an MMC administrative tool. If you are not an expert on Windows but are pretty good at following instructions, don't worry: you will be able to easily follow along using the steps and screenshots provided in this Short Cut.

With the assumption that you have worked with Windows fairly extensively and want to jump right into understanding and configuring Windows encryption, certificates of authority, and email encryption, this Short Cut does away with introductory materials, lengthy technology introductions, and explanations of basic system configuration settings. This allows you to immediately start configuring and experiencing the operations of encrypted security in a Windows environment as quickly and effectively as possible.

Understanding the Meat of This Short Cut

This Short Cut focuses on encryption in a Windows environment as a method of securing information. The traditional method of securing information is to provide access lists of users who have access to the information. However, the problem with access list security is that once security access is provided to a user, the only way to protect the content is to remove the user from the access list.

The preferred method of security, and something that auditors have begun to request, is certificate-based encrypted security. Certificate-based means that credentials are issued by a security administrator to a user or to a computer for access to information. The certificate can be revoked and a new certificate can be issued to the same user or computer, thus allowing a user's access rights to be renewed with a new certificate in the event that the user's access information was compromised.

Using encryption scrambles the information so that someone without a valid certificate cannot read or access the information, thus providing the privacy that security and compliance auditors want for information access in today's regulated environment. The encryption is set by the certificate so that the certificate, as well as encrypted content, can be shared with others. Additionally, the certificate can be revoked and reissued for the same encrypted content to provide private and secured access to information on an ongoing basis.

The only problem with certificate-based encryption was that certificates previously had to be issued manually, which meant that every time someone needed a certificate, a security administrator had to issue the certificate and then email it to the user. When the user felt his certificate was compromised, a new certificate had to be issued, and the user had to manually reinstall the new certificate. Depending on the sophistication of the user, issuing certificates could be a help desk nightmare.

Windows 2003 Active Directory and Windows XP laptop and desktop computers now have the capability of automating the issuance and installation of certificates. With a concept known as autoenrollment of certificates, a certificate is automatically issued from a certificate server directly to a Windows 2003 Active Directory user and computer account. When the user logs in or the computer is booted up, the certificate is automatically downloaded from Active Directory to the workstation and installed. Immediately, a user or computer system has a valid certificate that can be used for secured encrypted access for files, transport communications, wireless networking, or email messaging.




Encryption in a Windows Environment: EFS File, 802.1x Wireless, IPSec Transport, and S/MIME Exchange
ISBN: B000P28WKS
EAN: N/A
Year: 2006
Pages: 13
Authors: Rand Morimoto
