Creating a Public Key Infrastructure (PKI) environment takes a good deal of time and planning to build and effort to maintain. Administrators often have to plan well beyond the hardware and software available to them at the time of implementation. If the company's PKI was built on Windows 2000, the administrators may want to improve their environment with the new functionality built into Windows Server 2003. With the advancements in Windows Server 2003's Certificate Services and Group Policy, much of the administrator's time, planning, effort, and wishes will finally pay off. Creating and issuing certificates to computers and users has become much easier to deploy and, ultimately, to maintain and manage.

Using Windows Server 2003 Updates

Administrators have at their disposal a very cost-effective platform on which to deploy a PKI: Windows Server 2003. The new features available with this product are as follows:
Choosing the CA Roles

Administrators have many choices in their enterprise security architecture. One of the choices related to PKI and smartcard-secured access is how the CA roles are deployed within the organization:
The Server Does Not Have to Be a Domain Controller

Administrators can install an Enterprise CA on any domain member server; it does not have to be a domain controller. Keeping the CA off the domain controllers matters both for security (anyone who can administer the domain controller can otherwise reach the CA's keys and configuration) and for separating the CA roles. The most important CA role as it relates to smartcard deployment is the Enterprise Root CA. What smartcard logon actually needs is that the issuing CA be an Enterprise CA, because an Enterprise CA publishes its certificate to Active Directory and issues certificates from templates; in a larger design that issuing CA can also be a subordinate of an offline root. The Microsoft Windows Server 2003 Enterprise CA has the following characteristics:
For Administrators to Enable Support of Certificate Autoenrollment

For administrators to enable support of certificate autoenrollment, the Enterprise CA must be installed on a Windows Server 2003 Enterprise or Datacenter Edition server. The reason is that autoenrollment depends on version 2 certificate templates, and a Windows Server 2003 Standard Edition CA can issue only version 1 templates.

Using the Web Enrollment Site to Obtain Certificates

Users and computers that are not domain members, or that do not support autoenrollment, can use the Web enrollment site to obtain certificates.

The Enterprise CA is an ideal solution for a network with a Windows Server 2003 domain. All domain members can be assigned certificates via Group Policy-based certificate autoenrollment. You can limit the scope of autoenrollment by assigning permissions on the certificate template: a user or computer receives a certificate automatically only if it holds the Read, Enroll, and Autoenroll permissions on that template, so granting those permissions to a specific group rather than to Domain Users or Authenticated Users is how you keep, for example, a smartcard logon template from being issued to everyone.

Incorporating Smartcards

By using the security access philosophy of "something you know, something you have, and something you are," information technology administrators can significantly increase their network security. The more you can do to keep people from impersonating valid logins, the more secure the data and network resources become. The three items that lead to secured information system access are as follows:
Securing Log-ins

End users in a less than secure environment can easily use someone else's username and password. This is especially open to attack when the impersonator is coming from a remote location: no one is watching the attacker sit at a remote terminal and access the company's data. By requiring a physical device such as a smartcard or an RSA SecurID token, administrators can be more assured that users are who they say they are when they log in, because the attacker now needs the device (and its PIN) as well as the password. The machines that are authenticated in Active Directory are usually known entities, which also gives you a good idea of where the user is logging in from.

Securing E-mail

Signed e-mail in an application such as Outlook can be sent using smartcards. Using the certificate stored on the smartcard to sign the end user's e-mail lets the recipient verify that the sender is who he says he is and that the message has not been altered in transit. Certificates can also be used to encrypt e-mail so that only the intended recipient can open and read it.

Securing Documents

Encrypting File System (EFS) can be employed to secure sensitive company data. This is especially critical for administrators who are tasked with protecting data on laptops and other portable devices. Windows Server 2003 now supports EFS on offline files and allows more than one user to be granted access to an encrypted file. Unauthorized recovery of EFS-protected files by third parties has also become harder. EFS renders the data unreadable to anyone who has not been granted access to that content, which cuts both ways: if the user's private key and the data recovery agent's key are lost, the data is lost too, so back up the recovery agent's key and store it off the machine.

Securing Buildings

Smartcards can be incorporated into a company identity badge that has radio frequency identification (RFID) capability. Card readers can be installed on exterior doors or on critical internal doors. Maintaining an accurate record of smartcard holders and the level of access each one has is extremely useful. All entry accesses can be centrally logged and audited by the administrator or security personnel.
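The script below is an added example, not part of the original text, and not Microsoft's code. It checks from a domain member the two things the Choosing the CA Roles discussion above turns on: whether Group Policy has switched certificate autoenrollment on for this client, and which principals hold the Enroll and Autoenroll permissions on each template published in Active Directory, so you can see how far autoenrollment of a template such as Smartcard Logon actually reaches and which templates are version 2 (and therefore need an Enterprise or Datacenter Edition CA on Windows Server 2003). It assumes a domain-joined Windows host with PowerShell 2.0 or later and an account that can read the forest's Configuration partition. The registry path, the two extended-right GUIDs, the msPKI-Enrollment-Flag bit, and the EKU OID are the documented Windows and Active Directory values; the pattern used to flag "broad" groups is my own choice.

```powershell
# Added example (not from the original text). Audits certificate templates in the
# forest's Configuration partition and the client-side autoenrollment policy.
# Assumptions: domain-joined Windows host, PowerShell 2.0 or later, an account that
# can read the Configuration partition. Template and group names in the output are
# whatever exists in your forest.

$EnrollRight             = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$AutoEnrollRight         = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment extended right
$ExtendedRight           = 0x100                                          # ActiveDirectoryRights.ExtendedRight
$CT_FLAG_AUTO_ENROLLMENT = 0x20                                           # msPKI-Enrollment-Flag bit (MS-CRTD)
$SmartcardLogonEku       = '1.3.6.1.4.1.311.20.2.2'                       # Smart Card Logon EKU OID
# Principals that make an autoenrolling template reach "everyone" (pattern is this script's own choice)
$BroadPrincipal = '^(Everyone|NT AUTHORITY\\Authenticated Users|.*\\Domain Users|.*\\Domain Computers)$'

# 1. What Group Policy told this client about autoenrollment (0x8000 = disabled)
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -eq $null)        { Write-Host 'Client autoenrollment: not configured by Group Policy' }
elseif ($aePolicy -band 0x8000) { Write-Host 'Client autoenrollment: disabled by Group Policy' }
else { Write-Host ('Client autoenrollment: enabled (AEPolicy=0x{0:X})' -f $aePolicy) }

# 2. Every template published in AD, with who may enroll and autoenroll for it
$cfgNc     = [string]([ADSI]'LDAP://RootDSE').psbase.Properties['configurationNamingContext'].Value
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"

$report = foreach ($t in $container.psbase.Children) {
    $p      = $t.psbase.Properties
    $name   = [string]$p['cn'].Value
    $schema = [int]$p['msPKI-Template-Schema-Version'].Value   # 2 = version 2 template
    $flags  = [int]$p['msPKI-Enrollment-Flag'].Value
    $ekus   = @($p['pKIExtendedKeyUsage'].Value)

    # Resolve ACEs to account names; fall back to raw SIDs if one cannot be translated
    try   { $rules = $t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) }
    catch { $rules = $t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) }

    $enroll = @(); $autoEnroll = @()
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if (([int]$r.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }
        $who = $r.IdentityReference.Value
        # An ACE whose ObjectType is the empty GUID grants every extended right (GenericAll ACEs look like this)
        $all = ($r.ObjectType -eq [Guid]::Empty)
        if ($all -or $r.ObjectType -eq $EnrollRight)     { $enroll     += $who }
        if ($all -or $r.ObjectType -eq $AutoEnrollRight) { $autoEnroll += $who }
    }

    # Autoenrollment only happens for principals holding both Enroll and Autoenroll
    $willAutoEnroll = @($autoEnroll | Where-Object { $enroll -contains $_ })
    $smartcard      = ($ekus -contains $SmartcardLogonEku)
    $broad          = @($willAutoEnroll | Where-Object { $_ -match $BroadPrincipal })
    $warning        = ''
    if ($smartcard -and $broad.Count -gt 0) { $warning = 'broad autoenroll: ' + ($broad -join ', ') }

    New-Object PSObject -Property @{
        Template       = $name
        SchemaVersion  = $schema
        AutoEnrollFlag = (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
        SmartcardLogon = $smartcard
        AutoEnrollers  = ($willAutoEnroll -join ', ')
        Warning        = $warning
    }
}

$report | Sort-Object Template |
    Select-Object Template, SchemaVersion, AutoEnrollFlag, SmartcardLogon, AutoEnrollers, Warning |
    Format-Table -AutoSize
```

The Active Directory listing tells you what could be issued; to see what a given CA is actually configured to issue, compare it with `certutil -CATemplates -config "CAServer\CAName"`. After changing template permissions or the Group Policy setting, `certutil -pulse` on a client triggers an autoenrollment pass immediately rather than waiting for the next policy refresh.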